Extremal Mechanisms for Local Differential Privacy

Peter Kairouz, Sewoong Oh, Pramod Viswanath

Introduction

In statistical analyses involving data from individuals, there is an increasing tension between the need to share data and the need to protect sensitive information about the individuals. For example, users of social networking sites are increasingly cautious about their privacy, but still find it inevitable to agree to share their personal information in order to benefit from customized services such as recommendations and personalized search (Acquisti, 2004; Acquisti and Grossklags, 2007). There is a certain utility in sharing data for both data providers and data analysts, but at the same time, individuals want plausible deniability when it comes to sensitive information.

For such applications, there is a natural core optimization problem to be solved. Assuming both the data providers and analysts want to maximize the utility of the released data, how can they do so while preserving the privacy of participating individuals? The formulation and study of a framework that addresses the fundamental tradeoff between utility and privacy is the focus of this paper.

The need for data privacy appears in two different contexts: the local privacy context, as in when individuals disclose their personal information (e.g., voluntarily on social network sites), and the global privacy context, as in when institutions release databases of information of several people or answer queries on such databases (e.g., US Government releases census data, companies like Netflix release proprietary data for others to test state of the art machine learning algorithms). In both contexts, privacy is achieved by randomizing the data before releasing it. We study the setting of local privacy, in which data providers do not trust the data collector (analyst). Local privacy dates back to Warner (1965), who proposed the randomized response method to provide plausible deniability for individuals responding to sensitive surveys.

A natural notion of privacy protection is making inference of information beyond what is released hard. Differential privacy has been proposed in the global privacy context to formally capture this notion of privacy (Dwork, 2006; Dwork et al., 2006b; Dwork and Lei, 2009). In a nutshell, differential privacy ensures that an adversary should not be able to reliably infer an individual’s record in a database, even with unbounded computational power and access to every other record in the database. Recently, Duchi et al. (2013) extended the notion of differential privacy to the local privacy context. Formally, consider a setting where there are $n$ data providers each owning a data $X_{i}$ defined on an input alphabet ${\cal X}$ . The $X_{i}$ ’s are independently sampled from some distribution $P_{\nu}$ parameterized by $\nu$ . A statistical privatization mechanism $Q$ is a conditional distribution that maps $X_{i}\in{\cal X}$ stochastically to $Y_{i}\in{\cal Y}$ , where ${\cal Y}$ is an output alphabet possibly larger than ${\cal X}$ . The $Y_{i}$ ’s are referred to as the privatized (sanitized) views of $X_{i}$ ’s. In a non-interactive setting, the same privatization mechanism $Q$ is used locally by all individuals. This setting is shown in Figure 1 for the special case of $n=2$ . For some non-negative $\varepsilon$ , we follow the definition of Duchi et al. (2013) and say that a mechanism $Q$ is $\varepsilon$ -locally differentially private if

2 Information theoretic utilities for statistical analysis

In analyses of statistical databases, the analyst is interested in the statistics of the data as opposed to individual records. Naturally, the utility should also be measured in terms of the distribution rather than sample quantities. Concretely, consider a client-server setting where each client with data $X_{i}$ releases $Y_{i}$ , a privatized version of the data, via a non-interactive $\varepsilon$ -locally differentially private privatization mechanism $Q$ . Assume all the clients use the same privatization mechanism $Q$ , and each client’s data is an i.i.d. sample from a distribution $P_{\nu}$ for some parameter $\nu$ . Given the privatized views $\{Y_{i}\}_{i=1}^{n}$ , the data analyst would like to make inferences based on the induced marginal distribution

for $S\subseteq{\cal Y}$ . We consider a broad class of convex utility functions, and identify the class of optimal mechanisms, which we call staircase mechanisms, in Section 2. We apply this framework to two specific applications: (a) hypothesis testing where the utility is measured in $f$ -divergences (Section 3) and (b) information preservation where the utility is measured in mutual information (Section 4).

In the binary hypothesis testing setting, $\nu\in\{0,1\}$ ; therefore, $X$ can be generated by one of two possible distributions $P_{0}$ and $P_{1}$ . The power to discriminate data generated from $P_{0}$ to data generated from $P_{1}$ depends on the ‘distance’ between the marginals $M_{0}$ and $M_{1}$ . To measure the ability of such statistical discrimination, our choice of utility of a particular privatization mechanism $Q$ is an information theoretic quantity called Csiszár’s $f$ -divergence defined as

for some convex function $f$ such that $f(1)=0$ . The Kullback-Leibler (KL) divergence $D_{\rm kl}(M_{0}||M_{1})$ is a special case with $f(x)=x\log x$ , and so is the total variation distance $\|M_{0}-M_{1}\|_{\rm TV}$ with $f(x)=(1/2)|x-1|$ . Such $f$ -divergences capture the quality of statistical inference, such as minimax rates of statistical estimation or error exponents in hypothesis testing (Tsybakov and Zaiats, 2009; Cover and Thomas, 2012). As a motivating example, suppose a data analyst wants to test whether the data is generated from $P_{0}$ or $P_{1}$ based on privatized views $Y_{1},\ldots,Y_{n}$ . According to Chernoff-Stein’s lemma, for a bounded type I error probability, the best type II error probability scales as $e^{-n\,D_{\rm kl}(M_{0}||M_{1})}$ . Naturally, we are interested in finding a privatization mechanism $Q$ that minimizes the probability of error by solving the following constraint maximization problem

where $\mathcal{D}_{\varepsilon}$ is the set of all $\varepsilon$ -locally differentially private mechanisms satisfying (1).

In the information preservation setting, $X$ is generated from an underlying distribution $P$ . We are interested in quantifying how much information can be preserved when releasing a private view of the data. In other words, the data provider would like to release an $\varepsilon$ -locally differentially private view $Y$ of $X$ that preserves the amount of information in $X$ as much as possible. The utility in this case is measured by the mutual information between $X$ and $Y$

Mutual information, as the name suggests, measures the mutual dependence between two random variables. It has been used as a criterion for feature selection and as a measure of similarity between two different clusterings of a data set, in addition to many other applications in signal processing and machine learning. To characterize the fundamental tradeoff between privacy and mutual information, we solve the following constrained maximization problem

where $\mathcal{D}_{\varepsilon}$ is the set of all $\varepsilon$ -locally differentially private mechanisms satisfying (1).

Motivated by such applications in statistical analysis, our goal is to provide a general framework for finding optimal privatization mechanisms that maximize information theoretic utilities under local differential privacy. We demonstrate the power of our techniques in a very general setting that includes both hypothesis testing and information preservation.

3 Our contributions

We study the fundamental tradeoff between local differential privacy and a rich class of convex utility functions. This class of utilities includes several information theoretic quantities such as mutual information and $f$ -divergences. The privacy-utility tradeoff is posed as a constrained maximization problem: maximize utility subject to local differential privacy constraints. This maximization problem is (a) nonlinear: the utility functions we consider are convex in $Q$ ; (b) non-standard: we are maximizing instead of minimizing a convex function; and (c) infinite dimensional: the space of all differentially private mechanisms is infinite dimensional. We show, in Theorem 2, that for all utility functions considered and any privacy level $\varepsilon$ , a finite family of extremal mechanisms (a finite subset of the corner points of the space of differentially private mechanisms), which we call staircase mechanisms, contains the optimal privatization mechanism. We further prove, in Theorem 4, that solving the original privacy-utility problem is equivalent to solving a finite dimensional linear program, the outcome of which is the optimal mechanism. However, solving this linear program can be computationally expensive because it has $2^{|{\cal X}|}$ variables. To account for this, we show that two simple staircase mechanisms (the binary and randomized response mechanisms) are optimal in the high and low privacy regimes, respectively, and well approximate the intermediate regime. This contributes an important progress in the differential privacy area, where the privatization mechanisms have been few and almost no exact optimality results are known. As an application, we show that the effective sample size reduces from $n$ to $\varepsilon^{2}n$ under local differential privacy in the context of hypothesis testing.

We also study the fundamental tradeoff between utility and approximate differential privacy, a generalized notion of privacy that was first introduced in Dwork et al. (2006a). The techniques we develop for differential privacy do not generalize to approximate differential privacy. To account for this, we use an operational interpretation of approximate differential privacy (developed in Kairouz et al. (2014a)) to prove that a simple mechanism maximizes utility for all levels of privacy when the data is binary.

4 Related work

Our work is closely related to the recent work of Duchi et al. (2013) where an upper bound on $D_{\rm kl}(M_{0}||M_{1})$ was derived under the same local differential privacy setting. Precisely, Duchi et. al. proved that the KL-divergence maximization problem in (4) is at most $4(e^{\varepsilon}-1)^{2}\|P_{1}-P_{2}\|_{TV}^{2}$ . This bound was further used to provide a minimax bound on statistical estimation using information theoretic converse techniques such as Fano’s and Le Cam’s inequalities. Such tradeoffs also provide tools for comparing various notions of privacy (Barber and Duchi, 2014).

In a similar spirit, we are also interested in maximizing information theoretic quantities under local differential privacy. We generalize the results of Duchi et al. (2013), and provide stronger results in the sense that we $(a)$ consider a broader class of information theoretic utilities; $(b)$ provide explicit constructions for the optimal mechanisms; and $(c)$ recover the existing result of (Duchi et al., 2013, Theorem 1) (with a stronger condition on $\varepsilon$ ).

Our work also provides a formal connection to an information theoretic notion of privacy called information leakage (Chatzikokolakis et al., 2010; Sankar et al., 2013). Given a privatization mechanism $Q$ , the information leakage is measured by the mutual information between the private data $X$ and the released output $Y$ , i.e. $I(X;Y)$ . Information leakage has been widely studied as a practical notion of privacy. However, connections to differential privacy have been studied only indirectly through comparisons to how much distortion is incurred under the two notions of privacy (Sarwate and Sankar, 2014; Wang et al., 2014a). We show that under $\varepsilon$ -local differential privacy, $I(X;Y)$ is upper bounded by $0.5\varepsilon^{2}\max_{A\subseteq{\cal X}}P(A)P(A^{c})+O(\varepsilon^{3})$ for small $\varepsilon$ . Moreover, we provide an explicit privatization mechanism that achieves this bound.

While there is a vast literature on differential privacy, exact optimality results are only known for a few cases. The typical recipe is to propose a differentially private mechanism inspired by the work of Dwork (2006); Dwork et al. (2006b); McSherry and Talwar (2007) and Hardt and Rothblum (2010), and then establish its near-optimality by comparing the achievable utility to a converse, for example in linear dynamical systems (Wang et al., 2014b), principal component analysis (Chaudhuri et al., 2012; Blocki et al., 2012; Hardt and Roth, 2012; Kapralov and Talwar, 2013), linear queries (Hardt and Talwar, 2010; Hardt et al., 2012), logistic regression (Chaudhuri and Monteleoni, 2008) and histogram release (Lei, 2011). In this paper, we take a different route and solve the utility maximization problem exactly.

