Interactive Privacy via the Median Mechanism
Aaron Roth, Tim Roughgarden
Introduction
Managing a data set with sensitive but useful information, such as medical records, requires reconciling two objectives: providing utility to others, perhaps in the form of aggregate statistics; and respecting the privacy of individuals who contribute to the data set. The field of private data analysis, and in particular work on differential privacy, provides a mathematical foundation for reasoning about this utility-privacy trade-off and offers methods for non-trivial data analysis that are provably privacy-preserving in a precise sense. For a recent survey of the field, see Dwork [Dwo08].
More precisely, consider a domain and database size . A mechanism is a randomized function from the set of databases to some range. For a parameter , a mechanism is -differentially private if, for every database and fixed subset of the range of , changing a single component of changes the probability that outputs something in by at most an factor. The output of a differentially private mechanism (and any analysis or privacy attack that follows) is thus essentially independent of whether or not a given individual “opts in” or “opts out” of the database.
Achieving differential privacy requires “sufficiently noisy” answers [DN03]. For example, suppose we’re interested in the result of a query — a function from databases to some range — that simply counts the fraction of database elements that satisfy some predicate on . A special case of a result in Dwork et al. [DMNS06] asserts that the following mechanism is -differentially private: if the underlying database is , output , where the output perturbation is drawn from the Laplace distribution with density . Among all -differentially private mechanisms, this one (or rather, a discretized analog of it) maximizes user utility in a strong sense [GRS09].
What if we care about more than a single one-dimensional statistic? Suppose we’re interested in predicate queries , where could be large, even super-polynomial in . A natural solution is to use an independent Laplace perturbation for each query answer [DMNS06]. To maintain -differential privacy, the magnitude of noise has to scale linearly with , with each perturbation drawn from . Put another way, suppose one fixes “usefulness parameters” , and insists that the mechanism is -useful, meaning that the outputs are within of the correct query answers with probability at least . This constrains the magnitude of the Laplace noise, and the privacy parameter now suffers linearly with the number of answered queries. This dependence limits the use of this mechanism to a sublinear number of queries.
Can we do better than independent output perturbations? For special classes of queries like predicate queries, Blum, Ligett, and Roth [BLR08] give an affirmative answer (building on techniques of Kasiviswanathan et al. [KLN+08]). Specifically, in [BLR08] the exponential mechanism of McSherry and Talwar [MT07] is used to show that, for fixed usefulness parameters , the privacy parameter only has to scale logarithmically with the number of queries.More generally, linearly with the VC dimension of the set of queries, which is always at most . This permits simultaneous non-trivial utility and privacy guarantees even for an exponential number of queries. Moreover, this dependence on is necessary in every differentially private mechanism (see the full version of [BLR08]).
The mechanism in [BLR08] suffers from two drawbacks, however. First, it is non-interactive: it requires all queries to be given up front, and computes (noisy) outputs of all of them at once.Or rather, it computes a compact representation of these outputs in the form of a synthetic database. By contrast, independent Laplace output perturbations can obviously be implemented interactively, with the queries arriving online and each answered immediately. There is good intuition for why the non-interactive setting helps: outperforming independent output perturbations requires correlating perturbations across multiple queries, and this is clearly easier when the queries are known in advance. Indeed, prior to the present work, no interactive mechanism better than independent Laplace perturbations was known.
Second, the mechanism in [BLR08] is inefficient. Here by “efficient” we mean has running time polynomial in , , and ; Dwork et al. [DNR+09] prove that this is essentially the best one could hope for (under certain cryptographic assumptions). The mechanism in [BLR08] is not efficient because it requires sampling from a non-trivial probability distribution over an unstructured space of exponential size. Dwork et al. [DNR+09] recently gave an efficient (non-interactive) mechanism that is better than independent Laplace perturbations, in that the privacy parameter of the mechanism scales as with the number of queries (for fixed usefulness parameters ).
We define a new interactive differentially private mechanism for answering arbitrary predicate queries, called the median mechanism.The privacy guarantee is -differential privacy for a negligible function ; see Section 2 for definitions. The basic implementation of the median mechanism interactively answers queries that arrive online, is -useful, and has privacy that scales with ; see Theorem 4.1 for the exact statement. These privacy and utility guarantees hold even if an adversary can adaptively choose each after seeing the mechanism’s first answers. This is the first interactive mechanism better than the Laplace mechanism, and its performance is close to the best possible even in the non-interactive setting.
