Concentrated Differential Privacy: Simplifications, Extensions, and Lower Bounds

Introduction

Differential privacy [DMNS06] is a formal mathematical standard for protecting individual-level privacy in statistical data analysis. In its simplest form, (pure) differential privacy is parameterized by a real number $\varepsilon>0$, which controls how much “privacy loss”The privacy loss is a random variable which quantifies how much information is revealed about an individual by a computation involving their data; it depends on the outcome of the computation, the way the computation was performed, and the information that the individual wants to hide. We discuss it informally in this introduction and define it precisely in Definition 1.2 on page 1.2. an individual can suffer when a computation (i.e., a statistical data analysis task) is performed involving his or her data.

One particular hallmark of differential privacy is that it degrades smoothly and predictably under the composition of multiple computations. In particular, if one performs $k$ computational tasks that are each $\varepsilon$-differentially private and combines the results of those tasks, then the computation as a whole is $k\varepsilon$-differentially private. This property makes differential privacy amenable to the type of modular reasoning used in the design and analysis of algorithms: When a sophisticated algorithm is comprised of a sequence of differentially private steps, one can establish that the algorithm as a whole remains differentially private.

A widely-used relaxation of pure differential privacy is approximate or $(\varepsilon,\delta)$-differential privacy [DKM+06], which essentially guarantees that the probability that any individual suffers privacy loss exceeding $\varepsilon$ is bounded by $\delta$. For sufficiently small $\delta$, approximate $(\varepsilon,\delta)$-differential privacy provides a comparable standard of privacy protection as pure $\varepsilon$-differential privacy, while often permitting substantially more useful analyses to be performed.

Unfortunately, there are situations where, unlike pure differential privacy, approximate differential privacy is not a very elegant abstraction for mathematical analysis, particularly the analysis of composition. The “advanced composition theorem” of Dwork, Rothblum, and Vadhan [DRV10] (subsequently improved by [KOV15, MV16]) shows that the composition of $k$ tasks which are each $(\varepsilon,\delta)$-differentially private is $(\approx\!\!\sqrt{k}\varepsilon,\approx\!\!k\delta)$-differentially private. However, these bounds can be unwieldy; computing the tightest possible privacy guarantee for the composition of $k$ arbitrary mechanisms with differing $(\varepsilon_{i},\delta_{i})$-differential privacy guarantees is $\#\mathsf{P}$-hard [MV16]! Furthermore, these bounds are not tight even for simple and natural privacy-preserving computations. For instance, consider the mechanism which approximately answers $k$ statistical queries on a given database by adding independent Gaussian noise to each answer. Even for this basic computation, the advanced composition theorem does not yield a tight analysis.In particular, consider answering $k$ statistical queries on a dataset of $n$ individuals by adding noise drawn from $\mathcal{N}(0,(\sigma/n)^{2})$ independently for each query. Each individual query satisfies $(O(\sqrt{\log(1/\delta)}/\sigma),\delta)$-differential privacy for any $\delta>0$. Applying the advanced composition theorem shows that the composition of all $k$ queries satisfies $(O(\sqrt{k}\log(1/\delta)/\sigma),(k+1)\delta)$-differential privacy for any $\delta>0$. However, it is well-known that this bound can be improved to $(O(\sqrt{k\log(1/\delta)}/\sigma),\delta)$-differential privacy.

Dwork and Rothblum [DR16] recently put forth a different relaxation of differential privacy called concentrated differential privacy. Roughly, a randomized mechanism satisfies concentrated differentially privacy if the privacy loss has small mean and is subgaussian. Concentrated differential privacy behaves in a qualitatively similar way as approximate $(\varepsilon,\delta)$-differential privacy under composition. However, it permits sharper analyses of basic computational tasks, including a tight analysis of the aforementioned Gaussian mechanism.

