The Power of Linear Reconstruction Attacks
Shiva Prasad Kasiviswanathan, Mark Rudelson, Adam Smith
Introduction
The goal of private data analysis is to provide global, statistical properties of a database of sensitive information while protecting the privacy of the individuals whose records the database contains. There is a vast body of work on this problem in statistics and computer science.
Until a few years ago, most schemes proposed in the literature lacked rigor: typically, the schemes had either no formal privacy guarantees or ensured security only against a specific suite of attacks. The seminal results of Dinur and Nissim and Dinur, Dwork and Nissim initiated a rigorous study of the tradeoff between privacy and utility. The notion of differential privacy (Dwork, McSherry, Nissim and Smith , Dwork ) that emerged from this line of work provides rigorous guarantees even in the presence of a malicious adversary with access to arbitrary side information. Differential privacy requires, roughly, that any single individual’s data have little effect on the outcome of the analysis. Recently, many techniques have been developed for designing differentially private algorithms. A typical objective is to release as accurate an approximation as possible to some high-dimensional function evaluated on the database .
A complementary line of work seeks to establish lower bounds on how much distortion is necessary for particular functions . Some of these bounds apply only to specific notions of privacy (e.g., lower bounds for differential privacy ). A second class of bounds rules out any reasonable notion of privacy by giving algorithms to reconstruct almost all of the data given sufficiently accurate approximations to . We refer to the latter results as reconstruction attacks.
We consider reconstruction attacks against attribute privacy: consider a curator who manages a database of sensitive information but wants to release statistics about how a sensitive attribute (say, disease) in the database relates to some nonsensitive attributes (e.g., postal code, age, gender, etc). This setting is widely considered in the applied data privacy literature, partly since it arises with medical and retail data.
Asymptotically, we say that a mechanism is attribute nonprivate if there is an infinite sequence of for which allows -reconstruction. Here is a function of . We say the attack is efficient if it runs in time .
Instead of simply showing that a setting of exists, we will normally aim to show that reconstruction is possible with high probability when is chosen from one of a class of natural distributions.
Such attacks were first considered in the context of data privacy by Dinur and Nissim . They showed that any mechanism which answers (or allows the user to compute) random inner product queries with vectors on a database with noise per query is not private. That is, they assume that the mechanism releases , where is a random matrix in and is a noise vector with . Their attack was subsequently extended to use a linear number of queries , allow a small fraction of answers to be arbitrarily distorted , and run significantly more quickly .
In their simplest form, such inner product queries require the adversary to be able to “name rows”, that is, specify a coefficient for each component of the vector . Thus, the lower bound does not seem to apply to any functionality that is symmetric in the rows of the database (such as, for example, “counting queries”).It was pointed out in that in databases with more than one entry per row, random inner product queries on the sensitive attribute vector can be simulated via hashing: for example, the adversary could ask for the sum the function over the whole database, where is an appropriate hash function. This is a symmetric statistic, but it is unlikely to come up in a typical statistical publication.
Recently, linear attacks were also considered based on range query releases (which, again, are natural, linear queries).
We greatly expand the applicability of linear attacks in “natural” settings. Specifically, we show one can mount linear reconstruction attacks based on any release that gives:
the fraction of records that satisfy a given non-degenerate boolean function (a boolean function over variables is non-degenerate if its multilinear representation has degree exactly ). Such releases include contingency tables as well as more complex outputs like the error rate of certain classifiers such as decision trees; or
the -estimator associated with a differentiable loss function. -estimators are a broad class of estimators which are obtained by minimizing sums of functions of the records (they are also called empirical risk minimization estimators). -estimators include the standard estimators for linear and logistic regression (both these estimators are associated with differentiable loss functions). See Section 4 for definitions.
Our contributions are two-fold. First, we show how these types of releases can be transformed into a (noisy) linear release problem, making them amenable to linear reconstruction attacks. This is already perhaps surprising, since many of the above statistics (like -estimators) are obtained by solving highly nonlinear formulations. After performing this transformation, we can apply polynomial-time methods (like least squares or LP decoding) on this linear release problem to estimate the sensitive data.