The basic implementation of the median mechanism is not efficient, and we give an efficient implementation with a somewhat weaker utility guarantee. (The privacy guarantee is as strong as in the basic implementation.) This alternative implementation runs in time polynomial in , , and , and satisfies the following (Theorem 5.1): for every sequence of predicate queries, for all but a negligible fraction of input distributions, the efficient median mechanism is -useful.
This is the first efficient mechanism with a non-trivial utility guarantee and polylogarithmic privacy cost, even in the non-interactive setting.
2 The Main Ideas
The key challenge to designing an interactive mechanism that outperforms the Laplace mechanism lies in determining the appropriate correlations between different output perturbations on the fly, without knowledge of future queries. It is not obvious that anything significantly better than independent perturbations is possible in the interactive setting.
Our median mechanism and our analysis of it can be summarized, at a high level, by three facts. First, among any set of queries, we prove that there are “hard” queries, the answers to which completely determine the answers to all of the other queries (up to ). Roughly, this holds because: (i) by a VC dimension argument, we can focus on databases over of size only ; and (ii) every time we answer a “hard” query, the number of databases consistent with the mechanism’s answers shrinks by a constant factor, and this number cannot drop below 1 (because of the true input database). Second, we design a method to privately release an indicator vector which distinguishes between hard and easy queries online. We note that a similar private ‘indicator vector’ technique was used by Dwork et al. [DNR+09]. Essentially, the median mechanism deems a query “easy” if a majority of the databases that are consistent (up to ) with the previous answers of the mechanism would answer the current query accurately. The median mechanism answers the small number of hard queries using independent Laplace perturbations. It answers an easy query (accurately) using the median query result given by databases that are consistent with previous answers. A key intuition is that if a user knows that query is easy, then it can generate the mechanism’s answer on its own. Thus answering an easy query communicates only a single new bit of information: that the query is easy. Finally, we show how to release the classification of queries as “easy” and “hard” with low privacy cost; intuitively, this is possible because (independent of the database) there can be only hard queries.
Our basic implementation of the median mechanism is not efficient for the same reasons as for the mechanism in [BLR08]: it requires non-trivial sampling from a set of super-polynomial size. For our efficient implementation, we pass to fractional databases, represented as fractional histograms with components indexed by . Here, we use the random walk technology of Dyer, Frieze, and Kannan [DFK91] for convex bodies to perform efficient random sampling. To explain why our utility guarantee no longer holds for every input database, recall the first fact used in the basic implementation: every answer to a hard query shrinks the number of consistent databases by a constant factor, and this number starts at and cannot drop below 1. With fractional databases (where polytope volumes play the role of set sizes), the lower bound of 1 on the set of consistent (fractional) databases no longer holds. Nonetheless, we prove a lower bound on the volume of this set for almost all fractional histograms (equivalently probability distributions), which salvages the bound on hard queries for databases drawn from such distributions.
Preliminaries
A mechanism is -useful if for every sequence of queries and every database , with probability at least it provides answers that are -accurate for and .
Recall that differential privacy means that changing the identity of a single element of the input database does not affect the probability of any outcome by more than a small factor. Formally, given a database , we say that a database of the same size is a neighbor of if it differs in only a single element: .
We are generally interested in the case where is a negligible function of some of the problem parameters, meaning one that goes to zero faster than for every constant .
Finally, the sensitivity of a real-valued query is the largest difference between its values on neighboring databases. For example, the sensitivity of every non-trivial predicate query is precisely .
The Median Mechanism: Basic Implementation
We now describe the median mechanism and our basic implementation of it. As described in the Introduction, the mechanism is conceptually simple. It classifies queries as “easy” or “hard”, essentially according to whether or not a majority of the databases consistent with previous answers to hard queries would give an accurate answer to it (in which case the user already “knows the answer”). Easy queries are answered using the corresponding median value; hard queries are answered as in the Laplace mechanism.