Using the work of Dwork and Rothblum [DR16] as a starting point, we introduce an alternative formulation of the concept of concentrated differential privacy that we call “zero-concentrated differential privacy” (zCDP for short). To distinguish our definition from that of Dwork and Rothblum, we refer to their definition as “mean-concentrated differential privacy” (mCDP for short). Our definition uses the Rényi divergence between probability distributions as a different method of capturing the requirement that the privacy loss random variable is subgaussian.

As is typical in the literature, we model a dataset as a multiset or tuple of $n$ elements (or “rows”) in $\mathcal{X}^{n}$, for some “data universe” $\mathcal{X}$, where each element represents one individual’s information. A (privacy-preserving) computation is a randomized algorithm $M:\mathcal{X}^{n}\to\mathcal{Y}$, where $\mathcal{Y}$ represents the space of all possible outcomes of the computation.

A randomised mechanism $M:\mathcal{X}^{n}\to\mathcal{Y}$ is $(\xi,\rho)$-zero-concentrated differentially private (henceforth $(\xi,\rho)$-zCDP) if, for all $x,x^{\prime}\in\mathcal{X}^{n}$ differing on a single entry and all $\alpha\in(1,\infty)$,

We define $\rho$-zCDP to be $(0,\rho)$-zCDP.For clarity of exposition, we consider only $\rho$-zCDP in the introduction and give more general statements for $(\xi,\rho)$-zCDP later. We also believe that having a one-parameter definition is desirable.

where $Z=\mathsf{PrivLoss}\left(M(x)\middle\|M(x^{\prime})\right)$ is the privacy loss random variable:

Intuitively, the value of the privacy loss $Z=\mathsf{PrivLoss}\left(M(x)\middle\|M(x^{\prime})\right)$ represents how well we can distinguish $x$ from $x^{\prime}$ given only the output $M(x)$ or $M(x^{\prime})$. If $Z>0$, then the observed output of $M$ is more likely to have occurred if the input was $x$ than if $x^{\prime}$ was the input. Moreover, the larger $Z$ is, the bigger this likelihood ratio is. Likewise, $Z<0$ indicates that the output is more likely if $x^{\prime}$ is the input. If $Z=0$, both $x$ and $x^{\prime}$ “explain” the output of $M$ equally well.

for all $\lambda>0$.We only discuss bounds on the upper tail of $Z$. We can obtain similar bounds on the lower tail of $Z=\mathsf{PrivLoss}\left(M(x)\middle\|M(x^{\prime})\right)$ by considering $Z^{\prime}=\mathsf{PrivLoss}\left(M(x^{\prime})\middle\|M(x)\right)$.

Thus zCDP requires that the privacy loss random variable is concentrated around zero (hence the name). That is, $Z$ is “small” with high probability, with larger deviations from zero becoming increasingly unlikely. Hence we are unlikely to be able to distinguish $x$ from $x^{\prime}$ given the output of $M(x)$ or $M(x^{\prime})$. Note that the randomness of the privacy loss random variable is taken only over the randomnesss of the mechanism $M$.

For comparison, Dwork and Rothblum [DR16] define $(\mu,\tau)$-concentrated differential privacy for a randomized mechanism $M:\mathcal{X}^{n}\to\mathcal{Y}$ as the requirement that, if $Z=\mathsf{PrivLoss}\left(M(x)\middle\|M(x^{\prime})\right)$ is the privacy loss for $x,x^{\prime}\in\mathcal{X}^{n}$ differing on one entry, then

Our definition, zCDP, is a relaxation of mCDP. In particular, a $(\mu,\tau)$-mCDP mechanism is also $(\mu-\tau^{2}/2,\tau^{2}/2)$-zCDP (which is tight for the Gaussian mechanism example), whereas the converse is not true. (However, a partial converse holds; see Lemma 4.3.)

2 Results

Like Dwork and Rothblum’s formulation of concentrated differential privacy, zCDP can be thought of as providing guarantees of $(\varepsilon,\delta)$-differential privacy for all values of $\delta>0$:

If $M$ provides $\rho$-zCDP, then $M$ is $(\rho+2\sqrt{\rho\log(1/\delta)},\delta)$-differentially private for any $\delta>0$.

