Generalization in Adaptive Data Analysis and Holdout Reuse

Cynthia Dwork, Vitaly Feldman, Moritz Hardt, Toniann Pitassi, Omer Reingold, Aaron Roth

Introduction

The goal of machine learning is to produce hypotheses or models that generalize well to the unseen instances of the problem. More generally, statistical data analysis is concerned with estimating properties of the underlying data distribution, rather than properties that are specific to the finite data set at hand. Indeed, a large body of theoretical and empirical research was developed for ensuring generalization in a variety of settings. In this work, it is commonly assumed that each analysis procedure (such as a learning algorithm) operates on a freshly sampled dataset – or if not, is validated on a freshly sampled holdout (or testing) set.

Unfortunately, learning and inference can be more difficult in practice, where data samples are often reused. For example, a common practice is to perform feature selection on a dataset, and then use the features for some supervised learning task. When these two steps are performed on the same dataset, it is no longer clear that the results obtained from the combined algorithm will generalize. Although not usually understood in these terms, “Freedman’s paradox” is an elegant demonstration of the powerful (negative) effect of adaptive analysis on the same data [Fre83]. In Freedman’s simulation, variables with significant tt-statistic are selected and linear regression is performed on this adaptively chosen subset of variables, with famously misleading results: when the relationship between the dependent and explanatory variables is non-existent, the procedure overfits, erroneously declaring significant relationships.

Most of machine learning practice does not rely on formal guarantees of generalization for learning algorithms. Instead a dataset is split randomly into two (or sometimes more) parts: the training set and the testing, or holdout, set. The training set is used for learning a predictor, and then the holdout set is used to estimate the accuracy of the predictor on the true distributionAdditional averaging over different partitions is used in cross-validation.. Because the predictor is independent of the holdout dataset, such an estimate is a valid estimate of the true prediction accuracy (formally, this allows one to construct a confidence interval for the prediction accuracy on the data distribution). However, in practice the holdout dataset is rarely used only once, and as a result the predictor may not be independent of the holdout set, resulting in overfitting to the holdout set [Reu03, RF08, CT10]. One well-known reason for such dependence is that the holdout data is used to test a large number of predictors and only the best one is reported. If the set of all tested hypotheses is known and independent of the holdout set, then it is easy to account for such multiple testing or use the more sophisticated approach of Ng [Ng97].

However such static approaches do not apply if the estimates or hypotheses tested on the holdout are chosen adaptively: that is, if the choice of hypotheses depends on previous analyses performed on the dataset. One prominent example in which a holdout set is often adaptively reused is hyperparameter tuning (e.g.[DFN07]). Similarly, the holdout set in a machine learning competition, such as the famous ImageNet competition, is typically reused many times adaptively. Other examples include using the holdout set for feature selection, generation of base learners (in aggregation techniques such as boosting and bagging), checking a stopping condition, and analyst-in-the-loop decisions. See [Lan05] for a discussion of several subtle causes of overfitting.

The concrete practical problem we address is how to ensure that the holdout set can be reused to perform validation in the adaptive setting. Towards addressing this problem we also ask the more general question of how one can ensure that the final output of adaptive data analysis generalizes to the underlying data distribution. This line of research was recently initiated by the authors in [DFH+14], where we focused on the case of estimating expectations of functions from i.i.d. samples (these are also referred to as statistical queries). They show how to answer a large number of adaptively chosen statistical queries using techniques from differential privacy [DMNS06](see Sec. 1.3 and Sec. 2.2 for more details).

We propose a simple and general formulation of the problem of preserving statistical validity in adaptive data analysis. We show that the connection between differentially private algorithms and generalization from [DFH+14] can be extended to this more general setting, and show that similar (but sometimes incomparable) guarantees can be obtained from algorithms whose outputs can be described by short strings. We then define a new notion, approximate max-information, that unifies these two basic techniques and gives a new perspective on the problem. In particular, we give an adaptive composition theorem for max-information, which gives a simple way to obtain generalization guarantees for analyses in which some of the procedures are differentially private and some have short description length outputs. We apply our techniques to the problem of reusing the holdout set for validation in the adaptive setting.

We describe a simple and general method, together with two specific instantiations, for reusing a holdout set for validating results while provably avoiding overfitting to the holdout set. The analyst can perform any analysis on the training dataset, but can only access the holdout set via an algorithm that allows the analyst to validate her hypotheses against the holdout set. Crucially, our algorithm prevents overfitting to the holdout set even when the analyst’s hypotheses are chosen adaptively on the basis of the previous responses of our algorithm.

Our first algorithm, referred to as Thresholdout, derives its guarantees from differential privacy and the results in [DFH+14, NS15]. For any function ϕ:X\phi:\mathcal{X}\rightarrow given by the analyst, Thresholdout uses the holdout set to validate that ϕ\phi does not overfit to the training set, that is, it checks that the mean value of ϕ\phi evaluated on the training set is close to the mean value of ϕ\phi evaluated on the distribution P\mathcal{P} from which the data was sampled. The standard approach to such validation would be to compute the mean value of ϕ\phi on the holdout set. The use of the holdout set in Thresholdout differs from the standard use in that it exposes very little information about the mean of ϕ\phi on the holdout set: if ϕ\phi does not overfit to the training set, then the analyst receives only the confirmation of closeness, that is, just a single bit. On the other hand, if ϕ\phi overfits then Thresholdout returns the mean value of ϕ\phi on the training set perturbed by carefully calibrated noise.

Using results from [DFH+14, NS15] we show that for datasets consisting of i.i.d. samples these modifications provably prevent the analyst from constructing functions that overfit to the holdout set. This ensures correctness of Thresholdout’s responses. Naturally, the specific guarantees depend on the number of samples nn in the holdout set. The number of queries that Thresholdout can answer is exponential in nn as long as the number of times that the analyst overfits is at most quadratic in nn.

Our second algorithm SparseValidate is based on the idea that if most of the time the analyst’s procedures generate results that do not overfit, then validating them against the holdout set does not reveal much information about the holdout set. Specifically, the generalization guarantees of this method follow from the observation that the transcript of the interaction between a data analyst and the holdout set can be described concisely. More formally, this method allows the analyst to pick any Boolean function of a dataset ψ\psi (described by an algorithm) and receive back its value on the holdout set. A simple example of such a function would be whether the accuracy of a predictor on the holdout set is at least a certain value α\alpha. (Unlike in the case of Thresholdout, here there is no need to assume that the function that measures the accuracy has a bounded range or even Lipschitz, making it qualitatively different from the kinds of results achievable subject to differential privacy). A more involved example of validation would be to run an algorithm on the holdout dataset to select an hypothesis and check if the hypothesis is similar to that obtained on the training set (for any desired notion of similarity). Such validation can be applied to other results of analysis; for example one could check if the variables selected on the holdout set have large overlap with those selected on the training set. An instantiation of the SparseValidate algorithm has already been applied to the problem of answering statistical (and more general) queries in the adaptive setting [BSSU15]. We describe the formal guarantees for SparseValidate in Section 4.2.

In Section 5 we describe a simple experiment on synthetic data that illustrates the danger of reusing a standard holdout set, and how this issue can be resolved by our reusable holdout. The design of this experiment is inspired by Freedman’s classical experiment, which demonstrated the dangers of performing variable selection and regression on the same data [Fre83].

2 Generalization in Adaptive Data Analysis

We view adaptive analysis on the same dataset as an execution of a sequence of steps A1A2Am{\cal A}_{1}\rightarrow{\cal A}_{2}\rightarrow\cdots\rightarrow{\cal A}_{m}. Each step is described by an algorithm Ai{\cal A}_{i} that takes as input a fixed dataset S=(x1,,xn)S=(x_{1},\ldots,x_{n}) drawn from some distribution D{\cal D} over Xn\mathcal{X}^{n}, which remains unchanged over the course of the analysis. Each algorithm AiA_{i} also takes as input the outputs of the previously run algorithms A1{\cal A}_{1} through Ai1{\cal A}_{i-1} and produces a value in some range Yi{\cal Y}_{i}. The dependence on previous outputs represents all the adaptive choices that are made at step ii of data analysis. For example, depending on the previous outputs, Ai{\cal A}_{i} can run different types of analysis on SS. We note that at this level of generality, the algorithms can represent the choices of the data analyst, and need not be explicitly specified. We assume that the analyst uses algorithms which individually are known to generalize when executed on a fresh dataset sampled independently from a distribution D{\cal D}. We formalize this by assuming that for every fixed value y1,,yi1Y1××Yi1y_{1},\ldots,y_{i-1}\in{\cal Y}_{1}\times\cdots\times{\cal Y}_{i-1}, with probability at least 1βi1-\beta_{i} over the choice of SS according to distribution D{\cal D}, the output of Ai{\cal A}_{i} on inputs y1,,yi1y_{1},\ldots,y_{i-1} and SS has a desired property relative to the data distribution D{\cal D} (for example has low generalization error). Note that in this assumption y1,,yi1y_{1},\ldots,y_{i-1} are fixed and independent of the choice of SS, whereas the analyst will execute Ai{\cal A}_{i} on values Y1,,Yi1{\bm{Y}}_{1},\ldots,{\bm{Y}}_{i-1}, where Yj=Aj(S,Y1,,Yj1){\bm{Y}}_{j}={\cal A}_{j}(S,{\bm{Y}}_{1},\ldots,{\bm{Y}}_{j-1}). In other words, in the adaptive setup, the algorithm Ai{\cal A}_{i} can depend on the previous outputs, which depend on SS, and thus the set SS given to Ai{\cal A}_{i} is no longer an independently sampled dataset. Such dependence invalidates the generalization guarantees of individual procedures, potentially leading to overfitting.