Optimal differentially private mechanisms are known only in a few cases. Ghosh et al. (2012) showed that the geometric noise adding mechanism is optimal (under a Bayesian setting) for monotone utility functions under count queries (sensitivity one). This was generalized by Geng et. al. (for a worst-case input setting) who proposed a family of mechanisms and proved its optimality for monotone utility functions under queries with arbitrary sensitivity (Geng and Viswanath, 2012, 2013a, 2013b). The family of optimal mechanisms was called staircase mechanisms because for any $y$ and any neighboring $x$ and $x^{\prime}$ , the ratio of $Q(y|x)$ to $Q(y|x^{\prime})$ takes one of three possible values $e^{\varepsilon}$ , $e^{-\varepsilon}$ , or $1$ . Since the optimal mechanisms we develop also have an identical property, we retain the same nomenclature.

5 Organization

The remainder of the paper is organized as follows. In Section 2, we introduce the family of staircase mechanisms, prove its optimality for a broad class of convex utility functions, and study its combinatorial structure. In Section 3, we study the problem of private hypothesis testing and prove that two staircase mechanisms, the binary and randomized response mechanisms, are optimal for KL-divergence in the high and low privacy regimes, respectively, and (nearly) optimal the intermediate regime. We show, in Section 4, similar results for mutual information. In Section 5, we study approximate local differential privacy, a more general notion of local privacy. Finally, we conclude this paper in Section 6 with a few interesting and nontrivial extensions.

Main Results

In this section, we first present a formal definition for staircase mechanisms and prove that they are the optimal solutions to optimization problems of the form (8). We then provide a combinatorial representation for staircase mechanisms that allows us to reduce the infinite dimensional nonlinear program of (8) to a finite dimensional linear program with $2^{|{\cal X}|}$ variables. For any given privacy level $\varepsilon$ and utility function $U(\cdot)$ , one can solve this linear program to obtain the optimal privatization mechanism, albeit with significant computational challenges since the number of variables scales exponentially in the alphabet size. To address this issue, we prove, in Sections 3 and 4, that two simple staircase mechanisms, which we call the binary mechanism and the randomized response mechanism, are optimal in the high and low privacy regimes, respectively, and well approximate the intermediate regime.

Let $Q_{y}$ be the column of $Q$ corresponding to $Q(y|\cdot)$ and $\mu$ be any sublinear function. We are interested in utilities that can be decomposed into a sum of sublinear functions. We study the fundamental tradeoff between privacy and utility by solving the following constrained maximization problem

This includes maximization over information theoretic quantities of interest in statistical estimation and hypothesis testing such as mutual information, total variation, KL-divergence, and $\chi^{2}$ -divergence (Tsybakov and Zaiats, 2009). Since sub-linearity implies convexity, (8) is in general a complicated nonlinear program: we are maximizing (instead of minimizing) a convex function in $Q$ ; further, the dimension of $Q$ might be unbounded: the optimal privatization mechanism $Q^{*}$ might produce an infinite output alphabet ${\cal Y}$ . The following theorem proves that one never needs an output alphabet larger than the input alphabet in order to achieve the maximum utility, and provides a combinatorial representation for the optimal solution.

For any sublinear function $\mu$ and any $\varepsilon\geq 0$ , there exists an optimal mechanism $Q^{*}$ maximizing the utility in (8) over all $\varepsilon$ -locally differentially private mechanisms, such that

the output alphabet size is at most the input alphabet size, i.e. $|{\cal Y}|\leq|{\cal X}|$ ; and

for all $y\in{\cal Y}$ , and $x,x^{\prime}\in{\cal X}$

The first claim of bounded alphabet size is more generally true for any general utility $U\left(Q\right)$ that is convex in $Q$ (not necessarily decomposing into a sum of sublinear functions as in (8)). The second claim establishes that there is an optimal mechanism with an extremal structure; the absolute value of the log-likelihood ratios can only take one of the two extremal values: 0 or $e^{\varepsilon}$ (see Figure 2 for example). We refer to such a mechanism as a staircase mechanism, and define the family of staircase mechanisms formally as

For all choices of $U\left(Q\right)=\sum_{{\cal Y}}\mu(Q_{y})$ and any $\varepsilon\geq 0$ , Theorem 2 implies that the family of staircase mechanisms includes the optimal solutions to maximization problems of the form (8). Notice that staircase mechanisms are $\varepsilon$ -locally differentially private, since any $Q$ satisfying (9) implies that $Q(y|x)/Q(y|x^{\prime})\leq e^{\varepsilon}$ .

For global differential privacy, we can generalize the definition of staircase mechanisms to hold for all neighboring database queries $x,x^{\prime}$ (or equivalently within some sensitivity), and recover all known existing optimal mechanisms. Precisely, the geometric mechanism shown to be optimal in Ghosh et al. (2012), and the mechanisms shown to be optimal in Geng and Viswanath (2012, 2013a) (also called staircase mechanisms) are special cases of the staircase mechanisms defined above. We believe that the characterization of these extremal mechanisms and the analysis techniques developed in this paper can be of independent interest to researchers interested in optimal mechanisms for global privacy and more general utilities.

2 Combinatorial representation of the staircase mechanisms

Now that we know that staircase mechanisms are optimal, we can try to combinatorially search for the best staircase mechanism for an instance of the function $\mu$ and a fixed $\varepsilon$ . To this end, we give a simple representation for all staircase mechanisms, exploiting the fact that they are scaled copies of a finite number of patterns.

Let $b_{j}$ be the $k$ -dimensional binary vector corresponding to the binary representation of $j$ for $j\leq 2^{k}-1$ . A matrix $S^{(k)}\in\{1,e^{\varepsilon}\}^{k\times 2^{k}}$ is called a staircase pattern matrix if the $j$ -th column of $S^{(k)}$ is $S^{(k)}_{j}=\left(e^{\varepsilon}-1\right)b_{j-1}+\textrm{{1}}$ , for $j\in\{1,\ldots,2^{k}\}$ . Each column of $S^{(k)}$ is a staircase pattern.

When $k=3$ , there are $2^{k}=8$ staircase patterns and the staircase pattern matrix is given by

For all values of $k$ , there are exactly $2^{k}$ such patterns, and any column $Q(y|\cdot)$ of $Q$ , a staircase mechanism, is a scaled version of one of the columns of $S^{(k)}$ . Using this pattern matrix, we can show that any staircase mechanism $Q$ can be represented as

where $\Theta={\rm diag}(\theta)$ is a $2^{k}\times 2^{k}$ diagonal matrix and $\theta$ is a $2^{k}$ -dimensional vector representing the scaling of the columns of $S^{(k)}$ . We can now formulate the problem of maximizing the utility as a linear program and prove their equivalence.

For any sublinear function $\mu$ and any $\varepsilon\geq 0$ , the nonlinear program of (8) and the following linear program have the same optimal value

and the optimal solutions are related by (10).

Thus, the infinite dimensional nonlinear program of (8) is now reduced to a finite dimensional linear program. The constraints in (11) ensure that we get a valid probability matrix $Q=S^{(k)}\Theta$ with rows that sum to one. One could potentially solve this LP with $2^{k}$ variables but its computational complexity scales exponentially in the alphabet size $k=|{\cal X}|$ . For practical values of $k$ this might not always be possible. However, in the following sections, we prove that in the high privacy regime ( $\varepsilon\leq\varepsilon^{*}$ for some positive $\varepsilon^{*}$ ), there is a single optimal mechanism, which we call the binary mechanism, which dominates over all other mechanisms in a very strong sense for all utility functions of practical interest.

In order to understand the above theorem, observe that both the objective function and differential privacy constraints are invariant under permutations (or relabelling) of the columns of a privatization mechanism $Q$ . In other words, shuffling the columns of an $\varepsilon$ -locally differentially private mechanism $Q$ results in a new $\varepsilon$ -locally differentially private mechanism $Q^{\prime}$ that achieves the same utility. Similarly, both the objective function and differential privacy constraints are invariant under merging/splitting of outputs with the same pattern. To be specific, consider a privatization mechanism $Q$ and suppose that there exist two outputs $y$ and $y^{\prime}$ that have the same pattern, i.e. $Q(y|\cdot)=C\,Q(y^{\prime}|\cdot)$ for some positive constant $C$ . Then, we can consider a new mechanism $Q^{\prime}$ by merging the two columns corresponding to $y$ and $y^{\prime}$ . Let $y^{\prime\prime}$ denote this new output. It follows that $Q^{\prime}$ satisfies the differential privacy constraints and the resulting utility is also preserved. Precisely, using the fact that $Q(y|\cdot)=C\,Q(y^{\prime}|\cdot)$ , it follows that

by the homogeneity property of $\mu$ . Therefore, we can naturally define equivalence classes for staircase mechanisms that are equivalent up to a permutation of columns and merging/splitting of columns with the same pattern:

To represent an equivalence class, we use a mechanism in $[Q]$ that is ordered and merged to match the patterns of the pattern matrix $S^{(k)}$ . For any staircase mechanism $Q$ , there exists a possibly different staircase mechanism $Q^{\prime}\in[Q]$ such that $Q^{\prime}=S^{(k)}\Theta$ for some diagonal matrix $\Theta$ with nonnegative entries. Therefore, to solve optimization problems of the form (8), we can restrict our attention to such representatives of equivalent classes. Further, for privatization mechanisms of the form $Q=S^{(k)}\Theta$ , the objective function takes the form $\sum_{j}\mu(S^{(k)}_{j})\theta_{j}$ , a simple linear function of $\Theta$ .

Hypothesis Testing

In this section, we study the fundamental tradeoff between local differential privacy and hypothesis testing. In this setting, there are $n$ individuals each with data $X_{i}$ sampled from a distribution $P_{\nu}$ for a fixed $\nu\in\{0,1\}$ . Let $Q$ be a non-interactive privatization mechanism guaranteeing $\varepsilon$ -local differential privacy. The output of the privatization mechanism $Y_{i}$ is distributed according to the induced marginal $M_{\nu}$ defined in (2). With a slight abuse of notation, we will use $M_{\nu}$ and $P_{\nu}$ to represent both probability distributions and probability mass functions. The power to discriminate data sampled from $P_{0}$ to data sampled from $P_{1}$ depends on the ‘distance’ between the marginals $M_{0}$ and $M_{1}$ . To measure the ability of such statistical discrimination, our choice of utility of a privatization mechanism $Q$ is an information theoretic quantity called Csiszár’s $f$ -divergence defined as

for some convex function $f$ such that $f(1)=0$ . The Kullback-Leibler (KL) divergence $D_{\rm kl}(M_{0}||M_{1})$ is a special case of $f$ -divergence with $f(x)=x\log x$ . The total variation distance $\|M_{0}-M_{1}\|_{\rm TV}$ is also special case with $f(x)=(1/2)|x-1|$ . Note that in general, the $f$ -divergence is not necessarily a distance metric since it need not be symmetric or satisfy triangular inequality. We are interested in characterizing the optimal solution to

where $\mathcal{D}_{\varepsilon}$ is the set of all $\varepsilon$ -locally differentially private mechanisms defined in (7).