Second, we show how to analyze these attacks under various distributional assumptions on the data. This gives lower bounds on the noise needed to release these statistics attribute privately. Specifically, we consider a setting in which the same statistic (either 1 or 2 above) is released about how the sensitive attribute relates to all subsets of (constant) size (out of a total of ) nonsensitive boolean attributes. For a subset of size , let denote the submatrix of consisting of the columns in .
The entries for a statistic are obtained by evaluating the same statistic on for all sets of size . Specifically:
Consider a mechanism which releases, for every set of size , a particular -estimator evaluated over . We show that if the mechanism adds noise per entry and if , then it is attribute non-private. Here, is the Lipschitz constant of the loss function gradient. The loss function also needs to satisfy a mild variance condition. For the case of linear and logistic regression estimators, for bounded data, and so the noise bound is .
The statements above are based on the least squares attack. For most settings, we show the LP decoding attack can also handle a constant fraction of entries with arbitrarily high noise (the exception is the setting of general -estimators).
Casting the releases as a system of linear equations requires two simple insights which we hope will be broadly useful. First, we note that when is boolean, then any release which allows us to derive an equation which involves a sum over database records can in fact be made linear in . Specifically, suppose we know that , where is a real number and is an arbitrary real-valued function that could depend on the index , the public record , and any released information. We can rewrite as ; the constraint can then be written as , which is affine in . This allows us to derive linear constraints from a variety of not-obviously-linear releases; for example, it allows us to get linear attacks based on the error rate of a given binary classifier (see Section 3).
The techniques just mentioned give rise to a variety of linear reconstruction attacks, depending on the type of released statistics. We can provide theoretical guarantees on the performance of these attacks in some settings, for example when the same statistic is released about many subsets of the data (e.g., all sets of a given size ) and when the data records themselves are drawn i.i.d. from some underlying distribution. The main technique here is to analyze the geometry of the constraint matrix that arises in the attack. For the case of non-degenerate boolean functions, we do so by relating the constraint matrix to a row-wise product of a matrix with i.i.d. entries (referred to as a random row product matrix, see Section 3.2.1), which was recently analyzed by Rudelson (see also ). The results of showed that the least singular value of a random row product matrix is asymptotically the same as that of a matrix of same dimensions with i.i.d. entries, and a random row product matrix is a Euclidean section. Our results show that a much broader class of matrices with correlated rows satisfy these properties.
In Section 2, we introduce some notation and review the least squares and LP decoding techniques for solving noisy linear systems. In Section 3, we present our results on evaluating non-degenerate boolean functions. As mentioned earlier, we first reduce the release problem to a linear reconstruction problem (Section 3.1), and then the attacks works by using either least squares or LP decoding techniques. The analysis requires analyzing spectral and geometric properties of the constraint matrix that arises in these attack which we do in Section 3.2. In Section 4, we present our results on releasing -estimators associated with differentiable loss functions. For clarity, we first discuss the attacks for the special cases of linear and logistic regression estimators (in Section 4.1), and then discuss the attacks for the general case (in Section 4.2).
Preliminaries
Let be an real matrix with . The singular values are the eigenvalues of arranged in non-increasing order. Of particular importance in this paper is the least singular value . The unit sphere in dimensions centered at origin is denoted by .
1 Background on Noisy Linear Systems.
Noisy linear systems arise in a wide variety of statistical and signal-processing contexts. Suppose we are given a matrix and vector such that , where is assumed to be “small” (in a sense defined below). A natural approach to estimating is to output for some . We will consider and ; we summarize the assumptions and guarantees for each method below. When it is known that , the attacker can then round the entries of to the nearer of to improve the estimate.
Widely used in regression problems, the least squares method guarantees a good approximation to when the Euclidean norm is small and has no small eigenvalues. It was first used in data privacy by Dwork and Yekhanin . For completeness, we present the entire analysis of this attack (in a general setting) here.