First, we spell out how the differential privacy based approach from [DFH+14] can be applied to this more general setting. Specifically, a simple corollary of results in [DFH+14] is that for a dataset consisting of i.i.d. samples any output of a differentially-private algorithm can be used in subsequent analysis while controlling the risk of overfitting, even beyond the setting of statistical queries studied in [DFH+14]. A key property of differential privacy in this context is that it composes adaptively: namely if each of the algorithms used by the analyst is differentially private, then the whole procedure will be differentially private (albeit with worse privacy parameters). Therefore, one way to avoid overfitting in the adaptive setting is to use algorithms that satisfy (sufficiently strong) guarantees of differential-privacy. In Section 2.2 we describe this result formally.

We then show how description length bounds can be applied in the context of guaranteeing generalization in the presence of adaptivity. If the total length of the outputs of algorithms A1,,Ai1{\cal A}_{1},\ldots,{\cal A}_{i-1} can be described with kk bits then there are at most 2k2^{k} possible values of the input y1,,yi1y_{1},\ldots,y_{i-1} to Ai{\cal A}_{i}. For each of these individual inputs Ai{\cal A}_{i} generalizes with probability 1βi1-\beta_{i}. Taking a union bound over failure probabilities implies generalization with probability at least 12kβi1-2^{k}\beta_{i}. Occam’s Razor famously implies that shorter hypotheses have lower generalization error. Our observation is that shorter hypotheses (and the results of analysis more generally) are also better in the adaptive setting since they reveal less about the dataset and lead to better generalization of subsequent analyses. Note that this result makes no assumptions about the data distribution D{\cal D}. We provide the formal details in Section 2.3. In Section B we also show that description length-based analysis suffices for obtaining an algorithm (albeit not an efficient one) that can answer an exponentially large number of adaptively chosen statistical queries. This provides an alternative proof for one of the results in [DFH+14].

An upper bound on (approximate) max-information gives generalization guarantees.

Differentially private algorithms have low max-information for any distribution D{\cal D} over datasets. A stronger bound holds for approximate max-information on i.i.d. datasets. These bounds apply only to so-called pure differential privacy (the δ=0\delta=0 case).

Bounds on the description length of the output of an algorithm give bounds on the approximate max-information of the algorithm for any D{\cal D}.

Approximate max-information composes adaptively.

Approximate max-information is preserved under post-processing.

Composition properties of approximate max-information imply that one can easily obtain generalization guarantees for adaptive sequences of algorithms, some of which are differentially private, and others of which have outputs with short description length. These properties also imply that differential privacy can be used to control generalization for any distribution D{\cal D} over datasets, which extends its generalization guarantees beyond the restriction to datasets drawn i.i.d. from a fixed distribution, as in [DFH+14].

We remark that (pure) differential privacy and description length are otherwise incomparable – low description length is not a sufficient condition for differential privacy, since differential privacy precludes revealing even a small number of bits of information about any single individual in the data set. At the same time differential privacy does not constrain the description length of the output. Bounds on max-information or differential privacy of an algorithm can, however, be translated to bounds on randomized description length for a different algorithm with statistically indistinguishable output. Here we say that a randomized algorithm has randomized description length of kk if for every fixing of the algorithm’s random bits, it has description length of kk. Details of these results and additional discussion appear in Sections 3 and A.

3 Related Work

This work builds on [DFH+14] where we initiated the formal study of adaptivity in data analysis. The primary focus of [DFH+14] is the problem of answering adaptively chosen statistical queries. The main technique is a strong connection between differential privacy and generalization: differential privacy guarantees that the distribution of outputs does not depend too much on any one of the data samples, and thus, differential privacy gives a strong stability guarantee that behaves well under adaptive data analysis. The link between generalization and approximate differential privacy made in [DFH+14] has been subsequently strengthened, both qualitatively — by [BSSU15], who make the connection for a broader range of queries — and quantitatively, by [NS15] and [BSSU15], who give tighter quantitative bounds. These papers, among other results, give methods for accurately answering exponentially (in the dataset size) many adaptively chosen queries, but the algorithms for this task are not efficient. It turns out this is for fundamental reasons – Hardt and Ullman [HU14] and Steinke and Ullman [SU14] prove that, under cryptographic assumptions, no efficient algorithm can answer more than quadratically many statistical queries chosen adaptively by an adversary who knows the true data distribution.

Differential privacy emerged from a line of work [DN03, DN04, BDMN05], culminating in the definition given by [DMNS06]. There is a very large body of work designing differentially private algorithms for various data analysis tasks, some of which we leverage in our applications. See [Dwo11] for a short survey and [DR14] for a textbook introduction to differential privacy.

The classical approach in theoretical machine learning to ensure that empirical estimates generalize to the underlying distribution is based on the various notions of complexity of the set of functions output by the algorithm, most notably the VC dimension(see e.g. [SSBD14] for a textbook introduction). If one has a sample of data large enough to guarantee generalization for all functions in some class of bounded complexity, then it does not matter whether the data analyst chooses functions in this class adaptively or non-adaptively. Our goal, in contrast, is to prove generalization bounds without making any assumptions about the class from which the analyst can choose query functions. In this case the adaptive setting is very different from the non-adaptive setting.

An important line of work [BE02, MNPR06, PRMN04, SSSSS10] establishes connections between the stability of a learning algorithm and its ability to generalize. Stability is a measure of how much the output of a learning algorithm is perturbed by changes to its input. It is known that certain stability notions are necessary and sufficient for generalization. Unfortunately, the stability notions considered in these prior works do not compose in the sense that running multiple stable algorithms sequentially and adaptively may result in a procedure that is not stable. The measure we introduce in this work (max information), like differential privacy, has the strength that it enjoys adaptive composition guarantees. This makes it amenable to reasoning about the generalization properties of adaptively applied sequences of algorithms, while having to analyze only the individual components of these algorithms. Connections between stability, empirical risk minimization and differential privacy in the context of learnability have been recently explored in [WLF15].

Freund gives an approach to obtaining data-dependent generalization bounds that takes into account the set of statistical queries that a given learning algorithm can produce for the distribution from which the data was sampled [Fre98]. A related approach of Langford and Blum also allows to obtain data-dependent generalization bounds based on the description length of functions that can be output for a data distribution [LB03]. Unlike our work, these approaches require the knowledge of the structure of the learning algorithm to derive a generalization bound. More importantly, the focus of our framework is on the design of new algorithms with better generalization properties in the adaptive setting.

Finally, inspired by our work, Blum and Hardt [BH15] showed how to reuse the holdout set to maintain an accurate leaderboard in a machine learning competition that allows the participants to submit adaptively chosen models in the process of the competition (such as those organized by Kaggle Inc.). Their analysis also relies on the description length-based technique we used to analyze SparseValidate.

Preliminaries and Basic Techniques

In the discussion below log\log refers to binary logarithm and ln\ln refers to the natural logarithm. For simplicity we restrict our random variables to finite domains (extension of the claims to continuous domains is straightforward using the standard formalism). For two random variables X{\bm{X}} and Y{\bm{Y}} over the same domain X\mathcal{X} the max-divergence of X{\bm{X}} from Y{\bm{Y}} is defined as

δ\delta-approximate max-divergence is defined as

On an intuitive level, differential privacy hides the data of any single individual. We are thus interested in pairs of datasets S,SS,S^{\prime} that differ in a single element, in which case we say SS and SS^{\prime} are adjacent.

[DMNS06, DKM+06] A randomized algorithm A{\cal A} with domain Xn\mathcal{X}^{n} for n>0n>0 is (ε,δ)(\varepsilon,\delta)-differentially private if for all pairs of datasets that differ in a single element S,SXnS,S^{\prime}\in\mathcal{X}^{n}: Dδ(A(S)A(S))log(eε).D_{\infty}^{\delta}({\cal A}(S)\|{\cal A}(S^{\prime}))\leq\log(e^{\varepsilon}). The case when δ=0\delta=0 is sometimes referred to as pure differential privacy, and in this case we may say simply that A{\cal A} is ε\varepsilon-differentially private.

Differential privacy is preserved under adaptive composition. Adaptive composition of algorithms is a sequential execution of algorithms on the same dataset in which an algorithm at step ii can depend on the outputs of previous algorithms. More formally, let A1,A2,,Am{\cal A}_{1},{\cal A}_{2},\ldots,{\cal A}_{m} be a sequence of algorithms. Each algorithm Ai{\cal A}_{i} outputs a value in some range Yi{\cal Y}_{i} and takes as an input dataset in Xn\mathcal{X}^{n} as well as a value in Yˉi1Y1××Yi1\bar{{\cal Y}}_{i-1}\doteq{\cal Y}_{1}\times\cdots\times{\cal Y}_{i-1}. Adaptive composition of these algorithm is the algorithm that takes as an input a dataset SXnS\in\mathcal{X}^{n} and executes A1A2Am{\cal A}_{1}\rightarrow{\cal A}_{2}\rightarrow\cdots\rightarrow{\cal A}_{m} sequentially with the input to Ai{\cal A}_{i} being SS and the outputs y1,,yi1y_{1},\ldots,y_{i-1} of A1,,Ai1{\cal A}_{1},\ldots,{\cal A}_{i-1}. Such composition captures the common practice in data analysis of using the outcomes of previous analyses (that is y1,,yi1y_{1},\ldots,y_{i-1}) to select an algorithm that is executed on SS.