To explain the mechanism precisely, we need to discuss a number of parameters. We take the privacy parameter , the accuracy parameter , and the number of queries as input; these are hard constraints on the performance of our mechanism.We typically think of as small constants, though our results remain meaningful for some sub-constant values of and as well. We always assume that is at least inverse polynomial in . Note that when or is sufficiently small (at most for a small constant , say), simultaneously meaningful privacy and utility is clearly impossible. Our mechanism obeys these constraints with a value of that is inverse polynomial in and , and a value of that is negligible in and , provided is sufficiently large (at least polylogarithmic in and , see Theorem 4.1). Of course, such a result can be rephrased as a nearly exponential lower bound on the number of queries that can be successfully answered as a function of the database size .In contrast, the number of queries that the Laplace mechanism can privately and usefully answer is at most linear.
The median mechanism is shown in Figure 1, and it makes use of several additional parameters. For our analysis, we set their values to:
The denominator in (2) can be thought of as our “privacy cost” as a function of the number of queries . Needless to say, we made no effort to optimize the constants.
The value in Step 2(a) of the median mechanism is defined as
For the Laplace perturbations in Steps 2(a) and 2(d), recall that the distribution has the cumulative distribution function
The motivation behind the mechanism’s steps is as follows. The set is the set of size- databases consistent (up to ) with previous answers of the mechanism to hard queries. The focus on databases with the small size is justified by a VC dimension argument, see Proposition 4.6. Steps 2(a) and 2(b) choose a random value and a random threshold . The value in Step 2(a) is a measure of how easy the query is, with higher numbers being easier. A more obvious measure would be the fraction of databases in for which , but this is a highly sensitive statistic (unlike , see Lemma 4.9). The mechanism uses the perturbed value rather than to privately communicate which queries are easy and which are hard. In Step 2(b), we choose the threshold at random between and . This randomly shifted threshold ensures that, for every database , there is likely to be a significant gap between and ; such gaps are useful when optimizing the privacy guarantee. Steps 2(c) and 2(d) answer easy and hard queries, respectively. Step 2(e) updates the set of databases consistent with previous answers to hard queries. We prove in Lemma 4.7 that Step 2(f) occurs with at most inverse polynomial probability.
Finally, we note that the median mechanism is defined as if the total number of queries is (approximately) known in advance. This assumption can be removed by using successively doubling “guesses” of ; this increases the privacy cost by an factor.
Analysis of Median Mechanism
This section proves the following privacy and utility guarantees for the basic implementation of the median mechanism.
For every sequence of adaptively chosen predicate queries arriving online, the median mechanism is -useful and -differentially private, where is a negligible function of and , and is an inverse polynomial function of and , provided the database size satisfies
We prove the utility and privacy guarantees in Sections 4.1 and 4.2, respectively.If desired, in Theorem 4.1 we can treat as a parameter and solve for the error . The maximum error on any query (normalized by the database size) is ; the unnormalized error is a factor of larger.
Here we prove a utility guarantee for the median mechanism.
The median mechanism is -useful, where .
Note that under assumption (6), is inverse polynomial in and .
We give the proof of Theorem 4.2 in three pieces: with high probability, every hard query is answered accurately (Lemma 4.4); every easy query is answered accurately (Lemmas 4.3 and 4.5); and the algorithm does not fail (Lemma 4.7). The next two lemmas follow from the definition of the Laplace distribution (5), our choice of , and trivial union bounds.
With probability at least , for every query .
With probability at least , every answer to a hard query is -accurate for .
The next lemma shows that median answers are accurate for easy queries.
If for every query , then every answer to an easy query is -accurate for .
For a query , let denote the databases of on which the result of query is -accurate for . Observe that if , then the median value of on is an -accurate answer for . Thus proving the lemma reduces to showing that only if .
Consider a query with . Using (4), we have
Since for every query by assumption, the proof is complete. ∎
Our final lemma shows that the median mechanism does not fail and hence answers every query, with high probability; this will conclude our proof of Theorem 4.2. We need the following preliminary proposition, which instantiates the standard uniform convergence bound with the fact that the VC dimension of every set of predicate queries is at most [Vap96]. Recall the definition of the parameter from (1).
For every collection of predicate queries and every database , a database obtained by sampling points from uniformly at random will satisfy for all except with probability , provided
In particular, there exists a database of size such that for all , .
In other words, the results of predicate queries on an arbitrarily large database can be well approximated by those on a database with size only .
If for every query and every answer to a hard query is -accurate for , then the median mechanism answers fewer than hard queries (and hence answers all queries before terminating).