We also prove a slight strengthening of this result (Lemma 3.6). Moreover, there is a partial converse, which shows that, up to a loss in parameters, zCDP is equivalent to differential privacy with this $\forall\delta>0$ quantification (see Lemma 3.7).

There is also a direct link from pure differential privacy to zCDP:

If $M$ satisfies $\varepsilon$-differential privacy, then $M$ satisfies $(\frac{1}{2}\varepsilon^{2})$-zCDP.

Dwork and Rothblum [DR16, Theorem 3.5] give a slightly weaker version of Proposition 1.4, which implies that $\varepsilon$-differential privacy yields $(\frac{1}{2}\varepsilon(e^{\varepsilon}-1))$-zCDP; this improves on an earlier bound [DRV10] by the factor $\frac{1}{2}$.

We give proofs of these and other properties using properties of Rényi divergence in Sections 2 and 3.

Propositions 1.3 and 1.4 show that zCDP is an intermediate notion between pure differential privacy and approximate differential privacy. Indeed, many algorithms satisfying approximate differential privacy do in fact also satisfy zCDP.

2.2 Gaussian Mechanism

Just as with mCDP, the prototypical example of a mechanism satisfying zCDP is the Gaussian mechanism, which answers a real-valued query on a database by perturbing the true answer with Gaussian noise.

We remark that either inequality defining zCDP — (1) or (2) — is exactly tight for the Gaussian mechanism for all values of $\alpha$. Thus the definition of zCDP seems tailored to the Gaussian mechanism.

2.3 Basic Properties of zCDP

Our definition of zCDP satisfies the key basic properties of differential privacy. Foremost, these properties include smooth degradation under composition, and invariance under postprocessing:

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ and $M^{\prime}:\mathcal{X}^{n}\to\mathcal{Z}$ be randomized algorithms. Suppose $M$ satisfies $\rho$-zCDP and $M^{\prime}$ satisfies $\rho^{\prime}$-zCDP. Define $M^{\prime\prime}:\mathcal{X}^{n}\to\mathcal{Y}\times\mathcal{Z}$ by $M^{\prime\prime}(x)=(M(x),M^{\prime}(x))$. Then $M^{\prime\prime}$ satisfies $(\rho+\rho^{\prime})$-zCDP.

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ and $f:\mathcal{Y}\to\mathcal{Z}$ be randomized algorithms. Suppose $M$ satisfies $\rho$-zCDP. Define $M^{\prime}:\mathcal{X}^{n}\to\mathcal{Z}$ by $M^{\prime}(x)=f(M(x))$. Then $M^{\prime}$ satisfies $\rho$-zCDP.

These properties follow immediately from corresponding properties of the Rényi divergence outlined in Lemma 2.2.

We remark that Dwork and Rothblum’s definition of mCDP is not closed under postprocessing; we provide a counterexample in Appendix A. (However, an arbitrary amount of postprocessing can worsen the guarantees of mCDP by at most constant factors.)

2.4 Group Privacy

A mechanism $M$ guarantees group privacy if no small group of individuals has a significant effect on the outcome of a computation (whereas the definition of zCDP only refers to individuals, which are groups of size $1$). That is, group privacy for groups of size $k$ guarantees that, if $x$ and $x^{\prime}$ are inputs differing on $k$ entries (rather than a single entry), then the outputs $M(x)$ and $M(x^{\prime})$ are close.