For an algorithm that in addition to a dataset has other input we say that it is (ε,δ)(\varepsilon,\delta)-differentially private if it is (ε,δ)(\varepsilon,\delta)-differentially private for every setting of additional parameters. The basic property of adaptive composition of differentially private algorithms is the following result (e.g.[DL09]):

Let Ai:Xn×Y1××Yi1Yi{\cal A}_{i}:\mathcal{X}^{n}\times{\cal Y}_{1}\times\cdots\times{\cal Y}_{i-1}\rightarrow{\cal Y}_{i} be an (εi,δi)(\varepsilon_{i},\delta_{i})-differentially private algorithm for i[m]i\in[m]. Then the algorithm B:XnYm{\mathcal{B}}:\mathcal{X}^{n}\rightarrow{\cal Y}_{m} obtained by composing Ai{\cal A}_{i}’s adaptively is (i=1mεi,i=1mδi)(\sum_{i=1}^{m}\varepsilon_{i},\sum_{i=1}^{m}\delta_{i})-differentially private.

A more sophisticated argument yields significant improvement when ε<1\varepsilon<1 (e.g.[DR14]).

For all ε,δ,δ0\varepsilon,\delta,\delta^{\prime}\geq 0, the adaptive composition of mm arbitrary (ε,δ)(\varepsilon,\delta)-differentially private algorithms is (ε,mδ+δ)(\varepsilon^{\prime},m\delta+\delta^{\prime})-differentially private, where

Another property of differential privacy important for our applications is preservation of its guarantee under post-processing (e.g.[DR14, Prop. 2.1]):

If A\mathcal{A} is an (ϵ,δ)(\epsilon,\delta)-differentially private algorithm with domain Xn\mathcal{X}^{n} and range Y{\cal Y}, and B\mathcal{B} is any, possibly randomized, algorithm with domain Y{\cal Y} and range Y{\cal Y}^{\prime\prime}, then the algorithm BA\mathcal{B}\circ\mathcal{A} with domain Xn\mathcal{X}^{n} and range Y{\cal Y}^{\prime} is also (ϵ,δ)(\epsilon,\delta)-differentially private.

2 Generalization via Differential Privacy

Generalization in special cases of our general adaptive analysis setting can be obtained directly from results in [DFH+14] and composition properties of differentially private algorithms. For the case of pure differentially private algorithms with general outputs over i.i.d. datasets, in [DFH+14] we prove the following result.

An immediate corollary of Thm. 6 together with Lemma 1 is that differentially private algorithms that output low-sensitivity functions generalize.

For approximate (ε,δ)(\varepsilon,\delta)-differential privacy, strong preservation of generalization results are currently known only for algorithms that output a function over X\mathcal{X} of bounded range (for simplicity we use range $$) [DFH+14, NS15]. The following result was proved by Nissim and Stemmer [NS15] (a weaker statement is also given in [DFH+14, Thm. 10]).

Let A{\cal A} be an (ε,δ)(\varepsilon,\delta)-differentially private algorithm that outputs a function from X\mathcal{X} to $.Forarandomvariable. For a random variable\bm{S}distributedaccordingtodistributed according to\mathcal{P}^{n}weletwe let{\bm{\phi}}={\cal A}({\bm{S}}).ThenforThen forn\geq 2\ln(8/\delta)/\varepsilon^{2}$,

Many learning algorithms output a hypothesis function that aims to minimize some bounded loss function LL as the final output. If algorithms used in all steps of the adaptive data analysis are differentially private and the last step (that is, Am{\cal A}_{m}) outputs a hypothesis hh, then generalization bounds for the loss of hh are implied directly by Theorem 8. We remark that this application is different from the example for pure differential privacy above since there we showed preservation of generalization guarantees of arbitrarily complex learning algorithm Am{\cal A}_{m} which need not be differentially private. In Section 4 we give an application of Theorem 8 to the reusable holdout problem.

3 Generalization via Description Length

Let A:XnY{\cal A}:\mathcal{X}^{n}\rightarrow{\cal Y} and B:Xn×YY{\mathcal{B}}:\mathcal{X}^{n}\times{\cal Y}\rightarrow{\cal Y}^{\prime} be two algorithms. We now give a simple application of bounds on the size of Y{\cal Y} (or, equivalently, the description length of A{\cal A}’s output) to preserving generalization of B{\mathcal{B}}. Here generalization can actually refer to any valid or desirable output of B{\mathcal{B}} for a given given dataset SS and input yYy\in{\cal Y}. Specifically we will use a set R(y)XnR(y)\subseteq\mathcal{X}^{n} to denote all datasets for which the output of B{\mathcal{B}} on yy and SS is “bad” (e.g. overfits). Using a simple union bound we show that the probability (over a random choice of a dataset) of such bad outcome can be bounded.

In Section A we describe a generalization of description length bounds to randomized algorithms and show that it possesses the same properties.

Max-Information

Consider two algorithms A:XnY{\cal A}:\mathcal{X}^{n}\rightarrow{\cal Y} and B:Xn×YY{\mathcal{B}}:\mathcal{X}^{n}\times{\cal Y}\rightarrow{\cal Y}^{\prime} that are composed adaptively and assume that for every fixed input yYy\in{\cal Y}, B{\mathcal{B}} generalizes for all but fraction β\beta of datasets. Here we are speaking of generalization informally: our definitions will support any property of input yYy\in{\cal Y} and dataset SS. Intuitively, to preserve generalization of B{\mathcal{B}} we want to make sure that the output of A{\cal A} does not reveal too much information about the dataset SS. We demonstrate that this intuition can be captured via a notion of max-information and its relaxation approximate max-information.

For two random variables X{\bm{X}} and Y{\bm{Y}} we use X×Y{\bm{X}}\times{\bm{Y}} to denote the random variable obtained by drawing X{\bm{X}} and Y{\bm{Y}} independently from their probability distributions.

It follows immediately from Bayes’ rule that for all β0\beta\geq 0, Iβ(X;Y)=Iβ(Y;X)I_{\infty}^{\beta}(\bm{X};\bm{Y})=I_{\infty}^{\beta}(\bm{Y};\bm{X}). Further, I(X;Y)kI_{\infty}({\bm{X}};{\bm{Y}})\leq k if and only if for all xx in the support of X{\bm{X}}, D(Y  X=x  Y)kD_{\infty}({\bm{Y}}\ |\ {\bm{X}}=x\ \|\ {\bm{Y}})\leq k. Clearly, max-information upper bounds the classical notion of mutual information: I(X;Y)I(X;Y)I_{\infty}({\bm{X}};{\bm{Y}})\geq I({\bm{X}};{\bm{Y}}).

In our use (X,Y)(\bm{X},\bm{Y}) is going to be a joint distribution (S,A(S))({\bm{S}},{\cal A}({\bm{S}})), where S{\bm{S}} is a random nn-element dataset and A{\cal A} is a (possibly randomized) algorithm taking a dataset as an input. If the output of an algorithm on any distribution S{\bm{S}} has low approximate max-information then we say that the algorithm has low max-information. More formally:

We say that an algorithm A{\cal A} has β\beta-approximate max-information of kk if for every distribution S\mathcal{S} over nn-element datasets, Iβ(S;A(S))kI_{\infty}^{\beta}({\bm{S}};{\cal A}({\bm{S}}))\leq k, where S{\bm{S}} is a dataset chosen randomly according to S\mathcal{S}. We denote this by Iβ(A,n)kI_{\infty}^{\beta}({\cal A},n)\leq k.

An alternative way to define the (pure) max-information of an algorithm is using the maximum of the infinity divergence between distributions on two different inputs.

Let A{\cal A} be an algorithm with domain Xn\mathcal{X}^{n} and range Y{\cal Y}. Then I(A,n)=maxS,SXnD(A(S)A(S))I_{\infty}({\cal A},n)=\max_{S,S^{\prime}\in\mathcal{X}^{n}}D_{\infty}({\cal A}(S)\|{\cal A}(S^{\prime})).

For the other direction let k=I(A,n)k=I_{\infty}({\cal A},n), let S,SXnS,S^{\prime}\in\mathcal{X}^{n} and yYy\in{\cal Y}. For α(0,1)\alpha\in(0,1), let S{\bm{S}} be the random variable equal to SS with probability α\alpha and to SS^{\prime} with probability 1α1-\alpha and let Y=A(S){\bm{Y}}={\cal A}({\bm{S}}). By our assumption, I(Y;S)=I(S;Y)kI_{\infty}({\bm{Y}};{\bm{S}})=I_{\infty}({\bm{S}};{\bm{Y}})\leq k. This gives

This holds for every α>0\alpha>0 and therefore

Using this inequality for every yYy\in{\cal Y} we obtain D(A(S)A(S))kD_{\infty}({\cal A}(S)\|{\cal A}(S^{\prime}))\leq k. ∎

An immediate corollary of our definition of approximate max-information is that it controls the probability of “bad events” that can happen as a result of the dependence of A(S){\cal A}(S) on SS.

Let S{\bm{S}} be a random dataset in Xn\mathcal{X}^{n} and A{\cal A} be an algorithm with range Y{\cal Y} such that for some β0\beta\geq 0, Iβ(S;A(S))=kI_{\infty}^{\beta}({\bm{S}};{\cal A}({\bm{S}}))=k. Then for any event OXn×Y{\mathcal{O}}\subseteq\mathcal{X}^{n}\times{\cal Y},

Approximate max-information satisfies the following adaptive composition property:

Let A:XnY{\mathcal{A}}:{\cal X}^{n}\rightarrow{\cal Y} be an algorithm such that Iβ1(A,n)k1I_{\infty}^{\beta_{1}}({\cal A},n)\leq k_{1}, and let B:Xn×YZ{\mathcal{B}}:{\cal X}^{n}\times{\cal Y}\rightarrow{\cal Z} be an algorithm such that for every yYy\in{\cal Y}, B(,y){\mathcal{B}}(\cdot,y) has β2\beta_{2}-approximate max-information k2k_{2}. Let C:XnZ{\cal C}:{\cal X}^{n}\rightarrow{\cal Z} be defined such that C(S)=B(S,A(S)){\cal C}(S)={\mathcal{B}}({\bm{S}},{\mathcal{A}}(S)). Then Iβ1+β2(C,n)k1+k2I_{\infty}^{\beta_{1}+\beta_{2}}({\cal C},n)\leq k_{1}+k_{2}.