A motivating example for this choice of utility is the Neyman-Pearson hypothesis testing framework (Cover and Thomas, 2012). Given the privatized views $\{Y_{i}\}_{i=1}^{n}$ , the data analyst wants to test whether they are generated from $M_{0}$ or $M_{1}$ . Let the null hypothesis be $H_{0}:\text{$ Y_{i} $'s are generated from }M_{0}$ , and the alternative hypothesis $H_{1}:\text{$ Y_{i} $'s are generated from }M_{1}$ . For a choice of rejection region $R\subseteq{\cal Y}^{n}$ , the probability of false alarm (type I error) is $\alpha=M_{0}^{n}(R)$ and the probability of miss detection (type II error) is $\beta=M_{1}^{n}({\cal Y}^{n}\setminus R)$ . Let $\beta^{\alpha^{*}}=\min_{R\subseteq{\cal Y}^{n},\alpha<\alpha^{*}}\beta$ denote the minimum type II error achievable while keeping the type I error rate at most $\alpha^{*}$ . According to Chernoff-Stein lemma (Cover and Thomas, 2012), we know that

Suppose the analyst knows $P_{0}$ , $P_{1}$ , and $Q$ . Then in order to achieve optimal asymptotic error rate, one would want to maximize the KL divergence of the induced marginals, over all $\varepsilon$ -locally differentially private mechanisms $Q$ . The results we present in this section (Theorems 5 and 8 to be precise) provide an explicit construction of optimal mechanisms in high and low privacy regimes. Using these optimality results, we prove a fundamental limit on the achievable error rates under differential privacy. Precisely, with data collected from an $\varepsilon$ -locally differentially privatization mechanism, one cannot achieve an asymptotic type II error smaller than

whenever $\varepsilon\leq\varepsilon^{*}$ , where $\varepsilon^{*}$ is dictated by Theorem 5 and $\delta>0$ is some arbitrarily small but positive constant. In the equation above, the second inequality follows from Pinsker’s inequality. Since $(e^{\varepsilon}-1)^{2}=O(\varepsilon^{2})$ for small $\varepsilon$ , the effective sample size is now reduced from $n$ to $\varepsilon^{2}n$ . This is the price of privacy. In the low privacy regime where $\varepsilon\geq\varepsilon^{*}$ , for $\varepsilon^{*}$ dictated by Theorem 8, one cannot achieve an asymptotic type II error smaller than

From the definition of $D_{f}(M_{0}||M_{1})$ , we have that

where $P_{\nu}^{T}Q_{y}=\sum_{{\cal X}}P_{\nu}\left(x\right)Q\left(y|x\right)$ and $\mu\left(Q_{y}\right)=(P_{1}^{T}Q_{y})f(P_{0}^{T}Q_{y}/P_{1}^{T}Q_{y})$ . For any $\gamma>0$ ,

Moreover, since the function $\phi(z,t)=tf\left(\frac{z}{t}\right)$ is convex in $(z,t)$ for $0\leq z,t\leq 1$ , then $\mu$ is convex in $Q_{y}$ . Convexity and homogeniety together imply sublinearlity. Therefore, Theorems 2 and 4 apply to $D_{f}(M_{0}||M_{1})$ and we have that staircases are optimal.

2 Optimality of the binary mechanism

For a given $P_{0}$ and $P_{1}$ , the binary mechanism is defined as a staircase mechanism with only two outputs $Y\in\{0,1\}$ satisfying (see Figure 2)

Although this mechanism is extremely simple, perhaps surprisingly, we will establish that it is the optimal mechanism when a high level of privacy is required. Intuitively, the output should be very noisy in the high privacy regime, and we are better off sending just one bit of information that tells you whether your data is more likely to have come from $P_{0}$ or $P_{1}$ .

For any pair of distributions $P_{0}$ and $P_{1}$ , there exists a positive $\varepsilon^{*}$ that depends on $P_{0}$ and $P_{1}$ such that for any $f$ -divergences and any positive $\varepsilon\leq\varepsilon^{*}$ , the binary mechanism maximizes the $f$ -divergence between the induced marginals over all $\varepsilon$ -locally differentially private mechanisms.

This implies that in the high privacy regime, which is a typical setting studied in much of the differential privacy literature, the binary mechanism is universally optimal for all $f$ -divergences. In particular this threshold $\varepsilon^{*}$ is universal, in that it does not depend on the particular choice of which $f$ -divergence we are maximizing. It is only a function of $P_{0}$ and $P_{1}$ . This is established by proving a very strong statistical dominance using Blackwell’s celebrated result on comparisons of statistical experiments Blackwell (1953). In a nutshell, we prove that any $\varepsilon$ -locally differentially private mechanism can be simulated from the output of the binary mechanism for sufficiently small $\varepsilon$ . Hence, the binary mechanism dominates over all other mechanisms and at the same time achieves the maximum divergence. A similar idea has been used previously in (Kairouz et al., 2013) to exactly characterize how much privacy degrades under composition attacks.

The optimality of binary mechanisms is not just for high privacy regimes. The next theorem shows that it is the optimal solution of (13) for all $\varepsilon$ , when the objective function is the total variation distance: $D_{f}(M_{0}||M_{1})=\|M_{0}-M_{1}\|_{\rm TV}$ .

For any pair of distributions $P_{0}$ and $P_{1}$ , and any $\varepsilon\geq 0$ , the binary mechanism maximizes the total variation distance between the induced marginals $M_{0}$ and $M_{1}$ among all $\varepsilon$ -locally differentially private mechanisms.

When maximizing the KL divergence between the induced marginals, we show that the binary mechanism still achieves good performance for $\varepsilon\leq C$ where $C$ is a constant that does not depend on $P_{0}$ and $P_{1}$ . For the special case of KL divergence, let ${\rm OPT}$ denote the maximum value of $\eqref{eq:optf}$ and ${\rm BIN}$ denote the KL divergence when the binary mechanism is used. The next theorem shows that

For any $\varepsilon$ and any pair of distributions $P_{0}$ and $P_{1}$ , the binary mechanism is an $1/(2(e^{\varepsilon}+1)^{2})$ approximation of the maximum KL divergence between the induced marginals $M_{0}$ and $M_{1}$ among all $\varepsilon$ -locally differentially private mechanisms.

Observe that $2(e^{\varepsilon}+1)^{2}\leq 32$ for $\varepsilon\leq 1$ . Therefore, for any $\varepsilon\leq 1$ , the simple binary mechanism is at most a constant factor away from the optimal mechanism.

3 Optimality of the randomized response mechanism

The randomized response mechanism (see Figure 2) is a staircase mechanism with ${\cal Y}={\cal X}$ satisfying

In other words, the randomized response is a simple randomization over the same alphabet where the true data is released with probability ${e^{\varepsilon}}/\left({|{\cal X}|-1+e^{\varepsilon}}\right)$ . We view it as a multiple choice generalization to the randomized response method proposed by Warner (1965). We now establish that for the special case of optimizing the KL divergence between the induced marginals, the randomized response mechanism is the optimal solution of (13) in the low privacy regime (i.e., $\varepsilon\geq\varepsilon^{*}$ for some threshold $\varepsilon^{*}$ that depends on $P_{0}$ and $P_{1}$ ).

There exists a positive $\varepsilon^{*}$ that depends on $P_{0}$ and $P_{1}$ such that for all $P_{0}$ and $P_{1}$ , and all $\varepsilon\geq\varepsilon^{*}$ , the randomized response mechanism maximizes the KL divergence between the induced marginals among all $\varepsilon$ -locally differentially private mechanisms.

The randomized response mechanism is particularly important because it does not depend on $P_{0}$ or $P_{1}$ . Thus, even if the data providers and analysts do not have access to the priors, they can still use the randomized response mechanism to achieve the optimal (or near-optimal) utility in the moderate to low privacy regimes.

4 Numerical experiments

For $100$ instances of randomly chosen $P_{0}$ and $P_{1}$ defined over an input alphabet of size $|{\cal X}|=6$ , we compare the average performance of the binary, randomized response, and geometric mechanisms to the average performance of the optimal staircase mechanism for various values of $\varepsilon$ . The optimal staircase mechanism is computed by solving the linear program in Equation (11) for each fixed pair $(P_{0},P_{1})$ and $\varepsilon$ . The left panel of Figure 3 shows the average performance measured by the normalized divergence $D_{\rm kl}(M_{0}||M_{1})/D_{\rm kl}(P_{0}||P_{1})$ for all 4 mechanisms. The average is taken over the 100 instances of $P_{0}$ and $P_{1}$ . In the low privacy (large $\varepsilon$ ) regime, the randomized response achieves optimal performance (which converges exponentially in $\varepsilon$ to 1) as predicted. In the high privacy regime (small $\varepsilon$ ), the binary mechanism achieves optimal performance (which converges quadratically in $\varepsilon$ to 0) as predicted. In all regimes, both the binary and randomized response mechanisms provide significant gains over the geometric mechanism.

To illustrate how much worse the binary and the randomized response mechanisms can be relative to the optimal staircase mechanism, we plot in the right panel of Figure 3 the divergence under each mechanism normalized by the divergence under the optimal mechanism. This is done for all 100 instances of $P_{0}$ and $P_{1}$ . In all instances, the binary mechanism is optimal for small $\varepsilon$ and the randomized response mechanism is optimal for large $\varepsilon$ . However, $D_{\rm kl}(M_{0}||M_{1})$ under the randomized response mechanism can be as bad as $10\%$ of the optimal one (for small $\varepsilon$ ). Similarly, $D_{\rm kl}(M_{0}||M_{1}))$ under the binary mechanism can be as bad as $25\%$ of the optimal one (for large $\varepsilon$ ). To overcome this issue, we propose the following simple strategy: use the better among these two mechanisms. The performance of this strategy is illustrated in Figure 4. For various input alphabet size $|{\cal X}|\in\{3,4,6,12\}$ , we plot the performance of this mixed strategy for each value of $\varepsilon$ and each of the $100$ randomly generated instances of $P_{0}$ and $P_{1}$ . This mixed strategy achieves at least $70\%$ for $|{\cal X}|=6$ (and $55\%$ for $|{\cal X}|=12$ ) of the optimal divergence for all instances. Figure 4 shows that this mixed strategy is not too sensitive to the size of the alphabet $k$ . Therefore, this strategy provides a good mechanism that can be readily used in practice for any value of $\varepsilon$ .