The plan is to track the contraction of as hard queries are answered by the median mechanism. Initially we have . If the median mechanism answers a hard query , then the definition of the mechanism and our hypotheses yield
We then claim that the size of the set is at most . For if not,
Iterating now shows that the number of consistent databases decreases exponentially with the number of hard queries:
On the other hand, Proposition 4.6 guarantees the existence of a database for which for every query . Since all answers produced by the median mechanism for hard queries are -accurate for by assumption, . This shows that and hence . Combining this with (7) gives
2 Privacy of the Median Mechanism
This section establishes the following privacy guarantee for the median mechanism.
The median mechanism is - differentially private, where is a negligible function of and when is sufficiently large (as in (6)).
Our first lemma states that the small sensitivity of predicate queries carries over, with a factor loss, to the -function defined in (4).
The function has sensitivity for every fixed set of databases and predicate query .
Let and be neighboring databases. Then
where the first inequality follows from the fact that the (predicate) query has sensitivity , the second from the fact that when , and the third from the fact that . ∎
The next lemma identifies nice properties of “typical executions” of the median mechanism. Consider an output of the median mechanism with a database . From and , we can uniquely recover the values computed (via (4)) in Step 2(a) of the median mechanism, with depending only on the first components of and . We sometimes write such a value as , or as if an output has been fixed. Call a possible threshold good for and if and , where is defined as in (3). Call a vector of possible thresholds good for and if all but of the thresholds are good for and .
For every database , with all but negligible () probability, the thresholds generated by the median mechanism are good for its output .
The idea is to “charge” the probability of bad thresholds to that of answering hard queries, which are strictly limited by the median mechanism. Since the median mechanism only allows of the ’s to be 1, we only need to bound the number of queries with output and threshold satisfying , where is the value computed by the median mechanism in Step 2(a) when it answers the query .
Let be the indicator random variable corresponding to the (larger) event that . Define to be 1 if and only if, when answering the th query, the median mechanism chooses a threshold and a Laplace perturbation such that (i.e., the query is classified as hard). If the median mechanism fails before reaching query , then we define . Set and . We can finish the proof by showing that is at most except with negligible probability.
Consider a query and condition on the event that ; this event depends only on the results of previous queries. In this case, only if . But this occurs with probability , which using (3) and (6) is at most .For simplicity, we ignore the normalizing constant in the distribution over ’s in Step 2(b), which is . Therefore, the expected contribution to coming from queries with is at most . Since is selected independently at random for each , the Chernoff bound implies that the probability that such queries contribute more than to is
Now condition on the event that . Let denote the threshold choices that would cause to be 1, and let be the smallest such; since , . For every , ; hence, for every , . Also, our distribution on the ’s in Step 2(b) ensures that . Since the Laplace distribution is symmetric around zero and the random choices are independent, we have
The definition of the median mechanism ensures that with probability 1. Linearity of expectation, inequality (8), and the Chernoff bound imply that queries with contribute at most to with probability at least . The proof is complete. ∎
with some good for , and where is the negligible function of Lemma 4.10. We complete the proof by showing that, for every neighboring database , possible output , and thresholds good for and ,
Fix a neighboring database , a target output , and thresholds good for and . The probability that the median mechanism chooses the target thresholds is independent of the underlying database, and so is the same on both sides of (9). For the rest of the proof, we condition on the event that the median mechanism uses the thresholds (both with database and database ).
Imagine running the median mechanism in parallel on and condition on the events . The set is then the same in both runs of the mechanism, and are now fixed. Let () be 0 if () classifies query as easy and 1 otherwise. Since (Lemma 4.9) and a perturbation with distribution is added to these values before comparing to the threshold (Step 2(a)),
and similarly for the events where . Suppose that the target classification is (a hard query), and let and denote the random variables and , respectively. Independence of the Laplace perturbations in Steps 2(a) and 2(d) implies that
Since the predicate query has sensitivity , we have
Now suppose that , and let denote the median value of on . Then is either 0 (if ) or (if ); similarly, is either 0 or . Thus the bound in (10) continues to hold (even with replaced by ) when .
Since is not much smaller than the privacy target (recall (2)), we cannot afford to suffer the upper bound in (10) for many queries. Fortunately, for queries with good thresholds we can do much better. Consider a query such that is good for and and condition again on , which fixes and hence . Goodness implies that , so the arguments from the previous paragraph also apply here. We can therefore assume that the median value of on equals and focus on bounding in terms of . Goodness also implies that and hence (by Lemma 4.9). Recalling from (3) the definition of , we have
and of course, .