Let D{\cal D} be a distribution over Xn\mathcal{X}^{n} and S{\bm{S}} be a random dataset sampled from D{\cal D}. By hypothesis, Iβ1(S;A(S))k1I^{\beta_{1}}_{\infty}({\bm{S}};{\mathcal{A}}(S))\leq k_{1}. Expanding out the definition for all OXn×Y{\mathcal{O}}\subseteq{\cal X}^{n}\times{\cal Y}:

We also have for all QXn×Z{\mathcal{Q}}\subseteq{\cal X}^{n}\times{\cal Z} and for all yYy\in{\cal Y}:

For every OXn×Y{\mathcal{O}}\subseteq{\cal X}^{n}\times{\cal Y}, define

Observe that μ(O)β1\mu({\mathcal{O}})\leq\beta_{1} for all OXn×Y{\mathcal{O}}\subseteq{\cal X}^{n}\times{\cal Y}. For any event QXn×Z{\mathcal{Q}}\subseteq{\cal X}^{n}\times{\cal Z}, we have:

Applying the definition of max-information, we see that equivalently, Iβ1+β2(S;C(S))k1+k2I^{\beta_{1}+\beta_{2}}_{\infty}({\bm{S}};{\cal C}({\bm{S}}))\leq k_{1}+k_{2}, which is what we wanted. ∎

This lemma can be iteratively applied, which immediately yields the following adaptive composition theorem for max-information:

Consider an arbitrary sequence of algorithms A1,,Ak{\mathcal{A}}_{1},\ldots,{\mathcal{A}}_{k} with ranges Y1,,Yk{\cal Y}_{1},\ldots,{\cal Y}_{k} such that for all ii, Ai:Xn×Y1××Yi1Yi{\mathcal{A}}_{i}:{\cal X}^{n}\times{\cal Y}_{1}\times\ldots\times{\cal Y}_{i-1}\rightarrow{\cal Y}_{i} is such that Ai(,y1,,yi1){\mathcal{A}}_{i}(\cdot,y_{1},\ldots,y_{i-1}) has βi\beta_{i}-approximate max-information kik_{i} for all choices of y1,,yi1Y1××Yi1y_{1},\ldots,y_{i-1}\in{\cal Y}_{1}\times\ldots\times{\cal Y}_{i-1}. Let the algorithm B:XnYk{\mathcal{B}}:{\cal X}^{n}\rightarrow{\cal Y}_{k} be defined as follows: B(S){\mathcal{B}}(S):

For i=2i=2 to kk: Let yi=Ai(S,y1,,yi1)y_{i}={\mathcal{A}}_{i}(S,y_{1},\ldots,y_{i-1})

Then B{\mathcal{B}} has (iβi)(\sum_{i}\beta_{i})-approximate max-information (iki)(\sum_{i}k_{i}).

Another useful property that (approximate) max-information shares with differential privacy is preservation under post-processing. The simple proof of this lemma is identical to that for differential privacy (Lemma 5) and hence is omitted.

If A\mathcal{A} is an algorithm with domain Xn\mathcal{X}^{n} and range Y{\cal Y}, and B\mathcal{B} is any, possibly randomized, algorithm with domain Y{\cal Y} and range Y{\cal Y}^{\prime\prime}, then the algorithm BA\mathcal{B}\circ\mathcal{A} with domain Xn\mathcal{X}^{n} and range Y{\cal Y}^{\prime} satisfies: for every random variable S{\bm{S}} over Xn\mathcal{X}^{n} and every β0\beta\geq 0, Iβ(S;BA(S))Iβ(S;A(S))I_{\infty}^{\beta}({\bm{S}};\mathcal{B}\circ\mathcal{A}({\bm{S}}))\leq I_{\infty}^{\beta}({\bm{S}};\mathcal{A}({\bm{S}})).

1 Bounds on Max-information

We now show that the basic approaches based on description length and (pure) differential privacy are captured by approximate max-information.

Description length kk gives the following bound on max-information.

Let A{\cal A} be a randomized algorithm taking as an input an nn-element dataset and outputting a value in a finite set Y{\cal Y}. Then for every β>0\beta>0, Iβ(A,n)log(Y/β)I_{\infty}^{\beta}({\cal A},n)\leq\log(|{\cal Y}|/\beta).

We will use the following simple property of approximate divergence (e.g.[DR14]) in the proof. For a random variable X{\bm{X}} over X\mathcal{X} we denote by p(X)p({\bm{X}}) the probability distribution associated with X{\bm{X}}.

Let X{\bm{X}} and Y{\bm{Y}} be two random variables over the same domain X\mathcal{X}. If

then Dβ(XY)kD_{\infty}^{\beta}({\bm{X}}\|{\bm{Y}})\leq k.

Let S{\bm{S}} be any random variable over nn-element input datasets and let Y{\bm{Y}} be the corresponding output distribution Y=A(S){\bm{Y}}={\cal A}({\bm{S}}). We prove that for every β>0\beta>0, Iβ(S;Y)log(Y/β)I_{\infty}^{\beta}({\bm{S}};{\bm{Y}})\leq\log(|{\cal Y}|/\beta).

For yYy\in{\cal Y} we say that yy is “bad” if exists SS in the support of S{\bm{S}} such that

For every (S,y)∉B(S,y)\not\in{\mathcal{B}} we have that

This, by Lemma 18, gives that Iβ(S;Y)log(Y/β)I_{\infty}^{\beta}({\bm{S}};{\bm{Y}})\leq\log(|{\cal Y}|/\beta). ∎

In Section A we introduce a closely related notion of randomized description length and show that it also provides an upper bound on approximate max-information. More interestingly, for this notion a form of the reverse bound can be proved: A bound on (approximate) max-information of an algorithm A{\cal A} implies a bound on the randomized description length of the output of a different algorithm with statistically indistinguishable from A{\cal A} output.

1.2 Differential Privacy

We now show that pure differential privacy implies a bound on max information. We start with a simple bound on max-information of differentially private algorithms that applies to all distributions over datasets. In particular, it implies that the differential privacy-based approach can be used beyond the i.i.d. setting in [DFH+14].

Let A{\cal A} be an ϵ\epsilon-differentially private algorithm. Then I(A,n)logeϵnI_{\infty}({\cal A},n)\leq\log e\cdot\epsilon n.

Finally, we prove a stronger bound on approximate max-information for datasets consisting of i.i.d. samples using the technique from [DFH+14]. This bound, together with Thm. 13, generalizes Thm. 6.

Let A{\cal A} be an ε\varepsilon-differentially private algorithm with range Y{\cal Y}. For a distribution P{\mathcal{P}} over X\mathcal{X}, let S{\bm{S}} be a random variable drawn from Pn{\mathcal{P}}^{n}. Let Y=A(S){\bm{Y}}={\cal A}({\bm{S}}) denote the random variable output by A{\cal A} on input S{\bm{S}}. Then for any β>0\beta>0, Iβ(S;A(S))loge(ε2n/2+εnln(2/β)/2)I_{\infty}^{\beta}({\bm{S}};{\cal A}({\bm{S}}))\leq\log e(\varepsilon^{2}n/2+\varepsilon\sqrt{n\ln(2/\beta)/2}).

Fix yYy\in{\cal Y}. We first observe that by Jensen’s inequality,

Further, by definition of differential privacy, for two databases S,SS,S^{\prime} that differ in a single element,

For an integer i1i\geq 1, let tiε2n/2+εnln(2i/β)/2t_{i}\doteq\varepsilon^{2}n/2+\varepsilon\sqrt{n\ln(2^{i}/\beta)/2} and let

By inequality (1), we have that for i1i\geq 1,

Let B={(S,y)  yY,SBy}{\mathcal{B}}=\{(S,y)\ |\ y\in{\cal Y},S\in B_{y}\}. Then

For every (S,y)∉B(S,y)\not\in{\mathcal{B}} we have that

Note that for f(S)=ES[ϕ]f(S)={\cal E}_{S}[\phi], where ϕ:X\phi:\mathcal{X}\rightarrow this result requires ε=τ2\varepsilon=\tau^{2}. The stronger bound allows to preserve concentration of measure even when ε=τ/(cn)\varepsilon=\tau/(cn) which corresponds to τ=ε\tau=\varepsilon when f(S)=ES[ϕ]f(S)={\cal E}_{S}[\phi].

We apply Theorem 20 with β=2exp(τ2/(c2n))\beta=2\exp{(-\tau^{2}/(c^{2}n))} to obtain that

Applying Thm. 13 to McDiarmid’s inequality we obtain that

where the last inequality holds when τ2/(c2n)\tau^{2}/(c^{2}n) is larger than a fixed constant. ∎

Reusable Holdout

We describe two simple algorithms that enable validation of analyst’s queries in the adaptive setting.