5 Lower bounds

In this section, we provide converse results on the fundamental limit of differentially private mechanisms; these results follow from our main theorems and are of independent interest in other applications where lower bounds in statistical analysis are studied (Beimel et al., 2008; Hardt and Talwar, 2010; Chaudhuri and Hsu, 2012; De, 2012). For example, a bound similar to (22) was used to provide converse results on the sample complexity for statistical estimation with differentially private data in Duchi et al. (2013).

For any $\varepsilon\geq 0$ , let $Q$ be any conditional distribution that guarantees $\varepsilon$ -local differential privacy. Then, for any pair of distributions $P_{0}$ , $P_{1}$ and any positive $\delta>0$ , there exists a positive $\varepsilon^{*}$ that depends on $P_{0}$ , $P_{1}$ and $\delta$ such that for any $\varepsilon\leq\varepsilon^{*}$ the induced marginals $M_{0}$ and $M_{1}$ satisfy the bound

This follows from Theorem 5 and observing that the binary mechanism achieves

where $T\subseteq{\cal X}$ is the set of $x$ such that $P_{0}(x)\geq P_{1}(x)$ . Compared to (Duchi et al., 2013, Theorem 1), we recover their bound of $4(e^{\varepsilon}-1)^{2}\|P_{0}-P_{1}\|_{\rm TV}^{2}$ with a smaller constant. We want to note that Duchi et al.’s bound holds for all values of $\varepsilon$ and uses a different technique of bounding the KL divergence directly, however no achievable mechanism has been provided. We instead provide an explicit mechanism, that is optimal in high privacy regime.

Similarly, in the low privacy regime, we can show the following converse result.

For any $\varepsilon\geq 0$ , let $Q$ be any conditional distribution that guarantees $\varepsilon$ -local differential privacy. Then, for any pair of distributions $P_{0}$ and $P_{1}$ and any positive $\delta>0$ , there exists a positive $\varepsilon^{*}$ that depends on $P_{0}$ and $P_{1}$ and $\delta$ such that for any $\varepsilon\geq\varepsilon^{*}$ the induced marginals $M_{0}$ and $M_{1}$ satisfy the bound

where $G(P_{0},P_{1})=\sum_{{\cal X}}(1-P_{0}(x))\log(P_{1}(x)/P_{0}(x))$ .

This follows directly from Theorem 8 and observing that the randomized response mechanism achieves $D_{\rm kl}(M_{0}||M_{1})=D_{\rm kl}(P_{0}||P_{1})-G(P_{0},P_{1})e^{-\varepsilon}+O(e^{-2\varepsilon})\;.$

Figure 5 illustrates the gap between the divergence achieved by the geometric mechanism described in the previous section and the optimal mechanisms (the binary mechanism for the high privacy regime and the randomized response mechanism for the low privacy regime). For each instance of the $100$ randomly generated $P_{0}$ and $P_{1}$ defined over input alphabets of size $k=6$ , we plot the resulting divergence $D_{\rm kl}(M_{0}||M_{1})$ as a function of $\|P_{0}-P_{1}\|_{\rm TV}$ for $\varepsilon=0.1$ , and as a function of $D_{\rm kl}(P_{0}||P_{1})$ for $\varepsilon=10$ . The binary and the randomized response mechanisms exhibit the scaling predicted by Equation (22) and (23), respectively.

Similarly, for total variation, we can get the following converse result.

For any $\varepsilon\geq 0$ , let $Q$ be any conditional distribution that guarantees $\varepsilon$ -local differential privacy. Then, for any pair of distributions $P_{0}$ and $P_{1}$ , the induced marginals $M_{0}$ and $M_{1}$ satisfy the bound $\big{\|}M_{0}-M_{1}\big{\|}_{\rm TV}\leq(({e^{\varepsilon}-1)}/({e^{\varepsilon}+1}))\,\big{\|}P_{0}-P_{1}\big{\|}_{\rm TV}\;,$ and equality is achieved by the binary mechanism.

This follows from Theorem 6 and explicitly computing the total variation achieved by the binary mechanism.

Information Preservation

In this section, we study the fundamental tradeoff between local privacy and mutual information. Consider a random variable $X$ distributed according to $P$ . The information content of $X$ is captured by information theoretic quantity called entropy

We are interested in releasing a differentially private version of $X$ represented by $Y$ . The random variable $Y$ should preserve the information content of $X$ as much as possible while meeting the local differential privacy constraints. Similar to the hypothesis testing setting, we will show that a variant of the binary mechanism is optimal in the high privacy regime and that the randomized response mechanism is optimal in the low privacy regime.

Let $Q$ be a non-interactive privatization mechanism guaranteeing $\varepsilon$ -local differential privacy. The output of the privatization mechanism $Y$ is distributed according to the induced marginal $M$ given by

for $S\subseteq{\cal Y}$ . With a slight abuse of notation, we will use $M$ and $P$ to represent both probability distributions and probability mass functions. The information content in $Y$ about $X$ is captured by the well celebrated information theoretic quantity called mutual information. The mutual information between $X$ and $Y$ is given by

Notice that $I\left(X;Y\right)\ \leq H\left(X\right)$ and $I\left(X;Y\right)$ is convex in $Q$ (Cover and Thomas, 2012). To preserve the information context of $X$ , we wish to choose a privatization mechanism $Q$ such that the mutual information between $X$ and $Y$ is maximized subject to differential privacy constraints. In other words, we are interested in characterizing the optimal solution to

where $\mathcal{D}_{\varepsilon}$ is the set of all $\varepsilon$ -locally differentially private mechanisms defined in (7). The above mutual information maximization problem can be thought of as a conditional entropy minimization problem since $I\left(X;Y\right)=H\left(X\right)-H\left(X|Y\right)$ .

From the definition of $I\left(X;Y\right)$ , we have that

where $P^{T}Q_{y}=\sum_{{\cal X}}P(x)Q\left(y|x\right)$ and $\mu\left(Q_{y}\right)=\sum_{{\cal X}}P\left(x\right)Q\left(y|x\right)\log\left(Q\left(y|x\right)/P^{T}Q_{y}\right)$ . Notice that $\mu\left(\gamma Q_{y}\right)=\gamma\mu\left(Q_{y}\right)$ , and by the log-sum inequality, $\mu$ is convex. Convexity and homogeneity together imply sublinearity. Therefore, Theorems 2 and 4 apply to $I\left(X;Y\right)$ and we have that staircase mechanisms are optimal.

2 Optimality of the binary mechanism

For a given $P$ , the binary mechanism for mutual information is a staircase mechanism with only two outputs $Y\in\{0,1\}$ (see Figure 2)

Observe that there are multiple valid choices for $T$ . Indeed, for any minimizing set $T$ , $T^{c}$ is also a minimizing set since $|P(T)-1/2|=|P(T^{c})-1/2|$ . When there are multiple pairs, any pair $(T,T^{c})$ can be chosen to define the binary mechanism. All valid binary mechanisms are equivalent from a utility maximization perspective.

In what follows, we will establish that this simple mechanism is optimal in the high privacy regime. Intuitively, in the high privacy regime, we cannot release more than one bit of information, and hence, the input alphabet is reduced to a binary output alphabet. In this case, it makes sense to partition the original alphabet ${\cal X}$ in a way that preserves the information content of $X$ as much as possible. Indeed, our choice of $T$ in Equation (30) maximizes the information contained in the released bit because $T\in\underset{A\subseteq{\cal X}}{\arg\max}|P(A)-1/2|=\underset{A\subseteq{\cal X}}{\arg\max}\big{(}-P(A)\log P(A)-P(A^{c})\log P(A^{c})\big{)}$ (see Section 9.1 for a proof).

For any distribution $P$ , there exists a positive $\varepsilon^{*}$ that depends on $P$ such that for any positive $\varepsilon\leq\varepsilon^{*}$ , the binary mechanism maximizes the mutual information between the input and the output of a privatization mechanism over all $\varepsilon$ -locally differentially private mechanisms.

This implies that in the high privacy regime, the binary mechanism is the optimal solution for (24).

Next, we show that the binary mechanism achieves near-optimal performance for all $({\cal X},P)$ and $\varepsilon\leq 1$ even when $\varepsilon^{*}<1$ . Let ${\rm OPT}$ denote the maximum value of $\eqref{eq:opti}$ and ${\rm BIN}$ denote the mutual information achieved by the binary mechanism given in (29). The next theorem shows that

For any $\varepsilon\leq 1$ and any distribution $P$ , the binary mechanism is an $(1+e^{\varepsilon})$ -approximation of the maximum mutual information between the input and the output of a privatization mechanism among all $\varepsilon$ -locally differentially private mechanisms.

Note that $1+e^{\varepsilon}\leq 4$ for $\varepsilon\leq 1$ which is a commonly studied regime in differential privacy applications. Therefore, we can always use the simple binary mechanism and the resulting mutual information is at most a constant factor away from the optimal value.

3 Optimality of the randomized response mechanism

In the low privacy regime ( $\varepsilon\geq\varepsilon^{*}$ ), the randomized response mechanism defined in(21) is optimal.

There exists a positive $\varepsilon^{*}$ that depends on $P$ such that for any distribution $P$ and all $\varepsilon\geq\varepsilon^{*}$ , the randomized response mechanism maximizes the mutual information between the input and the output of a privatization mechanism over all $\varepsilon$ -locally differentially private mechanisms.

Observe that the randomized response is not a function of $P$ . Therefore, it can be used even when the distribution $P$ is unknown.

4 Numerical experiments

For $100$ instances of randomly chosen $P$ defined over an input alphabet of size $|{\cal X}|=6$ , we compare the average performance of the binary, randomized response, and the geometric mechanisms to the average performance of the optimal mechanism. We plot (in Figure 6, left) the average performance measured by the normalized mutual information ${I\left(X;Y\right)}/{H\left(X\right)}$ for all 4 mechanisms. The average is taken over the 100 random instances of $P$ . In the low privacy (large $\varepsilon$ ) regime, the randomized response achieves optimal performance as predicted, which converges to one. In the high privacy regime (small $\varepsilon$ ), the binary mechanism achieves optimal performance as predicted. In all regimes, both mechanisms significantly improve over the geometric mechanism.

To illustrate how much worse the binary and randomized response mechanisms can be (relative to the optimal staircase mechanism), we plot (in Figure 6, right) the mutual information under each mechanism normalized by the mutual information under the optimal staircase mechanism. This is done for all 100 instances of $P$ . In all instances, the binary mechanism is optimal for small $\varepsilon$ and the randomized response mechanism is optimal for large $\varepsilon$ . However, $I\left(X;Y\right)$ under the randomized response mechanism can be as bad as $35\%$ of the optimal one (for small $\varepsilon$ ). Similarly, $I\left(X;Y\right)$ under the binary mechanism can be as bad as $40\%$ of the optimal one (for large $\varepsilon$ ).