Applying (10) to the bad queries — at most of them, since is good for and — and (11) to the rest, we can derive
which completes the proof of both the inequality (9) and the theorem.
The Median Mechanism: Efficient Implementation
The basic implementation of the median mechanism runs in time . This section provides an efficient implementation, running in time polynomial in , , and , although with a weaker usefulness guarantee.
Assume that the database size satisfies (6). For every sequence of adaptively chosen predicate queries arriving online, the efficient implementation of the median Mechanism is -differentially private for a negligible function . Moreover, for every fixed set of queries, it is -useful for all but a negligible fraction of fractional databases (equivalently, probability distributions).
We note however that even for the small fraction of fractional histograms for which the efficient median mechanism may not satisfy our usefulness guarantee, it does not output incorrect answers: it merely halts after having answered a sufficiently large number of queries using the Laplace mechanism. Therefore, even for this small fraction of databases, the efficient median mechanism is an improvement over the Laplace mechanism: in the worst case, it simply answers every query using the Laplace mechanism before halting, and in the best case, it is able to answer many more queries.
We give a high-level overview of the proof of Theorem 5.1 which we then make formal. First, why isn’t the median mechanism a computationally efficient mechanism? Because has super-polynomial size , and computing in Step 2(a), the median value in Step 2(c), and the set in Step 2(e) could require time proportional to . An obvious idea is to randomly sample elements of to approximately compute and the median value of on ; while it is easy to control the resulting sampling error and preserve the utility and privacy guarantees of Section 4, it is not clear how to sample from efficiently.
We now give a formal analysis of the efficient implementation.
We redefine the sets to represent databases that can contain points fractionally, as opposed to the finite set of small discrete databases. Equivalently, we can view the sets as containing probability distributions over the set of points .
We generalize our query functions to fractional histograms in the natural way:
The update operation after a hard query is answered is the same as in the basic implementation:
Note that each updating operation after a hard query merely intersects with the pair of halfspaces:
and so is a convex polytope for each .
Since is given as the intersection of a set of explicit halfspaces, we have a simple membership oracle to determine whether a given point : we simply check that lies on the appropriate side of each of the halfspaces. This takes time poly, since the number of halfspaces defining is linear in the number of answers to hard queries given before time , which is never more than . Moreover, for each we have Finally, we can safely assume that by simply considering the convex set instead. This will not affect our results.
Therefore, we can implement the median mechanism in time poly by using sets as defined in this section, and sampling from them using the grid walk of [DFK91]. Estimation error in computing and the median value of on by random sampling rather than brute force is easily controlled via the Chernoff bound and can be incorporated into the proofs of Lemmas 4.3 and 4.5 in the obvious way. It remains to prove a continuous version of Lemma 4.7 to show that the efficient implementation of the median mechanism is -useful on all but a negligibly small fraction of fractional histograms .
2 Usefulness for Almost All Distributions
We now prove an analogue of Lemma 4.7 to establish a usefulness guarantee for the efficient version of the median mechanism.
With respect to any set of queries and for any , define
as the set of points that agree up to an additive factor with on every query .
For any , is a convex polytope contained inside . We will prove that the efficient version of the median mechanism is -useful for a database if
We first prove that (12) holds for almost every fractional histogram. For this, we need a preliminary lemma.
Let denote the set of integer points inside . Then with respect to an arbitrary set of queries,
Every rational valued point corresponds to some (large) database by scaling to an integer-valued histogram. Irrational points can be arbitrarily approximated by such a finite database. By Proposition 4.6, for every set of predicates , there is a database with such that for each , . Recalling that the histograms corresponding to databases of size at most are exactly the integer points in , the proof is complete. ∎
All but an fraction of fractional histograms satisfy
Consider a randomly selected fractional histogram . For any we have:
Since , by a union bound we can conclude that except with probability , for any . However, by Lemma 5.2, for some . Therefore, except with probability , . Thus, since , except with negligible probability, we have:
We are now ready to prove the analogue of Lemma 4.7 for the efficient implementation of the median mechanism.