Let be the singular value decomposition of . Here, is an orthogonal matrix, is a diagonal matrix, and is an orthogonal matrix. Let be an matrix with all entries zero. Define
In the context of privacy, the “LP decoding” approach was first used by Dwork et al. . (The name stems from the fact that the minimization problem can be cast as a linear program.) The LP attack is slower than the least squares attack but can handle considerably more complex error patterns at the cost of a stronger assumption on . Recently, De gave a simple analysis of this attack based on the geometry of the operator . We need the following definition of Euclidean section.
Note that by Cauchy-Schwarz, the first inequality, , always holds. We remark that when we say is Euclidean, we simply mean that there is some constant such that is -Euclidean.
The following theorem gives a sufficient condition under which LP decoding gives a good approximation to . The time bound here was derived from the LP algorithm of Vaidya , which uses arithmetic operations where is the number of constraints, is the number of variables, and is a bound on the number of bits used to describe the entries of . In our setting, the LP has variables, constraints, and could be upper bounded by , and therefore the LP could be solved in time.
Releasing Evaluations of Non-Degenerate Boolean Functions
In this section, we analyze privacy lower bounds for releasing evaluations of non-degenerate boolean functions. We use the following standard definition of representing polynomial (see Appendix A for a background about representing boolean functions as multilinear polynomials).
A polynomial over the reals represents a function over if for all .
A function is non-degenerate iff it can be written as a multilinear polynomial of degree .
If is non-degenerate, then it depends on all of its variables. Note that non-degenerate functions constitute a large class of functions.A simple counting argument shows that among the boolean functions over variables, are non-degenerate. For example, it includes widely used boolean functions like AND, OR, XOR, MAJORITY, and depth decision trees .
Let represent the function that we want to evaluate on a database . Let , where and . Let , i.e., denotes the th entry in (with and ). Let
Note that allows repeated entries.We allow repeated entries for convenience of notation. Our results also hold if we use the more natural , . Let be the submatrix of restricted to columns indexed by . For a fixed , define as
Note that is an integer between to . Let be the vector obtained by computing on all different ’s: . Note that is a vector of length . The goal is to understand how much noise is needed to attribute privately release (or ) when is non-degenerate.
Let be a non-degenerate boolean function. Then
any mechanism which for every database with releases by adding (or releases by adding ) noise to each entry is attribute non-private. The attack that achieves this non-privacy violation runs in time.
there exists a constant such that any mechanism which for every database with releases by adding (or releases by adding ) noise to at most fraction of the entries is attribute non-private. The attack that achieves this non-privacy violation runs in time.
For convenience of notation, in this section, we work mostly with the transpose of . Let . So is a matrix.
1 Reducing to a Linear Reconstruction Problem.
In this section, we reduce the problem of releasing for a database into a linear reconstruction problem. First, we define a simple decomposition of boolean functions. Consider a non-degenerate boolean function . Now there exists two function and such that
Define . Therefore,
Note that is a function from . Since both and are both boolean functions and can be represented as multilinear polynomials over the variables , therefore also could be represented as a multilinear polynomial over the variables . Since is represented by a multilinear polynomial of degree , therefore, the multilinear polynomial representing has degree (if it has any lower degree, then could be represented as multilinear polynomial of degree strictly less than , which is a contradiction). To aid our construction, we need to define a particular function of matrices.
Let be a function from . Let be matrices with entries and dimensions . Define a row function matrix (of dimension ) as follows. Any row of this matrix will correspond to a sequence
of numbers, so the entries of will be denotedThe definition assumes a certain order of the rows of the matrix . This order, however, is not important, for our analysis. Note that changing the relative positions of rows of a matrix doesn’t affect its eigenvalues and singular values. by , where . For the entries of the matrix will be defined by the relation
The row product matrices from (see Definition 6) is a particular example of this construction where the function , which implies that , where is the row-product operator from Definition 6.