Our first algorithm Thresholdout{\sf Thresholdout} follows the approach in [DFH+14] where differentially private algorithms are used to answer adaptively chosen statistical queries. This approach can also be applied to any low-sensitivity functions Guarantees based on pure differential privacy follow from the same analysis. Proving generalization guarantees for low-sensitivity queries based on approximate differential privacy requires a modification of Thresholdout using techniques in [BSSU15]. of the dataset but for simplicity we present the results for statistical queries. Here we address an easier problem in which the analyst’s queries only need to be answered when they overfit. Also, unlike in [DFH+14], the analyst has full access to the training set and the holdout algorithm only prevents overfitting to holdout dataset. As a result, unlike in the general query answering setting, our algorithm can efficiently validate an exponential in nn number of queries as long as a relatively small number of them overfit.

Thresholdout is given access to the training dataset StS_{t} and holdout dataset ShS_{h} and a budget limit BB. It allows any query of the form ϕ:X\phi:\mathcal{X}\rightarrow and its goal is to provide an estimate of P[ϕ]\mathcal{P}[\phi]. To achieve this the algorithm gives an estimate of ESh[ϕ]{\cal E}_{S_{h}}[\phi] in a way that prevents overfitting of functions generated by the analyst to the holdout set. In other words, responses of Thresholdout are designed to ensure that, with high probability, ESh[ϕ]{\cal E}_{S_{h}}[\phi] is close to P[ϕ]\mathcal{P}[\phi] and hence an estimate of ESh[ϕ]{\cal E}_{S_{h}}[\phi] gives an estimate of the true expectation P[ϕ]\mathcal{P}[\phi]. Given a function ϕ\phi, Thresholdout first checks if the difference between the average value of ϕ\phi on the training set StS_{t} (or ESt[ϕ]{\cal E}_{S_{t}}[\phi]) and the average value of ϕ\phi on the holdout set ShS_{h} (or ESh[ϕ]{\cal E}_{S_{h}}[\phi]) is below a certain threshold T+ηT+\eta. Here, TT is a fixed number such as 0.010.01 and η\eta is a Laplace noise variable whose standard deviation needs to be chosen depending on the desired guarantees (The Laplace distribution is a symmetric exponential distribution.) If the difference is below the threshold, then the algorithm returns ESt[ϕ]{\cal E}_{S_{t}}[\phi]. If the difference is above the threshold, then the algorithm returns ESh[ϕ]+ξ{\cal E}_{S_{h}}[\phi]+\xi for another Laplacian noise variable ξ\xi. Each time the difference is above threshold the “overfitting” budget BB is reduced by one. Once it is exhausted, Thresholdout stops answering queries. In Fig. 1 we provide the pseudocode of Thresholdout.

We now establish the formal generalization guarantees that Thresholdout enjoys. As the first step we state what privacy parameters are achieved by Thresholdout.

Thresholdout satisfies (2B/(σn),0)(2B/(\sigma n),0)-differential privacy. Thresholdout{\sf Thresholdout} also satisfies (32Bln(2/δ)/(σn),δ)(\sqrt{32B\ln(2/\delta)}/(\sigma n),\delta)-differential privacy for any δ>0\delta>0.

Thresholdout is an instantiation of a basic tool from differential privacy, the “Sparse Vector Algorithm” ([DR14, Algorithm 2]), together with the Laplace mechanism ([DR14, Defn. 3.3]). The sparse vector algorithm takes as input a sequence of cc sensitivity 1/n1/n queriesIn fact, the theorems for the Sparse Vector algorithm in Dwork and Roth are stated for sensitivity 1 queries – we use them for sensitivity 1/n1/n queries of the form ESh[ϕ]{\cal E}_{S_{h}}[\phi], which results in all of the bounds being scaled down by a factor of nn. (here c=Bc=B, the budget), and for each query, attempts to determine whether the value of the query, evaluated on the private dataset, is above a fixed threshold TT or below it. In our instantiation, the holdout set ShS_{h} is the private data set, and each function ϕ\phi corresponds to the following query evaluated on ShS_{h}: fϕ(Sh):=ESh[ϕ]ESt[ϕ]f_{\phi}(S_{h}):=|{\cal E}_{S_{h}}[\phi]-{\cal E}_{S_{t}}[\phi]|. (Note that the training set StS_{t} is viewed as part of the definition of the query). Thresholdout{\sf Thresholdout} then is equivalent to the following procedure: we run the sparse vector algorithm [DR14, Algorithm 2] with c=Bc=B, queries fϕf_{\phi} for each function ϕ\phi, and noise rate 2σ2\sigma. Whenever an above-threshold query is reported by the sparse vector algorithm, we release its value using the Laplace mechanism [DR14, Defn. 3.3] with noise rate σ\sigma (this is what occurs every time Thresholdout answers by outputting ESh[ϕ]+ξ{\cal E}_{S_{h}}[\phi]+\xi). By the privacy guarantee of the sparse vector algorithm ([DR14, Thm. 3.25]), the sparse vector portion of Thresholdout{\sf Thresholdout} satisfies (B/(σn),0)(B/(\sigma n),0)-differential privacy, and simultaneously satisfies (8Bln(2/δ)σn,δ/2)(\frac{\sqrt{8B\ln(2/\delta)}}{\sigma n},\delta/2)-differential privacy. The Laplace mechanism portion of Thresholdout satisfies (B/(σn),0)(B/(\sigma n),0)-differential privacy by [DR14, Thm. 3.6], and simultaneously satisfies (8Bln(2/δ)σn,δ/2)(\frac{\sqrt{8B\ln(2/\delta)}}{\sigma n},\delta/2)-differential privacy by [DR14, Thm. 3.6] and [DR14, Cor. 3.21]. Finally, the composition of two mechanisms, the first of which is (ϵ1,δ1)(\epsilon_{1},\delta_{1})-differentially private, and the second of which is (ϵ2,δ2)(\epsilon_{2},\delta_{2})-differentially private is itself (ϵ1+ϵ2,δ1+δ2)(\epsilon_{1}+\epsilon_{2},\delta_{1}+\delta_{2})-differentially private (Thm. 3). Adding the privacy parameters of the Sparse Vector portion of Thresholdout and the Laplace mechanism portion of Thresholdout yield the parameters of our theorem. ∎

We note that tighter privacy parameters are possible (e.g. by invoking the parameters and guarantees of the algorithm “NumericSparse” ([DR14, Algorithm 3]), which already combines the Laplace addition step) – we chose simpler parameters for clarity.

Note the seeming discrepancy between the guarantee provided by Thresholdout and generalization guarantees in Theorem 8 and Corollary 7: while Theorem 8 promises generalization bounds for functions that are generated by a differentially private algorithm, here we allow an arbitrary data analyst to generate query functions in any way she chooses, with access to the training set and differentially private estimates of the means of her functions on the holdout set. The connection comes from preservation of differential privacy guarantee under post-processing (Lem. 5).

We can now quantify the number of samples necessary to achieve generalization error τ\tau with probability at least 1β1-\beta.

Let τ,β,T,B>0\tau,\beta,T,B>0. Let S{\bm{S}} denote the holdout dataset of size nn drawn i.i.d. from a distribution P\mathcal{P}. Consider an algorithm that is given access to StS_{t} and adaptively chooses functions ϕ1,,ϕm:X{\bm{\phi}}_{1},\dots,{\bm{\phi}}_{m}:\mathcal{X}\rightarrow while interacting with Thresholdout which is given datasets S{\bm{S}}, StS_{t} and parameters σ,B,T\sigma,B,T. If

Both settings lead to small generalization error and so we can pick whichever gives the larger bound. The first bound has grows linearly with BB but is simpler can be easily extended to other distributions over datasets and to low-sensitivity functions. The second bound has quadratically better dependence on BB at the expense of a slightly worse dependence on τ\tau. We can now apply our main results to get a generalization bound for the entire execution of Thresholdout.

Let β,τ>0\beta,\tau>0 and mB>0m\geq B>0. We set T=3τ/4T=3\tau/4 and σ=τ/(96ln(4m/β))\sigma=\tau/(96\ln(4m/\beta)). Let S{\bm{S}} denote a holdout dataset of size nn drawn i.i.d. from a distribution P\mathcal{P} and StS_{t} be any additional dataset over X\mathcal{X}. Consider an algorithm that is given access to StS_{t} and adaptively chooses functions ϕ1,,ϕm{\bm{\phi}}_{1},\dots,{\bm{\phi}}_{m} while interacting with Thresholdout which is given datasets S{\bm{S}}, StS_{t} and values σ,B,T\sigma,B,T. For every i[m]i\in[m], let ai{\bm{a}}_{i} denote the answer of Thresholdout on function ϕi:X{\bm{\phi}}_{i}:\mathcal{X}\rightarrow. Further, for every i[m]i\in[m], we define the counter of overfitting

whenever nmin{n0(B,σ,τ/8,β/(2m)), n1(B,σ,τ/8,β/(2m))}=O(ln(m/β)τ2)min{B,Bln(ln(m/β)/τ)}n\geq\min\{n_{0}(B,\sigma,\tau/8,\beta/(2m)),\ n_{1}(B,\sigma,\tau/8,\beta/(2m))\}=O\left(\frac{\ln(m/\beta)}{\tau^{2}}\right)\cdot\min\{B,\sqrt{B\ln(\ln(m/\beta)/\tau)}\}.

There are two types of error we need to control: the deviation between ai{\bm{a}}_{i} and the average value of ϕi{\bm{\phi}}_{i} on the holdout set ES[ϕi]{\cal E}_{{\bm{S}}}[{\bm{\phi}}_{i}], and the deviation between the average value of ϕi{\bm{\phi}}_{i} on the holdout set and the expectation of ϕi\phi_{i} on the underlying distribution, P[ϕi]\mathcal{P}[{\bm{\phi}}_{i}]. Specifically, we decompose the error as

To control the first term we need to bound the values of noise variables used by Thresholdout{\sf Thresholdout}. For the second term we will use the generalization properties of Thresholdout given in Lemma 24.