For $|{\cal X}|\in\{3,4,6,12\}$ , we plot (in Figure 7) the performance of the better between the binary and randomized response mechanisms normalized by the optimal mechanism for all $100$ randomly generated instances of $P$ . This mixed strategy achieves at least $75\%$ for $|{\cal X}|=6$ (and $65\%$ for $|{\cal X}|=12$ ) of the optimal mutual infirmation for all instances of $P$ . Moreover, it is not sensitive to the size of the alphabet $|{\cal X}|$ .

5 Lower bounds

In this section, we provide converse results on the fundamental limit of locally differentially private mechanisms when utility is measured via mutual information.

For any $\varepsilon\geq 0$ , let $Q$ be any conditional distribution that guarantees $\varepsilon$ -local differential privacy. Then, for any distribution $P$ and any positive $\delta>0$ , there exists a positive $\varepsilon^{*}$ that depends on $P$ and $\delta$ such that for any $\varepsilon\leq\varepsilon^{*}$ the following bound holds

This follows from Theorem 12 (optimality of the binary mechanism) and observing that the binary mechanism achieves

Similarly, in the low privacy regime, we can show the following converse result.

This follows directly from Theorem 14 (optimality of the randomized response mechanism) and observing that the randomized response mechanism achieves

Figure 8 illustrates the gap between the mutual information achieved under the geometric and the optimal mechanisms (the binary mechanism for the high privacy regime and the randomized response mechanism for the low privacy regime). For each instance of the $100$ randomly generated $P$ over an input of size $k=6$ , we plot the resulting mutual information $I\left(X;Y\right)$ as a function of $P\left(T\right)P\left(T^{c}\right)$ for $\varepsilon=0.1$ , and as a function of $H\left(X\right)$ for $\varepsilon=10$ . The binary and the randomized response mechanisms exhibit the scaling predicted by Equations (31) and (32), respectively.

Generalizations to approximate differential privacy

In this section, we generalize the results of the previous sections in the following ways.

We consider the class of utility functions that obey the data processing inequality. Consider the composition of two privatization mechanisms $QW=Q\circ W$ where the output of the first mechanism $Q$ is applied to another mechanism $W$ . We say that a utility function $U(\cdot)$ obeys the data processing inequality if the following inequality holds for all $Q$ and $W$

The following proposition, proved in Section 10, shows that the class of utilities obeying the data processing inequality includes all the utility functions we studied in Section 2.

Any utility function that can be written in the form of $U\left(Q\right)=\sum_{{\cal Y}}\mu(Q_{y})$ , where $\mu$ is any sublinear function, obeys the data processing inequality.

We consider $\left(\varepsilon,\delta\right)$ -differential privacy which generalizes the notion of $\varepsilon$ -differential privacy. $\left(\varepsilon,\delta\right)$ -differential privacy is commonly referred to as approximate differential privacy and it was first introduced in Dwork et al. (2006a). For the release of a random variable $X\in{\cal X}$ , we say that a mechanism $Q$ is $\left(\varepsilon,\delta\right)$ -locally differentially private if

for all $S\subseteq{\cal Y}$ and all $x,x^{\prime}\in{\cal X}$ . Note that $\varepsilon$ -local differential privacy is a special case of $\left(\varepsilon,\delta\right)$ -local differential privacy where $\delta=0$ .

We prove that the quaternary mechanism, defined in Equation (38), is optimal for any $\varepsilon$ and any $\delta$ . This is different from the treatment conducted in the previous sections where we proved the optimality of the binary (randomized response) mechanism for sufficiently small (large) $\varepsilon$ and $\delta=0$ .

The treatment in this section, even though more general than the one in previous sections in the ways described above, holds only for binary alphabets (i.e., $|{\cal X}|=2$ ). Finding optimal privatization mechanisms under $(\varepsilon,\delta)$ -local differential privacy for larger input alphabets (i.e., $|{\cal X}|>2$ ) is an interesting open question. Unlike $\varepsilon$ -local differential privacy, the privacy constraints under $(\varepsilon,\delta)$ -local differential privacy no longer decompose into separate constraints on each output $y$ . This makes it difficult to generalize the techniques developed in previous sections of this paper. However, for the special case of binary input alphabets, we can prove the optimality of one mechanism for all values of $(\varepsilon,\delta)$ and all utility functions that obey the data processing inequality.

For a binary random variable $X\in{\cal X}=\{0,1\}$ , the quaternary mechanism maps $X$ to a quaternary random variable $Y\in{\cal Y}=\{0,1,2,3\}$ and is defined as

In other words, the quaternary mechanism passes $X$ unchanged with probability $\delta$ and applies the binary mechanism (defined in previous sections) with probability $1-\delta$ . The main result of this section can be stated formally as follows.

If $|{\cal X}|=2$ , then for any $\varepsilon$ , any $\delta$ , and any utility $U\left(Q\right)$ that obeys the data processing inequality, the quaternary mechanism maximizes $U\left(Q\right)$ subject to $Q\in\mathcal{D}_{(\varepsilon,\delta)}$ , the set of all $(\varepsilon,\delta)$ -locally differentially private mechanism.

It turns out that $\left(\varepsilon,\delta\right)$ -local differential privacy imposes the following conditions on the error region of all $\left(\varepsilon,\delta\right)$ -locally differentially private mechanisms

for any decision rule $\hat{X}$ . These two conditions define an error region $\mathcal{R}_{\varepsilon,\delta}$ shown in Figure 9(b). Interestingly, the next theorem shows that the converse result is also true.

A mechanism $Q$ is $\left(\varepsilon,\delta\right)$ -locally differentially private if and only if $\mathcal{R}_{Q}\subseteq\mathcal{R}_{\varepsilon,\delta}$ .

The proof of the above theorem can be found in Kairouz et al. (2013). Notice that it is no coincidence that $\mathcal{R}_{Q_{\rm QT}}=\mathcal{R}_{\varepsilon,\delta}$ . This property will be essential in proving the optimality of the quaternary mechanism.

Theorem 19 allows us to benefit from the data processing inequality (DPI) and its converse, which follows from a celebrated result by Blackwell (1953). These inequalities, while simple by themselves, lead to surprisingly strong technical results. Indeed, there is a long line of such a tradition in the information theory literature (see Chapter 17 of Cover and Thomas (2012)). Consider two privatization mechanisms, $Q^{(1)}$ and $Q^{(2)}$ . Let $Y$ and $Z$ denote the output of the mechanisms $Q^{(1)}$ and $Q^{(2)}$ , respectively. We say that $Q^{(1)}$ dominates $Q^{(2)}$ if there exists a coupling of $Y$ and $Z$ such that $X\text{--}Y\text{--}Z$ forms a Markov chain. In other words, we say $Q^{(1)}$ dominates $Q^{(2)}$ if there exists a stochastic mapping $Q$ such that $Q^{(2)}=Q^{(1)}\circ Q$ .

A mechanism $Q^{(1)}$ dominates a mechanism $Q^{(2)}$ if and only if $\mathcal{R}_{Q^{(2)}}\subseteq\mathcal{R}_{Q^{(1)}}$ .

The proof of the above theorem can be found in Blackwell (1953). Observe that by Theorems 20 and 19, and the fact that $\mathcal{R}_{Q_{\rm QT}}=\mathcal{R}_{\varepsilon,\delta}$ , the quaternary mechanism dominates any other differentially private mechanism. In other words, for any differentially private mechanism $Q$ , there exists a stochastic mapping $W$ such that $Q=W\circ Q_{\rm QT}$ . Therefore, for any $(\varepsilon,\delta)$ and any utility function $U(.)$ obeying the data processing inequality, we have that $U(Q)\leq U(Q_{\rm QT})$ . This finishes the proof of Theorem 18.

Discussion

In this paper, we have considered a broad class of convex utility functions and assumed a setting where individuals cannot collaborate (communicate with each other) before releasing their data. It turns out that the techniques developed in this work can be generalized to find optimal privatization mechanisms in a setting where different individuals can collaborate interactively and each individual can be an analyst (Kairouz et al., 2014b).

Binary hypothesis testing and information preservation are two canonical problems with a wide range of applications. However, there are a number of non-trivial and interesting extensions to our work.

Correlation among data. In some scenarios the $X_{i}$ ’s could be correlated (e.g., when different individuals observe different functions of the same random variable). In this case, the data analyst is interested in inferring whether the data was generated from $P^{n}_{0}$ or $P^{n}_{1}$ , where $P^{n}_{\nu}$ is one of two possible joint priors on $X_{1},...,X_{n}$ . This is a challenging problem because knowing $X_{i}$ reveals information about $X_{j}$ , $j\neq i$ . Therefore, the utility maximization problems for different individuals are coupled in this setting.

Robust and $m$ -ary hypothesis testing. In some cases the data analyst need not have access to $P_{0}$ and $P_{1}$ , but rather to two classes of prior distribution $P_{\theta_{0}}$ and $P_{\theta_{1}}$ for $\theta_{0}\in\Lambda_{0}$ and $\theta_{1}\in\Lambda_{1}$ . Such problems are studied under the rubric of universal hypothesis testing and robust hypothesis testing. One possible direction is to select the privatization mechanism that maximizes the worst case utility: $Q^{*}=\arg\max_{Q\in\mathcal{D}_{\varepsilon}}\min_{\theta_{0}\in\Lambda_{0},\theta_{1}\in\Lambda_{1}}D_{f}(M_{\theta_{0}}||M_{\theta_{1}})$ , where $M_{\theta_{\nu}}$ is the induced marginal under $P_{\theta_{\nu}}$ .

The more general problem of private $m$ -ary hypothesis testing is also an interesting but challenging one. In this setting, the $X_{i}$ ’s can follow one of $m$ distributions $P_{0}$ , $P_{1}$ , …, $P_{m-1}$ . Consequently, the $Y_{i}$ ’s can follow one of $m$ distributions $M_{0}$ , $M_{1}$ , …, $M_{m-1}$ . In this case, the utility can be defined as the average $f$ -divergence between any two distributions: $1/(m(m-1))\sum_{i\neq j}D_{f}(M_{i}||M_{j})$ , or the worst case one: $\min_{i\neq j}D_{f}(M_{i}||M_{j})$ .