Let be a database, and let . Let . Consider any fixed . Now for this , there exists an entry in equaling . Now consider the matrices and . Consider the rows in and corresponding to this above . Let this be the th row in these matrices. Then the th row of the matrix has entries equaling and the th row of the matrix has entries equaling for . Since
where and denote the th row of matrices and respectively and denotes the vector . Now define a vector whose th element () is
The length of vector is . The above arguments show that all the entries of are contained in the vector . Since every row in these correspond to some , it also follows that all the entries of are contained in the vector , implying the following claim.
.Under proper ordering of both the vectors.
The privacy mechanism releases a noisy approximation to . Let be this noisy approximation. The adversary tries to reconstruct an approximation of from . Let , and . Given , the adversary solves the following linear reconstruction problem:
In the setting of attribute non-privacy the adversary knows , and therefore can compute and (hence, ). The goal of the adversary is to compute a large fraction of given . The definition of iterated logarithm is given in Definition 8. In the below analysis, we use a random matrix and the least singular value lower bound on a random row function matrix from Theorem 3.9. We use boldface letters to denote random matrices.
Let be a non-degenerate boolean function and for a constant depending only on . Any privacy mechanism which for every database releases by adding (or releases by adding ) noise to each entry is attribute non-private. The attack that achieves this non-privacy violation runs in time.
Consider the least squares attack outlined in Theorem 2.1 on Equation (3). Let be a random matrix of dimension with independent Bernoulli entries taking values and with probability , and let database for some . For analyzing the attack in Theorem 2.1, we need a lower bound on the least singular value of . The following claim follows from Theorem 3.9. Note that is a function over variables.
For function defined above and (where is the constant from Theorem 3.8), the matrix satisfies
Apply Theorem 3.9 with function . ∎
Claim 2 shows that with exponentially high probability . Invoking Theorem 3.9 with and shows that with exponentially high probability the adversary fails to recover only entries of . Noise bound of for releasing translates into a noise bound of for releasing . ∎
The LP decoding attack solves a slightly different reconstruction problem than Equation (3). The reason is because is not a Euclidean sectionIf we take a matrix of dimension with independent Bernoulli entries taking values and with probability , the resulting matrix is not a Euclidean section. This is because the matrix is non-centered (expectation of each entry in the matrix is ) which makes the to be instead of . (a property needed for applying Theorem 2.2). However, we show that a related reconstruction problem has all the properties needed for the LP decoding attack. The analysis goes via matrices with entries which have the desired properties. We establish the Euclidean section property in Appendix B.
Let be a database, and let . Let where is a matrix of all ’s. Define as
where and . Using the notation, and , we get
Define and . Let us denote . Using the decomposition of from Equation (1),
Using the notation, and , and substituting the decomposition of and into Equation (4) gives:
Let , , and . Then
Note that from the earlier established decomposition
The reminder of the proof follows by using Equation (5) along with the definition of row-function matrices (Definition 5). ∎
Then . Let . We get
Let be the noisy approximation to released by the privacy mechanism. Given , the linear program that the adversary solves is:
The following theorem analyzes this attack using a random matrix .
Let be a non-degenerate boolean function and let for a constant depending only on . Then there exists a constant such that any mechanism which for every database releases by adding (or releases by adding ) noise to at most fraction of the entries is attribute non-private. The attack that achieves this non-privacy violation runs in time.
The proof uses the LP decoding attack outlined in Theorem 2.2 on Equation (7). Let be a random matrix of dimension with independent Bernoulli entries taking values and with probability , and let database for some . Let . To use Theorem 2.2, we need to (i) establish that is a Euclidean section and (ii) establish a lower bound on its least singular value. Since has a representation as a multilinear polynomial of degree , Theorem B.4 shows that is with exponentially high probability a Euclidean section. Repeating an analysis similar to Theorem 3.9 shows that the least singular value of is with exponentially high probability at least . Hence, with exponentially high probability both of the following statements hold simultaneously: (i) is a Euclidean section and (ii) .