Dwork and Rothblum [DR16, Theorem 4.1] gave nearly tight bounds on the group privacy guarantees of concentrated differential privacy, showing that a $(\mu=\tau^{2}/2,\tau)$-concentrated differentially private mechanism affords $(k^{2}\mu\cdot(1+o(1)),k\tau\cdot(1+o(1)))$-concentrated differential privacy for groups of size $k=o(1/\tau)$. We are able to show a group privacy guarantee for zCDP that is exactly tight and works for a wider range of parameters:

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfy $\rho$-zCDP. Then $M$ guarantees $(k^{2}\rho)$-zCDP for groups of size $k$ — i.e. for every $x,x^{\prime}\in\mathcal{X}^{n}$ differing in up to $k$ entries and every $\alpha\in(1,\infty)$, we have

In particular, this bound is achieved (simultaneously for all values $\alpha$) by the Gaussian mechanism. Our proof is also simpler than that of Dwork and Rothblum; see Section 5.

2.5 Lower Bounds

The strong group privacy guarantees of zCDP yield, as an unfortunate consequence, strong lower bounds as well. We show that, as with pure differential privacy, zCDP is susceptible to information-based lower bounds, as well as to so-called packing arguments [HT10, MMP+10, De12]:

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfy $\rho$-zCDP. Let $X$ be a random variable on $\mathcal{X}^{n}$. Then

where $I(\cdot;\cdot)$ denotes the mutual information between the random variables (in nats, rather than bits). Furthermore, if the entries of $X$ are independent, then $I(X;M(X))\leq\rho\cdot n$.

Theorem 1.10 yields strong lower bounds for zCDP mechanisms, as we can construct distributions $X$ such that, for any accurate mechanism $M$, $M(X)$ reveals a lot of information about $X$ (i.e. $I(X;M(X))$ is large for any accurate $M$).

In particular, we obtain a strong separation between approximate differential privacy and zCDP. For example, we can show that releasing an accurate approximate histogram (or, equivalently, accurately answering all point queries) on a data domain of size $k$ requires an input with at least $n=\Theta(\sqrt{\log k})$ entries to satisfy zCDP. In contrast, under approximate differential privacy, $n$ can be independent of the domain size $k$ [BNS13]! In particular, our lower bounds show that “stability-based” techniques (such as those in the propose-test-release framework [DL09]) are not compatible with zCDP.

Our lower bound exploits the strong group privacy guarantee afforded by zCDP. Group privacy has been used to prove tight lower bounds for pure differential privacy [HT10, De12] and approximate differential privacy [SU15a]. These results highlight the fact that group privacy is often the limiting factor for private data analysis. For $(\varepsilon,\delta)$-differential privacy, group privacy becomes vacuous for groups of size $k=\Theta(\log(1/\delta)/\varepsilon)$. Indeed, stability-based techniques exploit precisely this breakdown in group privacy.

As a result of this strong lower bound, we show that any mechanism for answering statistical queries that satisfies zCDP can be converted into a mechanism satisfying pure differential privacy with only a quadratic blowup in its sample complexity. More precisely, the following theorem illustrates a more general result we prove in Section 7.

for all $x\in\mathcal{X}^{n}$. Then there exists $M^{\prime}:\mathcal{X}^{n^{\prime}}\to^{k}$ for $n^{\prime}=5n^{2}$ satisfying $\varepsilon$-differential privacy and

For some classes of queries, this reduction is essentially tight. For example, for $k$ one-way marginals, the Gaussian mechanism achieves sample complexity $n=\Theta(\sqrt{k})$ subject to zCDP, whereas the Laplace mechanism achieves sample complexity $n=\Theta(k)$ subject to pure differential privacy, which is known to be optimal.

2.6 Approximate zCDP

To circumvent these strong lower bounds for zCDP, we consider a relaxation of zCDP in the spirit of approximate differential privacy that permits a small probability $\delta$ of (catastrophic) failure:

where $M(x)|_{E}$ denotes the distribution of $M(x)$ conditioned on the event $E$. We further define $\delta$-approximate $\rho$-zCDP to be $\delta$-approximate $(0,\rho)$-zCDP.

In particular, setting $\delta=0$ gives the original definition of zCDP. However, this definition unifies zCDP with approximate differential privacy:

If $M$ satisfies $(\varepsilon,\delta)$-differential privacy, then $M$ satisfies $\delta$-approximate $\frac{1}{2}\varepsilon^{2}$-zCDP.