By the definition of σ\sigma, 8ln(4m/β)σ=τ/128\ln(4m/\beta)\cdot\sigma=\tau/12. Applying the union bound we obtain that

where by i\exists i we refer to i[m]\exists i\in[m] for brevity. Similarly, ξi\bm{\xi}_{i} and γi\bm{\gamma}_{i} are obtained by sampling from the Laplace distribution and each is re-randomized at most BB times. Therefore

For answers that are different from \bot, we can now bound the first term of Equation (4) by considering two cases, depending on whether Thresholdout answers query ϕi{\bm{\phi}}_{i} by returning ai=ES[ϕi]+ξi{\bm{a}}_{i}={\cal E}_{{\bm{S}}}[{\bm{\phi}}_{i}]+\bm{\xi}_{i} or by returning ai=ESt[ϕi]{\bm{a}}_{i}={\cal E}_{S_{t}}[{\bm{\phi}}_{i}]. First, consider queries whose answers are returned using the former condition. Under this condition, aiES[ϕi]=ξi|{\bm{a}}_{i}-{\cal E}_{{\bm{S}}}[{\bm{\phi}}_{i}]|=|\bm{\xi}_{i}|. Next, we consider the second case, those queries whose answers are returned using ESt[ϕi]{\cal E}_{{\bm{S}}_{t}}[{\bm{\phi}}_{i}]. By definition of the algorithm, we have

Noting that τ/24+τ/12=τ/8\tau/24+\tau/12=\tau/8 and applying our bound on variables ηi\bm{\eta}_{i}, ξi\bm{\xi}_{i} and γi\bm{\gamma}_{i} we get

By Lemma 24, for nmin{n0(B,σ,τ/8,β/2m),n1(B,σ,τ/8,β/2m)}n\geq\min\{n_{0}(B,\sigma,\tau/8,\beta/2m),n_{1}(B,\sigma,\tau/8,\beta/2m)\},

Combining this with Equation (5) and using in Equation (4) we get that

To finish the proof we show that under the conditions on the noise variables and generalization error used above, we have that if Zi<B{\bm{Z}}_{i}<B then ai{\bm{a}}_{i}\neq\bot. To see this, observe that for every jij\leq i that reduces Thresholdout’s budget, we have

This means that for every jij\leq i that reduces the budget we have P[ϕj]ESt[ϕj]3τ/4τ/24τ/12τ/8=τ/2|\mathcal{P}[{\bm{\phi}}_{j}]-{\cal E}_{S_{t}}[{\bm{\phi}}_{j}]|\geq 3\tau/4-\tau/24-\tau/12-\tau/8=\tau/2 and hence (when the conditions on the noise variables and generalization error are satisfied) for every ii, if Zi<B{\bm{Z}}_{i}<B then Thresholdout’s budget is not yet exhausted and ai{\bm{a}}_{i}\neq\bot. We can therefore conclude that

Note that in the final bound on nn, the term O(ln(m/β)τ2)O\left(\frac{\ln(m/\beta)}{\tau^{2}}\right) is equal (up to a constant factor) to the number of samples that are necessary to answer mm non-adaptively chosen queries with tolerance τ\tau and confidence 1β1-\beta. In particular, as in the non-adaptive setting, achievable tolerance τ\tau scales as 1/n1/\sqrt{n} (up to the logarithmic factor). Further, this bound allows mm to be exponentially large in nn as long as BB grows sub-quadratically in nn (that is, Bn2cB\leq n^{2-c} for a constant c>0c>0).

In Thm. 25 ShS_{h} is used solely to provide a candidate estimate of the expectation of each query function. The theorem holds for any other way to provide such estimates. In addition, the one-sided version of the algorithm can be used when catching only the one-sided error is necessary. For example, in many cases overfitting is problematic only if the training error estimate is larger than the true error. This is achieved by using the condition ESh[ϕ]ESt[ϕ]>T^+η{\cal E}_{S_{h}}[\phi]-{\cal E}_{S_{t}}[\phi]>\hat{T}+\eta to detect overfitting. In this case only one-sided errors will be caught by Thresholdout and only one-sided overfitting will decrease the budget.

2 SparseValidate

We now present a general algorithm for validation on the holdout set that can validate many arbitrary queries as long as few of them fail the validation. The algorithm which we refer to as SparseValidate only reveals information about the holdout set when validation fails and therefore we use bounds based on description length to analyze its generalization guarantees.

More formally, our algorithm allows the analyst to pick any Boolean function of a dataset ψ\psi (or even any algorithm that outputs a single bit) and provides back the value of ψ\psi on the holdout set ψ(Sh)\psi(S_{h}). SparseValidate has a budget mm for the total number of queries that can be asked and budget BB for the number of queries that returned 11. Once either of the budgets is exhausted, no additional answers are given. We now give a general description of the guarantees of SparseValidate.

We remark that the proof can also be obtained via a more direct application of the union bound over all strings in Y{\cal Y}. But the proof via Thm. 9 demonstrates the conceptual role that short description length plays in this application. ∎

An example of the application of SparseValidate for answering statistical and low-sensitivity queries that is based on our analysis can be found in [BSSU15]. The analysis of generalization on the holdout set in [BH15] and the analysis of the Median Mechanism we give in Section B also rely on this sparsity-based technique.

An alternative view of this algorithm is as a general template for designing algorithms for answering some specific type of adaptively chosen queries. Generalization guarantees specific to the type of query can then be obtained from our general analysis. For example, an algorithm that fits a mixture of Gaussians model to the data could define the validation query to be an algorithm that fits the mixture model to the holdout and obtains a vector of parameters Θh\Theta_{h}. The validation query then compares it with the vector of parameters Θt\Theta_{t} obtained on the training set and outputs 1 if the parameter vectors are “not close” (indicating overfitting). Given guarantees of statistical validity of the parameter estimation method in the static setting one could then derive guarantees for adaptive validation via Thm. 27.

Experiments

We describe a simple experiment on synthetic data that illustrates the danger of reusing a standard holdout set and how this issue can be resolved by our reusable holdout. In our experiment the analyst wants to build a classifier via the following common strategy. First the analyst finds a set of single attributes that are correlated with the class label. Then the analyst aggregates the correlated variables into a single model of higher accuracy (for example using boosting or bagging methods). More formally, the analyst is given a dd-dimensional labeled data set SS of size 2n2n and splits it randomly into a training set StS_{t} and a holdout set ShS_{h} of equal size. We denote an element of SS by a tuple (x,y)(x,y) where xx is a dd-dimensional vector and y{1,1}y\in\{-1,1\} is the corresponding class label. The analyst wishes to select variables to be included in her classifier. For various values of the number of variables to select kk, she picks kk variables with the largest absolute correlations with the label. However, she verifies the correlations (with the label) on the holdout set and uses only those variables whose correlation agrees in sign with the correlation on the training set and both correlations are larger than some threshold in absolute value. She then creates a simple linear threshold classifier on the selected variables using only the signs of the correlations of the selected variables. A final test evaluates the classification accuracy of the classifier on both the training set and the holdout set.

Formally, the algorithm is used to build a linear threshold classifier:

For each attribute i[d]i\in[d] compute the correlation with the label on the training and holdout sets: wit=(x,y)Stxiyw_{i}^{t}=\sum_{(x,y)\in S_{t}}x_{i}y and wih=(x,y)Shxiyw_{i}^{h}=\sum_{(x,y)\in S_{h}}x_{i}y. Let

that is the set of variables for which witw_{i}^{t} and wihw_{i}^{h} have the same sign and both are at least 1/n1/\sqrt{n} in absolute value (this is the standard deviation of the correlation in our setting). Let VkV_{k} be the subset of variables in WW with kk largest values of wit|w_{i}^{t}|.

Construct the classifier f(x)=sgn(iVksgn(wit)xi)f(x)=\textrm{sgn}\left(\sum_{i\in V_{k}}\textrm{sgn}(w_{i}^{t})\cdot x_{i}\right).

In the experiments we used an implementation of Thresholdout that differs somewhat from the algorithm we analyzed theoretically (given in Figure 1). Specifically, we set the parameters to be T=0.04T=0.04 and τ=0.01\tau=0.01. This is lower than the values necessary for the proof (and which are not intended for direct application) but suffices to prevent overfitting in our experiment. Second, we use Gaussian noise instead of Laplacian noise as it has stronger concentration properties (in many differential privacy applications similar theoretical guarantees hold mechanisms based on Gaussian noise).

No correlation between labels and data: In our first experiment, each attribute is drawn independently from the normal distribution N(0,1)N(0,1) and we choose the class label y{1,1}y\in\{-1,1\} uniformly at random so that there is no correlation between the data point and its label. We chose n=10,000n=10,000, d=10,000d=10,000 and varied the number of selected variables kk. In this scenario no classifier can achieve true accuracy better than 50%. Nevertheless, reusing a standard holdout results in reported accuracy of over 63% for k=500k=500 on both the training set and the holdout set (the standard deviation of the error is less than 0.5%). The average and standard deviation of results obtained from 100100 independent executions of the experiment are plotted in Figure 2 which also includes the accuracy of the classifier on another fresh data set of size nn drawn from the same distribution. We then executed the same algorithm with our reusable holdout. The algorithm Thresholdout was invoked with T=0.04T=0.04 and τ=0.01\tau=0.01 explaining why the accuracy of the classifier reported by Thresholdout is off by up to 0.040.04 whenever the accuracy on the holdout set is within 0.040.04 of the accuracy on the training set. Thresholdout prevents the algorithm from overfitting to the holdout set and gives a valid estimate of classifier accuracy.