Invoking Theorem 2.2 with , , , and shows that with exponentially high probability the adversary fails to recover only entries of . This shows that the mechanism is attribute non-private.
In the running time analysis of Theorem 2.2, gets replaced by , and by (as the input matrix can be represented using bits). Noise bound of for releasing translates into a noise bound of for releasing . ∎
2 Spectral and Geometric Properties of Random Row Function Matrices.
Analysis of our reconstruction attacks rely on spectral and geometric properties of random row function matrices that we discuss in this section. Rudelson and Kasiviswanathan et al. analyzed certain spectral and geometric properties of a certain class of correlated matrices that they referred to as row product matrices (or conjunction matrices). Our analysis builds upon these results. We first summarize some important definitions and useful results from in Section 3.2.1, and establish our least singular value bound in Section 3.2.2. The Euclidean section property is established in Appendix B.
For two matrices with the same number of columns we define the row product as a matrix whose rows consist of entry-wise product of the rows of original matrices.
Rudelson showed that if we take entry-wise product of independent random matrices of dimension , then the largest and the least singular values of the resulting row product matrix (which of dimension ) is asymptotically the same order as that of a matrix with i.i.d. entries. To formulate this result formally, we introduce a class of uniformly bounded random variables, whose variances are uniformly bounded below.
We would also need the notion of iterated logarithm () that is defined as:
Let be natural numbers. Assume that Let be matrices with independent -random entries and dimensions . Then the -times entry-wise product is a matrix satisfying
The constants depends only on and .
One of the main ingredients in proving the above theorem is following fact about the norm of row product matrices.
Let be a matrix with independent -random entries and dimension . Then the -times entry-wise product is a matrix satisfying
The constants depends only on .
The bound on the norm appearing in the above theorem (asymptotically) matches that for a matrix with independent -random entries (refer for more details).
2.2 Least Singular Value of Random Row Function Matrices.
We start by proving a simple proposition about functions that can be represented as multilinear polynomials. The main step behind the following proposition proof is the following simple fact about multilinear polynomials. Let be a multilinear polynomial representing function , and let and then
Let be a function from having a representation as a multilinear polynomial of degree . Let denote this multilinear polynomial. Let . For let be the point with coordinates . Then
where is the coefficient of the monomial corresponding to all variables in the multilinear representation of .
By definition, we know that for all , . Since is a linear function of ,
where denotes the partial derivative of with respect to . Repeating this for the other coordinates, we get
The last term in the right hand side is the coefficient of the polynomial corresponding to the monomial , and we denote it by . ∎
Let be matrices with entries and dimensions . For a set denote . Then the following holds,
Follows by a simple extension of Proposition 3.6 and using Definitions 5 and 6. ∎
Let be natural numbers. Assume that . Consider a matrix with independent Bernoulli entries taking values 0 and 1 with probability . Let be a function from having a representation as a multilinear polynomial of degree . Then the matrix satisfies
The constants depend only on and .
Let , where . For denote by the submatrix of consisting of rows , and by the submatrix consisting or rows . For a set denote
The last inequality follows since is a submatrix of , which implies that
The entries of the matrices are independent -random variables. Thus, Theorem 3.4 (note that yields
which along with Equation (8) proves the theorem. Note that can be bounded as a function of alone. ∎
Combining Theorem 3.8 with Cauchy-Schwarz’s inequality, we obtain a lower bound on the least singular value of . It is well known that the least singular value of a matrix with independent -random entries is . Therefore, we get that in spite of all the correlations that exist in its least singular value is asymptotically the same order as that of an i.i.d. matrix.
The right-hand side probability could be bounded using Theorem 3.8 and the left-hand probability is exactly . ∎
Releasing M𝑀M-estimators
Let be a database dimension , and let be a real-valued matrix of dimension and be a (secret) vector. Let . Consider the submatrix of , where . Let be the -estimator for defined as
where is the th row in . Then -estimators for is obtained by solving
This gives a set of constraints over which the adversary could use to construct . For the case of linear and logistic regression, Equation (10) reduces to a form , where is a vector independent of . For general loss function, we would use the fact that is binary and use a decomposition similar to Equation (1). The other issue is that the adversary gets only a noisy approximation of and we overcome this problem by using the Lipschitz properties of the gradient of the loss function.