Non-exchangeable utility functions. The utility studied in this paper was measured by functions that are exchangeable, i.e. the utility does not depend on the naming (labelling) or topology of the private and privatized data ( $X$ and $Y$ ). This made sense for statistical learning applications that depend on information theoretic quantities such as $f$ -divergences and mutual information. However, in some other applications, the utility might be defined over ${\cal X}\cup{\cal Y}$ in a metric space, where there exists a natural measure of distance (or distortion) between the data points. In this case, we can formulate the problem as a distortion minimization one

Proof of Theorems 2 and 4

We start the proof with a few definitions, a lemma, and a general result that applies to any convex utility function that obeys a mild assumption.

Naturally, one would expect that if we delete the zero columns of a privatization mechanism $Q^{(2)}$ to obtain a new privatization mechanism $Q^{(1)}$ , we would still get the same utility. This is because a “reasonable” utility function should not depend on output alphabets with zero probability.

If $U\left(Q\right)$ is a convex utility function that satisfies Assumption 1, then the following holds

We start the proof of Theorem 21 with an important lemma the proof of which is presented in Section 7.3.

2 Proof of Lemma 22

Proof Assume that $Q_{i_{1}j}=0$ and $Q_{i_{2}j}\neq 0$ for some $i_{1},i_{2}\in\{1,...,k\}$ . It is obvious that $q\left(y_{j}|x_{i_{2}}\right)\leq q\left(y_{j}|x_{i_{1}}\right)e^{\varepsilon}$ is not satisfied. Therefore, $Q$ is not a locally differentially private mechanism.

3 Proof of Lemma 23

Proof By definition, $Q$ is differentially private if for all $x$ , $x^{\prime}\in\mathcal{X}$ and all $B\subseteq\mathcal{Y}$ we have that $Q\left(B|x\right)\leq Q\left(B|x^{\prime}\right)e^{\varepsilon}$ . By choosing $B=\{y\}$ for some $y\in\mathcal{Y}$ the first direction of the above lemma is proven. In order to prove the other direction, assume that for all $x,x^{\prime}\in\mathcal{X}$ and all $y\in\mathcal{Y}$ we have that $Q\left(y|x\right)\leq Q\left(y|x^{\prime}\right)e^{\varepsilon}$ . Then for any $B\subseteq\mathcal{Y}$ , the following holds

Moreover, since $Q$ is a row stochastic matrix (a conditional distribution) it satisfies $Q\textrm{{1}}=\textrm{{1}}$ , where 1 represents the all ones vector of appropriate dimensions. This condition can be rewritten as

In what follows, the term linearly independent inequality constraints refers to linear independent rows of $A_{j}$ .

If $Q_{j}=0$ , then $k$ linearly independent inequality constraints are achieved with equality.

If $Q_{j}\neq 0$ , then at most $k-1$ linearly independent inequality constraints can be achieved with equality.

Proofs for Hypothesis Testing

Let $T=\left\{x:P_{0}(x)\geq P_{1}(x)\right\}$ . In other words, $P_{0}(T)-P_{1}(T)=\max_{A\subseteq\mathcal{X}}P_{0}(A)-P_{1}(A)$ . Recall that for a given $P_{0}$ and $P_{1}$ , the binary mechanism is defined as a staircase mechanism with only two outputs $y\in\{0,1\}$ satisfying

Moreover, the above upper and lower bounds are achieved by the binary mechanism given in (55).

Observe that because $P_{0}\left(T\right)\geq P_{1}\left(T\right)$ and $P_{0}\left(T^{c}\right)\leq P_{1}\left(T^{c}\right)$ , the direction of the above inequalities makes sense.

For any other mechanism satisfying the $\varepsilon$ -local differential privacy for $\varepsilon\leq\varepsilon^{*}$ , the above lemma implies that for any choice of the rejection region $S$ , the slopes satisfy $-{M}_{0}(S)/{M}_{1}(S)\geq-((e^{\varepsilon}-1)P_{0}(T)+1)/((e^{\varepsilon}-1)P_{1}(T)+1)$ and $-{M}_{0}(S^{c})/{M}_{1}(S^{c})\leq-((e^{\varepsilon}-1)P_{0}(T^{c})+1)/((e^{\varepsilon}-1)P_{1}(T^{c})+1)$ . In the hypothesis testing region, this implies that

From Theorem 2.5 of Kairouz et al. (2013), we know that this implies a certain Markov property. Precisely, let $Y_{\rm bin}$ denote the output of the binary mechanism, and $Y_{\rm dp}$ denote the output of any $\varepsilon$ -local differentially private mechanism. Then, it follows that there exists a coupling of $Y_{\rm bin}$ and $Y_{\rm dp}$ such that they form a Markov chain: $\nu$ – $Y_{\rm bin}$ – $Y_{\rm dp}$ , where $\nu$ is the hypothesis on $P_{\nu}$ whether the data was generated from $\nu=0$ or $\nu=1$ . Then, it follows from the data processing inequality of $f$ -divergences that

It follows that there is no algorithm with larger $f$ -divergence than the binary mechanism.

2 Proof of Lemma 24

We start by showing that the binary mechanism achieves the upper and lower bounds presented in the statement of the lemma. Let $M_{0}^{B}$ and $M_{1}^{B}$ denote the induced marginals under the binary mechanism given in (55). For $\nu\in\{0,1\}$ , we have that

Computing $M_{0}^{B}\left(0\right)/M_{1}^{B}\left(0\right)$ and $M_{0}^{B}\left(1\right)/M_{1}^{B}\left(1\right)$ we see that the binary mechanism achieves the upper and lower bounds for all values of $\varepsilon$ .

for all $y\in\mathcal{Y}$ and sufficiently small $\varepsilon$ . The above expression can be alternatively written as

Using the fact that $P_{0}\left(T\right)-P_{1}\left(T\right)>P_{0}\left(T_{j}\right)-P_{1}\left(T_{j}\right)$ for all $T_{j}\neq T$ , the inequality in (8.2) holds true for all $\varepsilon$ whenever $P_{0}\left(T\right)P_{1}\left(T_{j}\right)\geq P_{1}\left(T\right)P_{0}\left(T_{j}\right)$ . If $P_{0}\left(T\right)P_{1}\left(T_{j}\right)<P_{1}\left(T\right)P_{0}\left(T_{j}\right)$ , then the inequality in (8.2) holds true for all $\varepsilon\leq\varepsilon(j)$ , where

On the other hand, it is easy to verify that when $T_{j}=T$ , we have that

for all $y\in\mathcal{Y}$ and sufficiently small $\varepsilon$ . The above expression can be alternatively written as

Using the fact that $P_{0}\left(T\right)-P_{1}\left(T\right)>P_{1}\left(T_{j}\right)-P_{0}\left(T_{j}\right)$ for all $T_{j}\neq T^{c}$ , then for sufficiently small $\varepsilon$ , Equation (8.2) can be written as

This proves that there exists a positive $\varepsilon(j)$ such that the left hand side of Equation (8.2) is positive for all $\varepsilon\leq\varepsilon(j)$ . On the other hand, it is easy to verify that when $T_{j}=T^{c}$ , we have that

3 Proof of Theorem 6

The total variation (TV) distance $\|M_{0}-M_{1}\|_{\rm TV}$ is a special case of $f$ -divergence $D_{f}(M_{0}||M_{1})$ with $f(x)=\frac{1}{2}|x-1|$ . Therefore, by Theorem 4, we have that

where $\mu_{j}=\mu\left(S^{(k)}_{j}\right)=\frac{1}{2}\big{|}\sum_{i\in[k]}\left(P_{0}(x_{i})-P_{1}(x_{i})\right)S^{(k)}_{ij}\big{|}$ for $j\in\{1,\ldots,2^{k}\}$ and $S^{(k)}$ is the $k\times 2^{k}$ staircase pattern matrix given in Definition 3.

The polytope given by $S^{(k)}\theta=\textrm{{1}}$ and $\theta\geq 0$ is a closed and bounded one. Thus, there is no duality gap and solving the above linear program is equivalent to solving its dual

Note that any satisfiable solution $\alpha^{*}$ to (69) provides an upper bound to (68) since $\max\mu^{T}\theta=\min\textrm{{1}}^{T}\alpha\leq\textrm{{1}}^{T}\alpha^{*}$ . Let $T=\left\{x:P_{0}(x)\geq P_{1}(x)\right\}$ and $T_{j}=\{x_{i}:S^{(k)}_{ij}=e^{\varepsilon}\}$ for $j\in[2^{k}]$ . Consider the following choice of dual variable

We claim that $\alpha^{*}$ is a feasible dual variable for all values of $\varepsilon$ . In order to prove that $\alpha^{*}$ is a feasible dual variable, we show that ${S^{(k)}}^{T}_{j}\alpha^{*}-\mu_{j}\geq 0$ for all $j\in[2^{k}]$ and all $\varepsilon$ . For all $j\in[2^{k}]$ , we have that

Notice that we have arranged the equation such that all the summands are non-negative. Without loss of generality, we will assume that

From the equality $\sum_{x_{i}\in T}\left(P_{0}(x_{i})-P_{1}(x_{i})\right)=\sum_{x_{i}\in T^{c}}\left(P_{1}(x_{i})-P_{0}(x_{i})\right)$ and the fact that $S^{(k)}_{ij}\in\{1,e^{\varepsilon}\}$ for all $i$ and $j$ , it follows that

This is true because the right-hand side is minimized when the $S^{(k)}_{ij}$ ’s for $x_{i}\in T^{c}$ are all equal to 1 and the left-hand side is maximized when the $S^{(k)}_{ij}$ ’s for $x_{i}\in T$ are all equal to $e^{\varepsilon}$ . Now, (72) can be written as

where the last inequality follows from (73).

This establishes the satisfiability of $\alpha^{*}$ for all $\varepsilon$ which, in turn, shows that (71) is indeed an upper bound to the primal problem. It remains to show that this upper bound can be achieved via the binary mechanism. To this extent, recall that for a given $P_{0}$ and $P_{1}$ , the binary mechanism is defined as a staircase mechanism with only two outputs $y\in\{0,1\}$ satisfying

Computing the TV distance between $M_{0}$ and $M_{1}$ under (78), we get that

Hence, the binary mechanism in (78) achieves the upper bound in (71). This proves the optimality of the binary mechanism for all $\varepsilon$ .

4 Proof of Theorem 8

The Kullback-Leibler (KL) divergence $D_{\rm kl}(M_{0}||M_{1})$ is a special $f$ -divergence $D_{f}(M_{0}||M_{1})$ with $f(x)=x\log x$ . Therefore, by Theorem 4, we have that

where $\mu_{j}=\mu\left(S^{(k)}_{j}\right)=\sum_{i\in[k]}P_{0}(x_{i})S^{(k)}_{ij}\log\left(\frac{\sum_{i\in[k]}P_{0}(x_{i})S^{(k)}_{ij}}{\sum_{i\in[k]}P_{1}(x_{i})S^{(k)}_{ij}}\right)$ for $j\in\{1,\ldots,2^{k}\}$ and $S^{(k)}$ is the $k\times 2^{k}$ staircase pattern matrix given in Definition 3.