For every set of queries , for all but an fraction of fractional histograms , the efficient implementation of the median mechanism guarantees that: The mechanism answers fewer than hard queries, except with probability ,
We assume that all answers to hard queries are accurate, and that for every . By Lemmas 4.3 and 4.4 — the former adapted to accommodate approximating via random sampling — we are in this case except with probability .
We analyze how the volume of contracts with the number of hard queries answered. Suppose the mechanism answers a hard query at time . Then:
Since all answers to hard queries are accurate, it must be that . Therefore, for an input database that satisfies (12) — and this is all but an fraction of them, by Lemma 5.3 — we have
Combining inequalities (13) and (14) yields
Lemmas 4.4, 4.5, and 5.4 give the following utility guarantee.
For every set of queries, for all but a negligible fraction of fractional histograms , the efficient implementation of the median mechanism is -useful with .
3 Usefulness for Finite Databases
Fractional histograms correspond to probability distributions over . Lemma 5.3 shows that most probability distributions are ‘good’ for the efficient implementation of the Median Mechanism; in fact, more is true. We next show that finite databases sampled from randomly selected probability distributions also have good volume properties. Together, these lemmas show that the efficient implementation of the median mechanism will be able to answer nearly exponentially many queries with high probability, in the setting in which the private database is drawn from some ‘typical’ population distribution. DatabaseSample():
Select a fractional point uniformly at random.
Sample and return a database of size by drawing each independently at random from the probability distribution over induced by (i.e. sample with probability proportional to ).
For as in (6) (as required for the Median Mechanism), a database sampled by DatabaseSample() satisfies (12) except with probability at most .
By lemma 5.3, except with probability , the fractional histogram selected in step satisfies
By lemma 4.6, when we sample a database of size from the probability distribution induced by , except with probability , , which gives us condition (12). ∎
We would like an analogue of lemma 5.3 that holds for all but a diminishing fraction of finite databases (which correspond to lattice points within ) rather than fractional points in , but it is not clear how uniformly randomly sampled lattice points distribute themselves with respect to the volume of . If , then the lattice will be fine enough to approximate the volume of , and lemma 5.3 will continue to hold. We now show that small uniformly sampled databases will also be good for the efficient version of the median mechanism. Here, small means , which allows for databases which are still polynomial in the size of . A tighter analysis is possible, but we opt instead to give a simple argument.
For every such that satisfies (6) and , all but an fraction of databases of size satisfy condition (12).
Finally, let be the event that database fails to satisfy (12). We have:
where the last equality follows from lemma 5.6, which states that is negligibly small. ∎
We observe that we can substitute either of the above lemmas for lemma 5.3 in the proof of lemma 5.4 to obtain versions of Thoerem 5.5:
For every set of queries, for all but a negligible fraction of databases sampled by DatabaseSample, the efficient implementation of the median mechanism is -useful with .
For every set of queries, for all but an fraction of uniformly randomly sampled databases of size , the efficient implementation of the median mechanism is -useful with .
Conclusion
We have shown that in the setting of predicate queries, interactivity does not pose an information theoretic barrier to differentially private data release. In particular, our dependence on the number of queries nearly matches the optimal dependence of achieved in the offline setting by [BLR08]. We remark that our dependence on other parameters is not necessarily optimal: in particular, [DNR+09] achieves a better (and optimal) dependence on . We have also shown how to implement our mechanism in time poly, although at the cost of sacrificing worst-case utility guarantees. The question of an interactive mechanism with poly runtime and worst-case utility guarantees remains an interesting open question. More generally, although the lower bounds of [DNR+09] seem to preclude mechanisms with run-time poly from answering a superlinear number of generic predicate queries, the question of achieving this runtime for specific query classes of interest (offline or online) remains largely open. Recently a representation-dependent impossibility result for the class of conjunctions was obtained by Ullman and Vadhan [UV10]: either extending this to a representation-independent impossibility result, or circumventing it by giving an efficient mechanism with a novel output representation would be very interesting.
Acknowledgments
The first author wishes to thank a number of people for useful discussions, including Avrim Blum, Moritz Hardt, Katrina Ligett, Frank McSherry, and Adam Smith. He would particularly like to thank Moritz Hardt for suggesting trying to prove usefulness guarantees for a continuous version of the BLR mechanism, and Avrim Blum for suggesting the distribution from which we select the threshold in the median mechanism.