In the next subsection, we focus on the standard MLE’s for linear and logistic regression. In Section 4.2, we consider general -estimators. Here, we would require an additional variance condition on the loss function. We would use this following standard definition of Lipschitz continuous gradient.
Remark: Also, for any twice differentiable function , for all (where denotes the Hessian matrix) .
1 Releasing Linear and Logistic Regression Estimators.
In this section, we establish distortion lower bounds for attribute privately releasing linear and logistic regression estimators.
Logistic regression models estimate probabilities of events as functions of independent variables. Let be binary variable representing the value on the dependent variable for th input, and the values of independent variables for this same case be represented as (). Let denote the total sample size, and let denote the probability of success ). The design matrix of independent variables, , is composed of rows and columns.
The logistic regression model equates the logit transform, the log-odds of the probability of a success, to the linear component:
where the notation denotes vertical concatenation of the argument matrices/vectors. Our analysis will require a bound on the Lipschitz constant of the gradient of the log-likelihood function, which we bound using the following claim.
Let , where each is an matrix (assume is a multiple of ). Let be the solution to the MLE equation
This reduction is very similar to the linear regression case. As before let . Let be the solution to the MLE equation
In the following analysis, we use a random matrix for where each entry of the random matrix is an independent -random variable (Definition 7).
Let us first look at the least squares attack. Let (i.e., is the error vector). We have for all (as is a -random matrix, all entries in the matrix are at most , and is the th column in ). The least squares attack produces an estimate by solving:
The remaining analysis is similar to Theorem 2.1, except that again each error term is scaled up by a factor (at most) . Since is a -random matrix, it is well-known that if , then the least singular value of is with exponentially high probability (see, e.g., ). Therefore, if a privacy mechanism adds The in the denominator is because of the scaling of the noise . noise to each , then the least squares attack with exponentially high probability recovers fraction of the entries in . The time for executing this attack is as the attack requires computing the SVD of a matrix.
The LP decoding attack produces an estimate by solving:
where (using Claim 4). Therefore,
The least squares attack produces an estimate by solving:
The remaining analysis follows as in the linear regression case (from Theorem 2.1) and again the errors are scaled by a factor (at most) . Therefore, if a privacy mechanism adds noise to each , then the least squares attack with exponentially high probability recovers fraction of the entries in . The time for executing this attack is .
The LP decoding attack produces an estimate by solving:
Again like in the linear regression case (using Theorem 2.2), we get that any mechanism that adds noise to at most fraction of the ’s is attribute non-private. The time for executing this attack is . ∎
Compared to Theorems 3.2 and 3.3, this above theorem requires a much larger (about ). However, it is possible to reduce to dependence on if the released statistic is a degree polynomial kernel of these regression functions. We defer the details to the full version.
2 Releasing General M𝑀M-estimators.
In this section, we establish distortion lower bounds for attribute privately releasing -estimators associated with differentiable loss functions.
Now the -estimator () between and can be found by setting . Therefore, is the solution to (ignoring the scaling multiplier )
Let , where is a -random matrix of dimension .
Let be four matrices of dimension defined as follows:
The adversary solves the following reconstruction problem to compute :
: Least Singular Value. Since is a -random matrix, is another random matrix. However, may not be centered (i.e., its entries might have non-zero means). We can re-express as
.
, where is a -random matrix. The rank of is , and its operator norm can be polynomially bounded in . Applying Lemma D.2 implies the result. ∎
Least Squares Attack. The least squares attack produces an estimate by solving:
The analysis is similar to Theorem 2.1, except that each error term is scaled up by a factor (at most) . Therefore, if a privacy mechanism adds noise to each , then the least squares attack with exponentially high probability recovers fraction of the entries in . The time for executing this attack is .