High correlation between labels and some of the variables: In our second experiment, the class labels are correlated with some of the variables. As before the label is randomly chosen from {1,1}\{-1,1\} and each of the attributes is drawn from N(0,1)N(0,1) aside from 2020 attributes which are drawn from N(y0.06,1)N(y\cdot 0.06,1) where yy is the class label. We execute the same algorithm on this data with both the standard holdout and Thresholdout and plot the results in Figure 3. Our experiment shows that when using the reusable holdout, the algorithm still finds a good classifier while preventing overfitting. This illustrates that the reusable holdout simultaneously prevents overfitting and allows for the discovery of true statistical patterns.

In Figures 2 and 3, simulations that used Thresholdout for selecting the variables also show the accuracy on the holdout set as reported by Thresholdout. For comparison purposes, in Figure 4 we plot the actual accuracy of the generated classifier on the holdout set (the parameters of the simulation are identical to those used in Figures 2 and 3). It demonstrates that there is essentially no overfitting to the holdout set. Note that the advantage of the accuracy reported by Thresholdout is that it can be used to make further data dependent decisions while mitigating the risk of overfitting.

Discussion of the results: Overfitting to the standard holdout set arises in our experiment because the analyst reuses the holdout after using it to measure the correlation of single attributes. We first note that neither cross-validation nor bootstrap resolve this issue. If we used either of these methods to validate the correlations, overfitting would still arise due to using the same data for training and validation (of the final classifier). It is tempting to recommend other solutions to the specific problem we used in our experiment. Indeed, a significant number of methods in the statistics and machine learning literature deal with inference for fixed two-step procedures where the first step is variable selection (see [HTF09] for examples). Our experiment demonstrates that even in such simple and standard settings our method avoids overfitting without the need to use a specialized procedure – and, of course, extends more broadly. More importantly, the reusable holdout gives the analyst a general and principled method to perform multiple validation steps where previously the only known safe approach was to collect a fresh holdout set each time a function depends on the outcomes of previous validations.

Conclusions

In this work, we give a unifying view of two techniques (differential privacy and description length bounds) which preserve the generalization guarantees of subsequent algorithms in adaptively chosen sequences of data analyses. Although these two techniques both imply low max-information – and hence can be composed together while preserving their guarantees – the kinds of guarantees that can be achieved by either alone are incomparable. This suggests that the problem of generalization guarantees under adaptivity is ripe for future study on two fronts. First, the existing theory is likely already strong enough to develop practical algorithms with rigorous generalization guarantees, of which Thresholdout is an example. However additional empirical work is needed to better understand when and how the theory should be applied in specific application scenarios. At the same time, new theory is also needed. As an example of a basic question we still do not know the answer to: even in the simple setting of adaptively reusing a holdout set for computing the expectations of boolean-valued predicates, is it possible to obtain stronger generalization guarantees (via any means) than those that are known to be achievable via differential privacy?

References

Appendix A From Max-information to Randomized Description Length

In this section we demonstrate additional connections between max-information, differential privacy and description length. These connections are based on a generalization of description length to randomized algorithms that we refer to as randomized description length.

For a universe Y{\cal Y} let A{\cal A} be a randomized algorithm with input in X\mathcal{X} and output in Y{\cal Y}. We say that the output of A{\cal A} has randomized description length kk if for every fixed setting of random coin flips of A{\cal A} the set of possible outputs of A{\cal A} has size at most 2k2^{k}.

We first note that just as the (deterministic) description length, randomized description length implies generalization and gives a bound on max-information.

Let A{\cal A} be an algorithm with randomized description length kk taking as an input an nn-element dataset and outputting a value in Y{\cal Y}. Then for every β>0\beta>0, Iβ(A,n)log(Y/β)I_{\infty}^{\beta}({\cal A},n)\leq\log(|{\cal Y}|/\beta).

Let S{\bm{S}} be any random variable over nn-element input datasets and let Y{\bm{Y}} be the corresponding output distribution Y=A(S){\bm{Y}}={\cal A}({\bm{S}}). It suffices to prove that for every β>0\beta>0, Iβ(S;Y)k+log(1/β)I_{\infty}^{\beta}({\bm{S}};{\bm{Y}})\leq k+\log(1/\beta).

Let RR be the set of all possible values of the random bits of A{\cal A} and let R{\mathcal{R}} denote the uniform distribution over a choice of rRr\in R. For rRr\in R, let Ar{\cal A}_{r} denote A{\cal A} with the random bits set to rr and let Yr=Ar(S){\bm{Y}}_{r}={\cal A}_{r}({\bm{S}}). Observe that by the definition of randomized description length, the range of Ar{\cal A}_{r} has size at most 2k2^{k}. Therefore, by Theorem 17, we obtain that Iβ(S;Yr)log(2k/β)I_{\infty}^{\beta}({\bm{S}};{\bm{Y}}_{r})\leq\log(2^{k}/\beta).

For any event OXn×Y{\mathcal{O}}\subseteq\mathcal{X}^{n}\times{\cal Y} we have that

By the definition of β\beta-approximate max-information, we obtain that Iβ(S;Y)log(2k/β)I_{\infty}^{\beta}({\bm{S}};{\bm{Y}})\leq\log(2^{k}/\beta). ∎

We next show that if the output of an algorithm A{\cal A} has low approximate max-information about its input then there exists a (different) algorithm whose output is statistically close to that of A{\cal A} while having short randomized description. We remark that this reduction requires the knowledge of the marginal distribution A(S){\cal A}({\bm{S}}).

Let A{\cal A} be a randomized algorithm taking as an input a dataset of nn points from X\mathcal{X} and outputting a value in Y{\cal Y}. Let Z{\bm{Z}} be a random variable over Y{\cal Y}. For k>0k>0 and a dataset SS let βS=min{β  Dβ(A(S)Z)k}\beta_{S}=\min\{\beta\ |\ D_{\infty}^{\beta}({\cal A}(S)\|{\bm{Z}})\leq k\}. There exists an algorithm A{\cal A}^{\prime} that given SXnS\in\mathcal{X}^{n}, β,k\beta,k and any β>0\beta^{\prime}>0,

the output of A{\cal A}^{\prime} has randomized description length k+logln(1/β)k+\log\ln(1/\beta^{\prime}).

for every SS, Δ(A(S),A(S))βS+β\Delta({\cal A}^{\prime}(S),{\cal A}(S))\leq\beta_{S}+\beta^{\prime}.

Let SS denote the input dataset. By definition of βS\beta_{S}, DβS(A(S)Z)kD_{\infty}^{\beta_{S}}({\cal A}(S)\|{\bm{Z}})\leq k. By the properties of approximate divergence (e.g.[DR14]), DβS(A(S)Z)kD_{\infty}^{\beta_{S}}({\cal A}(S)\|{\bm{Z}})\leq k implies that there exists a random variable Y{\bm{Y}} such that Δ(A(S),Y)βS\Delta({\cal A}(S),{\bm{Y}})\leq\beta_{S} and D(YZ)kD_{\infty}({\bm{Y}}\|{\bm{Z}})\leq k.

We first note that by the definition of this algorithm its output has randomized description length logt=k+logln(1/β)\log t=k+\log\ln(1/\beta^{\prime}). Let TT denote the event that at least one of the samples was accepted. Conditioned on this event the output of A(S){\cal A}^{\prime}(S) is distributed according to Y{\bm{Y}}. For each ii,

This means that the probability that none of tt samples will be accepted is (12k)tet/2kβ(1-2^{-k})^{t}\leq e^{t/2^{k}}\leq\beta^{\prime}. Therefore Δ(A(S),Y)β\Delta({\cal A}^{\prime}(S),{\bm{Y}})\leq\beta^{\prime} and, consequently, Δ(A(S),A(S))βS+β\Delta({\cal A}^{\prime}(S),{\cal A}(S))\leq\beta_{S}+\beta^{\prime}. ∎

We can now use Lemma 31 to show that if for a certain random choice of a dataset S{\bm{S}}, the output of A{\cal A} has low approximate max-information then there exists an algorithm A{\cal A}^{\prime} whose output on S{\bm{S}} has low randomized description length and is statistically close to the output distribution of A{\cal A}.

Let S{\bm{S}} be a random dataset in Xn\mathcal{X}^{n} and A{\cal A} be an algorithm taking as an input a dataset in Xn\mathcal{X}^{n} and having a range Y{\cal Y}. Assume that for some β0\beta\geq 0, Iβ(S;A(S))=kI_{\infty}^{\beta}({\bm{S}};{\cal A}({\bm{S}}))=k. For any β>0\beta^{\prime}>0, there exists an algorithm A{\cal A}^{\prime} taking as an input a dataset in Xn\mathcal{X}^{n} such that

the output of A{\cal A}^{\prime} has randomized description length k+logln(1/β)k+\log\ln(1/\beta^{\prime});

Δ((S,A(S)),(S,A(S))β+β\Delta(({\bm{S}},{\cal A}^{\prime}({\bm{S}})),({\bm{S}},{\cal A}({\bm{S}}))\leq\beta+\beta^{\prime}.

It is important to note that Theorem 32 is not the converse of Theorem 30 and does not imply equivalence between max-information and randomized description length. The primary difference is that Theorem 32 defines a new algorithm rather than arguing about the original algorithm. In addition, the new algorithm requires samples of A(S){\cal A}({\bm{S}}), that is, it needs to know the marginal distribution on Y{\cal Y}. As a more concrete example, Theorem 32 does not allow us to obtain a description-length-based equivalent of Theorem 20 for all i.i.d. datasets. On the other hand, any algorithm that has bounded max-information for all distributions over datasets can be converted to an algorithm with low randomized description length.