The polytope given by $S^{(k)}\theta=\textrm{{1}}$ and $\theta\geq 0$ is a closed and bounded one. Thus, there is no duality gap and solving the above linear program is equivalent to solving its dual

Note that any satisfiable solution $\alpha^{*}$ to (81) provides an upper bound to (80) since $\max\mu^{T}\theta=\min\textrm{{1}}^{T}\alpha\leq\textrm{{1}}^{T}\alpha^{*}$ . Let $T=\left\{x:P_{0}(x)\geq P_{1}(x)\right\}$ and $T_{j}=\{x_{i}:S^{(k)}_{ij}=e^{\varepsilon}\}$ for $j\in[2^{k}]$ . Set $j_{i}=\{j:T_{j}=x_{i}\}$ for $i\in[k]$ , and consider the following choice of dual variable

for $i\in[k]$ . Observe that since $T_{j_{i}}=x_{i}$ we have that $P_{\nu}\left(T_{j_{i}}\right)=P_{\nu}\left(x_{i}\right)$ and since

We claim that $\alpha^{*}$ is a feasible dual variable for sufficiently large $\varepsilon$ . In order to prove that $\alpha^{*}$ is a feasible dual variable, we show that ${S^{(k)}}^{T}_{j}\alpha^{*}-\mu_{j}\geq 0$ for all $j\in[2^{k}]$ for all $\varepsilon\geq\varepsilon^{*}$ , where $\varepsilon^{*}$ is a positive quantity that depends on the priors $P_{0}$ and $P_{1}$ . Using the facts that

Assume, to begin with, that $j\neq\{j_{1},j_{2},...,j_{k}\}$ . Then

Notice that for $j\neq\{j_{1},j_{2},...,j_{k}\}$ , $P_{0}\left(T_{j}\right)\log\frac{P_{0}\left(T_{j}\right)}{P_{1}\left(T_{j}\right)}>\sum_{x_{i}\in T_{j}}P_{0}\left(x_{i}\right)\log\frac{P_{0}\left(x_{i}\right)}{P_{1}\left(x_{i}\right)}$ by the log-sum inequality. Therefore, there exists a $\varepsilon(j)>0$ such that ${S^{(k)}}^{T}_{j}\alpha^{*}-\mu_{j}\geq 0$ for all $\varepsilon\geq\varepsilon(j)$ . If $j\in\{j_{1},j_{2},...,j_{k}\}$ , it is not hard to check that ${S^{(k)}}^{T}_{j}\alpha^{*}-\mu_{j}=0$ for all $\varepsilon$ . In this case, set $\varepsilon(j)=0$ . This establishes the satisfiability of $\alpha^{*}$ for all $\varepsilon\geq\varepsilon^{*}=\max_{j\in[2^{k}]}\varepsilon(j)$ . The satisfiability of $\alpha^{*}$ , in turn, shows that (84) is indeed an upper bound to the primal problem. It remains to show that this upper bound can be achieved via the randomized response. To this extent, recall that the randomized response is given by

Computing the KL divergence between $M_{0}$ and $M_{1}$ under (91), we get that

Hence, the randomized response in (91) achieves the upper bound in (84). This proves the optimality of the randomized response for all $\varepsilon\geq\varepsilon^{*}$ .

5 Proof of Theorem 7

We start the proof with a fundamental bound on the symmetrized KL divergence between the $M_{0}$ and $M_{1}$ .

For any $\varepsilon\geq 0$ , let $Q$ be any conditional distribution that guarantees $\varepsilon$ differential privacy. Then for any pair of distributions $P_{0}$ and $P_{1}$ , the induced marginals $M_{0}$ and $M_{1}$ must satisfy the bound

The above lemma appears as Theorem 1 in Duchi et al. (2013). By Lemma 25, we have that

Let $M_{0}^{B}$ and $M_{1}^{B}$ be the marginals obtained by using the binary mechanism given in (18). By Corollary 11, we have that $\|M_{0}^{B}-M_{1}^{B}\|_{\rm TV}=\frac{e^{\varepsilon}-1}{e^{\varepsilon}+1}\|P_{0}-P_{1}\big{\|}_{\rm TV}$ . Consequently, by applying Pinsker’s inequality to the KL divergence between $M_{0}^{B}$ and $M_{1}^{B}$ we get that

Combining (94) and (95) we get that ${\rm BIN}\geq\frac{1}{2(e^{\varepsilon}+1)^{2}}{\rm OPT}$ which was to be shown.

Proofs for Information Preservation

where $\mu_{j}=\mu\left(S^{(k)}_{j}\right)=\sum_{i\in[k]}P\left(x_{i}\right)S^{(k)}_{ij}\log\left(\frac{S^{(k)}_{ij}}{\sum_{i\in[k]}P\left(x_{i}\right)S^{(k)}_{ij}}\right)$ for $j\in\{1,\ldots,2^{k}\}$ and $S^{(k)}$ is the $k\times 2^{k}$ staircase pattern matrix given in Definition 3. The polytope given by $S^{(k)}\theta=\textrm{{1}}$ and $\theta\geq 0$ is a closed and bounded one. Thus, there is no duality gap and solving the above linear program is equivalent to solving its dual

Note that any satisfiable solution $\alpha^{*}$ to (97) provides an upper bound to (96) since $\max\mu^{T}\theta=\min\textrm{{1}}^{T}\alpha\leq\textrm{{1}}^{T}\alpha^{*}$ . Let $T_{j}=\{x_{i}:S^{(k)}_{ij}=e^{\varepsilon}\}$ and set $j_{1}=\{j:T_{j}=T\}$ and $j_{2}=\{j:T_{j}=T^{c}\}$ . Consider the following choice of dual variable

Observe that since $T_{j_{1}}=T$ , $T_{j_{2}}=T^{c}$ , and

We claim that $\alpha^{*}$ is a feasible dual variable for sufficiently small $\varepsilon$ . In order to prove that $\alpha^{*}$ is a feasible dual variable, we show that $\left({S^{(k)}}^{T}\alpha^{*}\right)_{j}-\mu_{j}\geq 0$ for all $j\in\{1,\ldots,2^{k}\}$ and all $\varepsilon\leq\varepsilon^{*}$ , where $\varepsilon^{*}$ is a positive quantity that depends on $P$ . Using the following facts

where we have used the facts that $T_{j_{1}}=T$ , $T_{j_{2}}=T^{c}$ , and

Let $f(z)=|z-\frac{1}{2}|$ , $g(z)=-z\log z-(1-z)\log(1-z)$ , and $h(z)=z(1-z)$ for $0\leq z\leq 1$ . On the one hand, $g$ and $h$ are monotonically increasing over $0\leq z\leq\frac{1}{2}$ and monotonically decreasing over $\frac{1}{2}\leq z\leq 1$ but on the other hand, $f$ is monotonically decreasing over $0\leq z\leq\frac{1}{2}$ and monotonically increasing over $\frac{1}{2}\leq z\leq 1$ . Therefore,

Since the set $T$ was chosen so that it maximizes $P\left(T\right)P\left(T^{c}\right)$ , we have that $P\left(T\right)P\left(T^{c}\right)\geq P\left(T_{j}\right)P\left(T^{c}_{j}\right)$ for all $j\in\{1,\ldots,2^{k}\}$ . Assume, to begin with, that $j\neq\{j_{1},j_{2}\}$ . Then by the uniqueness of the maximizer assumption stated in the theorem, we have that $P\left(T\right)P\left(T^{c}\right)>P\left(T_{j}\right)P\left(T^{c}_{j}\right)$ .

and thus, there exists an $\varepsilon^{*}$ that depends on $P$ such that $\left({S^{(k)}}^{T}\alpha^{*}\right)_{j}-\mu_{j}\geq 0$ for all $\varepsilon\leq\varepsilon^{*}$ . If $j=\{j_{1},j_{2}\}$ , it is not hard to check that $\left({S^{(k)}}^{T}\alpha^{*}\right)_{j}-\mu_{j}=0$ for all $\varepsilon$ . This establishes the satisfiability of $\alpha^{*}$ for all $\varepsilon\leq\varepsilon^{*}$ which proves an upper bound on the primal problem (given in (100)). It remains to show that the upper bound can be indeed achieved via the binary mechanism. To this extent, recall that the binary mechanism is given by

Computing the $I\left(X;Y\right)$ under (111), we get that

Hence, the binary mechanism in (111) achieves the upper bound in (100). This proves the optimality of the binary mechanism for all $\varepsilon\leq\varepsilon^{*}$ .

2 Proof of Theorem 13

We start by proving an upper bound on $\max_{Q\in\mathcal{D}_{\varepsilon}}I\left(X;Y\right)$ which is tight for $\varepsilon\leq 1$ . Recall that by Theorem 4, we have that

$T_{j}=\{i:S^{(k)}_{ij}=e^{\varepsilon}\}$ , and $S^{(k)}$ is the $k\times 2^{k}$ staircase pattern matrix given in Definition 3.

For all distributions $P$ and all $\varepsilon$ , the following bound holds

The proof of this lemma is given in Section 9.3. In what follows, we will make the dependency of $\mu_{j}$ on $P\left(T_{j}\right)$ and $\varepsilon$ explicit by writing $\mu_{j}\left(P\left(T_{j}\right),\varepsilon\right)$ for $\mu_{j}$ . From the proof of Theorem 12, we have that the partition set $T$ defined in (30) is given by $T\in\arg\max_{A\subseteq{\cal X}}P(A)P(A^{c})$ . It is easy to check that the binary mechanism given in (29) achieves the following utility

For all distributions $P$ and all $\varepsilon\leq 1$ , the following bound holds

The proof of the above lemma is given in Section 9.4. Combining the results of lemmas 26 and 27 we get that

for all $\varepsilon\leq 1$ . This concludes the proof.

3 Proof of Lemma 26

To begin with, since $S^{(k)}_{1}=\textrm{{1}}=\frac{1}{e^{\varepsilon}}S^{(k)}_{2^{k}}$ and $\mu$ is homogenous, we have that $\theta_{1}\mu_{1}+\theta_{2^{k}}\mu_{2^{k}}=\left(\frac{1}{e^{\varepsilon}}\theta_{1}+\theta_{2^{k}}\right)\mu_{2^{k}}$ . Therefore, the following two maximization problems are equivalent

Consider the following choice of dual variable $\alpha^{*}_{i}=\frac{1}{e^{\varepsilon}+k-1}$ . We claim that $\alpha^{*}$ is satisfiable. This can be easily verified by noting that

where the last inequality holds since $|T_{j}|\geq 1$ (this is true because we have deleted the first column of $S^{(k)}$ ). Therefore, ${\rm OPT}\leq\left(\max_{j}\mu_{j}\right)\textrm{{1}}^{T}\alpha^{*}=\left(\max_{j}\mu_{j}\right)\frac{k}{e^{\varepsilon}+k-1}$ which was to be shown.