References
Appendix A Preliminaries about Boolean Functions
We start with an alternate definition of non-degeneracy and show that it is equivalent to Definition 4.
A boolean function is called non-degenerate if
Consider the function defined by
Let . For let be the corresponding Walsh function. Then the function can be decomposed as
Note that , and so iff . We have
where , the lemma follows. ∎
Remark: There are 10 non-degenerate functions of two boolean variables:
The remaining boolean functions of two variables are degenerate.
Appendix B Euclidean Section Property of Random Row Function Matrices
In this section, we establish the Euclidean section property needed for Theorem 3.3 (LP decoding attack). Let us consider a function having a representation as a multilinear polynomial of degree . Let denote this multilinear polynomial. We first prove a proposition analogous to Proposition 3.6 for . For , let us define
That is is the multilinear polynomial restricted to variables only in . Under this notation
Let be a function from having a representation as a multilinear polynomial of degree . Let be this multilinear polynomial. Let . Then
where is the coefficient of the monomial corresponding to all variables in .
The proof is similar to Proposition 3.6. Since is a linear function in ,
where is the partial derivative of with respect to . Repeating this for other coordinates, we get
so the above equation could be re-expressed as
The last term in the right hand side is the coefficient of the polynomial corresponding to the monomial , and we denote it by . ∎
Let be matrices with entries and dimensions . Let us define a matrix as in Definition 5 using the multilinear polynomial . More concretely, for the entry of the matrix will be defined by the relation
Using this definition, the following corollary follows immediately from Proposition B.1.
Let be matrices with entries and dimensions . Then
Let be natural numbers. Consider a matrix with independent Bernoulli entries taking values and with probability . Let be a function from having a representation as a multilinear polynomial of degree . Then the matrix satisfies
The constants depend only on .
To prove the theorem, we use induction over the size of . Our inductive claim is that for every ,
where constants depend only on .
Since is a random matrix, it is well known that (see e.g., ) there exists constant such that
Therefore, there exists constants such that
Step 2. Let , i.e., . We want to bound . By inductive hypothesis, we assume that for every ,
where constants depend only on . From Theorem 3.5, we know that the -times entry wise product satisfies the following norm condition (as is matrix with independent -random entries)
where again the constants depend only on . From Equations (18) and (19), we get that there exists constants (depending only on ) such that
The last inequality comes by applying triangle inequality and then using from Equation (20). Note that for , . This completes the proof of the theorem. ∎
Let be natural numbers. Assume that . Consider a matrix with independent Bernoulli entries taking values and with probability . Let be a function having a representation as a multilinear polynomial of degree . Then the matrix is with exponentially high probability a Euclidean section.
Note that the proof idea of Theorem 3.8 also works for . That is if then
If , then there exists a constant (depending only on ) such that
Therefore, with probability at least , there exists a (depending only on and ) such that
This shows that the matrix is with exponentially high probability a Euclidean section. ∎
Appendix C MLE’s for Linear and Logistic Regression
Consider the linear regression problem . The likelihood function for linear regression (under the assumption that the entries in are normally distributed) is:
where is the th row in . The log-likelihood is:
For the logistic regression problem, the likelihood function (under the assumption that the entries in are binomially distributed) is:
Appendix D Least Singular Value of Perturbed Random Matrices
In this section, we bound the least singular value of a random matrix perturbed by a low rank matrix. We need the following fact.
The constants , and are all independent of and .
For this follows from Proposition 2.5 and the standard estimate of the norm of a subgaussian matrix (see e.g., Proposition 2.3 ). The proof for a general follows the same lines.
The lemma below gives an estimate of the smallest singular value of a perturbed random matrix.
Let be a random matrix with independent centered subgaussian entries with variances uniformly bounded below and . Let be a deterministic matrix such that , where is a constant. If
The constants , and are all independent of and .
for and for . Assume that there exists such that . Choose so that . Then
The last inequality follows from the assumption on . Here, and are constants independent of and . ∎