Let A{\cal A} be an algorithm over Xn\mathcal{X}^{n} with range Y{\cal Y} and let k=I(A,n)k=I_{\infty}({\cal A},n). For any β>0\beta>0, there exists an algorithm A{\cal A}^{\prime} taking as an input a dataset in Xn\mathcal{X}^{n} such that

the output of A{\cal A}^{\prime} has randomized description length k+logln(1/β)k+\log\ln(1/\beta);

for every dataset SXnS\in\mathcal{X}^{n}, Δ(A(S),A(S))β\Delta({\cal A}^{\prime}(S),{\cal A}(S))\leq\beta.

Let S0=(x,x,,x)S_{0}=(x,x,\ldots,x) be an nn-element dataset for an arbitrary xXx\in\mathcal{X}. By Lemma 3 we know that for every SXnS\in\mathcal{X}^{n}, D(A(S)A(S0))kD_{\infty}({\cal A}(S)\|{\cal A}(S_{0}))\leq k. We can now apply Lemma 31 with Z=A(S0){\bm{Z}}={\cal A}(S_{0}), and β=β\beta^{\prime}=\beta to obtain the result. ∎

The conditions of Theorem 33 are satisfied by any ε\varepsilon-differentially private algorithm with k=logeεnk=\log e\cdot\varepsilon n. This immediately implies that the output of any ε\varepsilon-differentially private algorithm is β\beta-statistically close to the output of an algorithm with randomized description length of logeεn+logln(1/β)\log e\cdot\varepsilon n+\log\ln(1/\beta). Special cases of this property have been derived (using a technique similar to Lemma 31) in the context of proving lower bounds for learning algorithms [BNS13] and communication complexity of differentially private protocols [MMP+10].

Appendix B Answering Queries via Description Length Bounds

In this section, we show a simple method for answering any adaptively chosen sequence of mm statistical queries, using a number of samples that scales only polylogarithmically in mm. This is an exponential improvement over what would be possible by naively evaluating the queries exactly on the given samples. Algorithms that achieve such dependence were given in [DFH+14] and [BSSU15] using differentially private algorithms for answering queries and the connection between generalization and differential privacy (in the same way as we do in Section 4.1). Here we give a simpler algorithm which we analyze using description length bounds. The resulting bounds are comparable to those achieved in [DFH+14] using pure differential privacy but are somewhat weaker than those achieved using approximate differential privacy [DFH+14, BSSU15, NS15].

The mechanism we give here is based on the Median Mechanism of Roth and Roughgarden [RR10]. A differentially private variant of this mechanism was introduced in [RR10] to show that it was possible to answer exponentially many adaptively chosen counting queries (these are queries for an estimate of the empirical mean of a function ϕ:X\phi:\mathcal{X}\rightarrow on the dataset). Here we analyze a noise-free version and establish its properties via a simple description length-based argument. We remark that it is possible to analogously define and analyze the noise-free version of the Private Multiplicative Weights Mechanism of Hardt and Rothblum [HardtR10]. This somewhat more involved approach would lead to better (but qualitatively similar) bounds.

Recall that statistical queries are defined by functions ϕ:X\phi:\mathcal{X}\rightarrow, and our goal is to correctly estimate their expectation P[ϕ]\mathcal{P}[\phi]. The Median Mechanism takes as input a dataset SS and an adaptively chosen sequence of such functions ϕ1,,ϕm\phi_{1},\ldots,\phi_{m}, and outputs a sequence of answers a1,,ama_{1},\ldots,a_{m}.

The guarantee we get for the Median Mechanism is as follows:

Let β,τ>0\beta,\tau>0 and mB>0m\geq B>0. Let S{\bm{S}} denote a dataset of size nn drawn i.i.d. from a distribution P\mathcal{P} over X\mathcal{X}. Consider any algorithm that adaptively chooses functions ϕ1,,ϕm{\bm{\phi}}_{1},\dots,{\bm{\phi}}_{m} while interacting with the Median Mechanism which is given S{\bm{S}} and values τ\tau, β\beta. For every i[m]i\in[m], let ai{\bm{a}}_{i} denote the answer of the Median Mechanism on function ϕi:X{\bm{\phi}}_{i}:\mathcal{X}\rightarrow. Then

We begin with a simple lemma which informally states that for every distribution P\mathcal{P}, and for every set of mm functions ϕ1,,ϕm\phi_{1},\ldots,\phi_{m}, there exists a small dataset that approximately encodes the answers to each of the corresponding statistical queries.

For every dataset SS over X\mathcal{X}, any set C={ϕ1,,ϕm}C=\{\phi_{1},\ldots,\phi_{m}\} of mm functions ϕi:X\phi_{i}:\mathcal{X}\rightarrow, and any α\alpha\in, there exists a data set SXtS^{\prime}\in\mathcal{X}^{t} of size t=logmα2t=\frac{\log m}{\alpha^{2}} such that:

Next, we observe that by construction, the Median Mechanism (as presented in Figure 5) always returns answers that are close to the empirical means of respective query functions.

For every sequence of queries ϕ1,,ϕm\phi_{1},\ldots,\phi_{m} and dataset SS given to the Median Mechanism, we have that for every ii:

Finally, we give a simple lemma from [RR10] that shows that the Median Mechanism only returns answers computed using the dataset SS in a small number of rounds – for any other round ii, the answer returned is computed from the set Consistenti1\textrm{Consistent}_{i-1}.

For every sequence of queries ϕ1,,ϕm\phi_{1},\ldots,\phi_{m} and a dataset SS given to the Median Mechanism:

We simply note several facts. First, by construction, Consistent0=Xlogm/α2|\textrm{Consistent}_{0}|=\left|\mathcal{X}\right|^{\log m/\alpha^{2}}. Second, by Lemma 35, for every ii, Consistenti1|\textrm{Consistent}_{i}|\geq 1 (because for every set of mm queries, there is at least one dataset SS^{\prime} of size logm/α2\log m/\alpha^{2} that is consistent up to error α\alpha with SS on every query asked, and hence is never removed from Consistenti\textrm{Consistent}_{i} on any round). Finally, by construction, on any round ii such that aiaipuba_{i}\neq a^{\textrm{pub}}_{i}, we have Consistenti12Consistenti1|\textrm{Consistent}_{i}|\leq\frac{1}{2}\cdot|\textrm{Consistent}_{i-1}| (because on any such round, the median dataset SS^{\prime} – and hence at least half of the datasets in Consistenti1\textrm{Consistent}_{i-1} were inconsistent with the answer given, and hence removed.) The lemma follows from the fact that there can therefore be at most log(Xlogm/α2)\log\left(\left|\mathcal{X}\right|^{\log m/\alpha^{2}}\right) many such rounds. ∎

Our analysis proceeds by viewing the interaction between the data analyst and the Median Mechanism (Fig. 5) as a single algorithm A{\cal A}. A{\cal A} takes as input a dataset SS and outputs a set of queries and answers A(S)={ϕi,ai}i=1m{\cal A}(S)=\{\phi_{i},a_{i}\}_{i=1}^{m}. We will show that A{\cal A}’s output has short randomized description length (the data analyst is a possibly randomized algorithm and hence A{\cal A} might be randomized).

Algorithm A{\cal A} has randomized description length of at most

We observe that for every fixing of the random bits of the data analyst the entire sequence of queries asked by the analyst, together with the answers he receives, can be reconstructed from a record of the indices ii of the queries ϕi\phi_{i} such that aiaipuba_{i}\neq a^{\textrm{pub}}_{i}, together with their answers aia_{i} (i.e. it is sufficient to encode M:={(i,ai)  aiaipub}M:=\{(i,a_{i})\ |\ a_{i}\neq a^{\textrm{pub}}_{i}\}. Once this is established, the lemma follows because by Lemma 37, there are at most (logXlogmα2)\left(\frac{\log|\mathcal{X}|\log m}{\alpha^{2}}\right) such queries, and for each one, its index can be encoded with logm\log m bits, and its answer with log1α\log\frac{1}{\alpha} bits.

To see why this is so, consider the following procedure for reconstructing the sequence (ϕ1,a1,,ϕm,am)(\phi_{1},a_{1},\ldots,\phi_{m},a_{m}) of queries asked and answers received. For every fixing of the random bits of the data analyst, her queries can be expressed as a sequence of functions (f1,,fm)(f_{1},\ldots,f_{m}) that take as input the queries previously asked to the Median Mechanism, and the answers previously received, and output the next query to be asked. That is, we have:

Finally, we can complete the proof. By Hoeffding’s concentration inequality and the union bound we know that for any every sequence of queries ϕ1,,ϕm\phi_{1},\ldots,\phi_{m} and a dataset S{\bm{S}} of size nn drawn from the distribution Pn\mathcal{P}^{n}:

Applying Theorem 29 to the set R(ϕ1,a1,,ϕm,am)={S  i, ES[ϕi]P[ϕi]α}R(\phi_{1},a_{1},\ldots,\phi_{m},a_{m})=\{S\ |\ \exists i,\ \left|{\cal E}_{S}[\phi_{i}]-\mathcal{P}[\phi_{i}]\right|\geq\alpha\} we obtain that for the queries ϕ1,,ϕm{\bm{\phi}}_{1},\ldots,{\bm{\phi}}_{m} generated on the dataset S{\bm{S}} and corresponding answers of the Median Mechanism a1,,am{\bm{a}}_{1},\ldots,{\bm{a}}_{m} we have

Plugging in τ=3α\tau=3\alpha gives the theorem. ∎