4 Proof of Lemma 27

Let $\mu\left(z,\varepsilon\right)$ be the function obtained by replacing $P\left(T_{j}\right)$ by the continuous variable $z\in$ in $\mu_{j}\left(P\left(T_{j}\right),\varepsilon\right)$ . Taking the derivative of $\mu\left(z,\varepsilon\right)$ with respect to $z$ we get

Observe that $\mu^{\prime}\left(z,\varepsilon\right)>0$ for all

$\mu^{\prime}\left(z,\varepsilon\right)<0$ for all $z>z^{*}(\varepsilon)$ , and $\mu^{\prime}\left(z,\varepsilon\right)=0$ for $z=z^{*}(\varepsilon)$ . Combining this with the fact that $\mu\left(0,\varepsilon\right)=\mu\left(1,\varepsilon\right)=0$ we get that $\mu\left(z,\varepsilon\right)\geq 0$ for all $z\in$ and for any fixed $\varepsilon$ , $\mu\left(z,\varepsilon\right)$ is maximized at $z^{*}(\varepsilon)$ .

Set $x^{*}\in\arg\max_{x\in{\cal X}}P\left(x\right)$ and fix an $\varepsilon\leq 1$ . We will treat the following three cases separately.

Case 1: $P(x^{*})\in[1-z^{*}(\varepsilon),1]$ .

Let $T=\{x^{*}\}$ . Then $\{T,T^{c}\}=\arg\max_{A\subseteq{\cal X}}P(A)P(A^{c})$ and $\max_{A\subseteq{\cal X}}\mu(P(A),\varepsilon)=\max\left(\mu(P(T),\varepsilon),\mu(P(T^{c}),\varepsilon)\right)$ .

Proof Observe that $z^{*}(\varepsilon)\leq\frac{1}{2}$ for all $\varepsilon$ and $T^{c}={\cal X}\setminus\{x^{*}\}$ . The function $f(z)=z(1-z)$ decreases over the range $[\frac{1}{2},1]\supseteq[1-z^{*}(\varepsilon),1]$ . Thus, for all $A\supset T$ , $P(T)P(T^{c})>P(A)P(A^{c})$ because $P(T)\geq 1-z^{*}(\varepsilon)$ . This proves that $T\in\arg\max_{A\subseteq{\cal X}}P(A)P(A^{c})$ and for all $A\supset T$ , $A\notin\arg\max_{A\subseteq{\cal X}}P(A)P(A^{c})$ . Using a similar approach, we can show that $T^{c}\in\arg\max_{A\subseteq{\cal X}}P(A)P(A^{c})$ and for all $A\subset T^{c}$ , $A\notin\arg\max_{A\subseteq{\cal X}}P(A)P(A^{c})$ . Therefore, $\{T,T^{c}\}=\arg\max_{A\subseteq{\cal X}}P(A)P(A^{c})$ . This proves the first part of the claim. The function $\mu\left(z,\varepsilon\right)$ increases over the range $[0,z^{*}(\varepsilon)]$ . Thus, for all $A\subseteq T^{c}$ , $\mu(P(A),\varepsilon)\leq\mu(P(T^{c}),\varepsilon)$ because $P(T^{c})\leq z^{*}(\varepsilon)$ . On the other hand, note that $\mu\left(z,\varepsilon\right)$ decreases over the range $[z^{*}(\varepsilon),1]$ which includes the range $[1-z^{*}(\varepsilon),1]$ . Thus, for all $A$ such that $A\supseteq T$ , $\mu(P(A),\varepsilon)\leq\mu(P(T),\varepsilon)$ because $P(T)\geq 1-z^{*}(\varepsilon)$ . This proves that $\max\left(\mu(P(T),\varepsilon),\mu(P(T^{c}),\varepsilon)\right)=\max_{A\subseteq{\cal X}}\mu(P(A),\varepsilon)$ . Using the above claim, we can conclude that the partition set $T$ defined in (30) is equal to $\{x^{*}\}$ and

Case 2: $P(x^{*})\in[\frac{1}{2},1-z^{*}(\varepsilon)]$ . Using the first part of the proof of Claim 4, we can show that if $T=\{x^{*}\}$ , then $\{T,T^{c}\}=\arg\max_{A\subseteq{\cal X}}P(A)P(A^{c})$ . Therefore, the partition set $T$ defined in (30) is equal to $\{x^{*}\}$ and

There exists a set $A\subset{\cal X}$ such that $\frac{1}{2}-P(x^{*})\leq P(A)\leq\frac{1}{2}$ .

Proof Without loss of generality, assume that the sequence $P(x_{i})$ , $i\in[k]$ , is sorted in increasing order. Let $l^{*}=\min\{l:\sum_{i=1}^{l}P(x_{i})\geq\frac{1}{2}\}$ . From the definition of $l^{*}$ , $P(\{x_{1},\ldots,x_{l^{*}-1}\})<\frac{1}{2}$ and $P(\{x_{1},\ldots,x_{l^{*}}\})\geq\frac{1}{2}$ . Further,

and since $x^{*}\in\arg\max_{x\in{\cal X}}P\left(x\right)$ , $P(x_{l^{*}})\leq P(x^{*})$ . Therefore, if $A=\{x_{1},\ldots,x_{l^{*}-1}\}$ , then $\frac{1}{2}-P(x^{*})\leq P(A)\leq\frac{1}{2}$ .

Let $P(T)=\min\{P(B):B\in\arg\max_{A\subseteq{\cal X}}P(A)P(A^{c})\}$ . We claim that $\frac{1}{4}\leq P(T)\leq\frac{1}{2}$ . The upper bound on $P(T)$ follows immediately from its definition. To prove the lower bound on $P(T)$ , consider the set $A$ given in Claim 5 and observe that

All the inequalities follow from Claim 5 and the fact that $P(x^{*})\in[0,\frac{1}{2}]$ .

Since $\frac{1}{4}\leq P(T)\leq\frac{1}{2}$ , we have that $\frac{1}{2}\leq P(T^{c})\leq\frac{3}{4}$ . Moreover, the function $\mu\left(z,\varepsilon\right)$ decreases over the range $[z^{*}(\varepsilon),1]\supset[\frac{1}{2},\frac{3}{4}]$ and increases over the range $[\frac{1}{4},z^{*}(\varepsilon)]$ . Therefore, $\mu\left(P(T^{c}),\varepsilon\right)\geq\mu\left(\frac{3}{4},\varepsilon\right)$ and $\mu\left(P(T),\varepsilon\right)\geq\min\left(\mu\left(\frac{1}{2},\varepsilon\right),\mu\left(\frac{1}{4},\varepsilon\right)\right)$ . Putting it all together, we have that

5 Proof of Theorem 14

Note that any satisfiable solution $\alpha^{*}$ to (128) provides an upper bound to (127) since $\max\mu^{T}\theta=\min\textrm{{1}}^{T}\alpha\leq\textrm{{1}}^{T}\alpha^{*}$ . Let $T_{j}=\{x_{i}:S^{(k)}_{ij}=e^{\varepsilon}\}$ and set $j_{i}=\{j:T_{j}=i\}$ for $i\in\{1,\ldots,k\}$ . Consider the following choice of dual variable

for $i\in\{1,\ldots,k\}$ . Observe that since $T_{j_{i}}=i$ we have that $P\left(T_{j_{i}}\right)=P\left(x_{i}\right)$ and since

We claim that $\alpha^{*}$ is a feasible dual variable for sufficiently large $\varepsilon$ . In order to prove that $\alpha^{*}$ is a feasible dual variable, we show that $\left({S^{(k)}}^{T}\alpha^{*}\right)_{j}-\mu_{j}\geq 0$ for all $j\in\{1,\ldots,2^{k}\}$ and all $\varepsilon\geq\varepsilon^{*}$ , where $\varepsilon^{*}$ is a positive quantity that depends on $P$ . Using the fact that

Assume, to begin with, that $j\neq\{j_{1},j_{2},...,j_{k}\}$ . Then

Notice that for $j\neq\{j_{1},j_{2},...,j_{k}\}$ , $P\left(T_{j}\right)\log P\left(T_{j}\right)>\sum_{i\in T_{j}}P\left(x_{i}\right)\log P\left(x_{i}\right)$ . Therefore, there exists an $\varepsilon^{*}>0$ such that $\left({S^{(k)}}^{T}\alpha^{*}\right)_{j}-\mu_{j}\geq 0$ for all $\varepsilon\geq\varepsilon^{*}$ . If $j\in\{j_{1},j_{2},...,j_{k}\}$ , it is not hard to check that $\left({S^{(k)}}^{T}\alpha^{*}\right)_{j}-\mu_{j}=0$ for all $\varepsilon$ . This establishes the satisfiability of $\alpha^{*}$ for all $\varepsilon\geq\varepsilon^{*}$ . It remains to show that the upper bound can be indeed achieved via the randomized response mechanism. To this extent, recall that the randomized response is given by

Computing the $I\left(X;Y\right)$ under (138), we get that

Hence, the randomized response mechanism achieves the upper bound (131). This proves the optimality of the randomized response for all $\varepsilon\geq\varepsilon^{*}$ .

Proof of Proposition 17

where the inequality follows from sublinearity and the second to last equality follows from the row stochastic property of $W$ . Therefore, $U\left(Q\right)$ obeys the data processing inequality.

This research is supported in part by NSF CISE award CCF-1422278, NSF SaTC award CNS-1527754, NSF CMMI award MES-1450848 and NSF ENG award ECCS-1232257.

Introduction

2 Information theoretic utilities for statistical analysis

3 Our contributions

4 Related work

5 Organization

Main Results

2 Combinatorial representation of the staircase mechanisms

Hypothesis Testing

2 Optimality of the binary mechanism

3 Optimality of the randomized response mechanism

4 Numerical experiments

5 Lower bounds

Information Preservation

2 Optimality of the binary mechanism

3 Optimality of the randomized response mechanism

4 Numerical experiments

5 Lower bounds

Generalizations to approximate differential privacy

Discussion

Proof of Theorems 2 and 4

2 Proof of Lemma 22

3 Proof of Lemma 23

Proofs for Hypothesis Testing

2 Proof of Lemma 24

3 Proof of Theorem 6

4 Proof of Theorem 8

5 Proof of Theorem 7

Proofs for Information Preservation

2 Proof of Theorem 13

3 Proof of Lemma 26

4 Proof of Lemma 27

5 Proof of Theorem 14

Proof of Proposition 17

References