Approximate zCDP retains most of the desirable properties of zCDP, but allows us to incorporate stability-based techniques and bypass the above lower bounds. This also presents a unified tool to analyse a composition of zCDP with approximate differential privacy; see Section 8.

3 Related Work

Our work builds on the aforementioned prior work of Dwork and Rothblum [DR16].Although Dwork and Rothblum’s work only appeared publicly in March 2016, they shared a preliminary draft of their paper with us before we commenced this work. As such, our ideas are heavily inspired by theirs. We view our definition of concentrated differential privacy as being “morally equivalent” to their definition of concentrated differential privacy, in the sense that both definitions formalize the same concept.We refer to our definition as “zero-concentrated differential privacy” (zCDP) and their definition as “mean-concentrated differential privacy” (mCDP). We use “concentrated differential privacy” (CDP) to refer to the underlying concept formalized by both definitions. (The formal relationship between the two definitions is discussed in Section 4.) However, the definition of zCDP generally seems to be easier to work with than that of mCDP. In particular, our formulation in terms of Rényi divergence simplifies many analyses.

Dwork and Rothblum prove several results about concentrated differential privacy that are similar to ours. Namely, they prove analogous properties of mCDP as we prove for zCDP (cf. Sections 1.2.1, 1.2.2, 1.2.3, and 1.2.4). However, as noted, some of their bounds are weaker than ours; also, they do not explore lower bounds.

Several of the ideas underlying concentrated differential privacy are implicit in earlier works. In particular, the proof of the advanced composition theorem of Dwork, Rothblum, and Vadhan [DRV10] essentially uses the ideas of concentrated differential privacy. Their proof contains analogs of Propositions 1.7, 1.3, and 1.4,.

We also remark that Tardos [Tar08] used Rényi divergence to prove lower bounds for cryptographic objects called fingerprinting codes. Fingerprinting codes turn out to be closely related to differential privacy [Ull13, BUV14, SU15b], and Tardos’ lower bound can be (loosely) viewed as a kind of privacy-preserving algorithm.

4 Further Work

We believe that concentrated differential privacy is a useful tool for analysing private computations, as it provides both simpler and tighter bounds. We hope that CDP will be prove useful in both the theory and practice of differential privacy.

Furthermore, our lower bounds show that CDP can really be a much more stringent condition than approximate differential privacy. Thus CDP defines a “subclass” of all $(\varepsilon,\delta)$-differentially private algorithms. This subclass includes most differentially private algorithms in the literature, but not all — the most notable exceptions being algorithms that use the propose-test-release approach [DL09] to exploit low local sensitivity.

This “CDP subclass” warrants further exploration. In particular, is there a “complete” mechanism for this class of algorithms, in the same sense that the exponential mechanism [MT07, BLR13] is complete for pure differential privacy? Can we obtain a simple characterization of the sample complexity needed to satisfy CDP? The ability to prove stronger and simpler lower bounds for CDP than for approximate DP may be useful for showing the limitations of certain algorithmic paradigms. For example, any differentially private algorithm that only uses the Laplace mechanism, the exponential mechanism, the Gaussian mechanism, and the “sparse vector” technique, along with composition and postprocessing will be subject to the lower bounds for CDP.

There is also room to examine how to interpret the zCDP privacy guarantee. In particular, we leave it as an open question to understand the extent to which $\rho$-zCDP provides a stronger privacy guarantee than the implied $(\varepsilon,\delta)$-DP guarantees (cf. Proposition 1.3).

In general, much of the literature on differential privacy can be re-examined through the lens of CDP, which may yield new insights and results.

Rényi Divergence

Recall the definition of Rényi divergence:

Let $P$ and $Q$ be probability distributions on $\Omega$. For $\alpha\in(1,\infty)$, we define the Rényi divergence of order $\alpha$ between $P$ and $Q$ as

Alternatively, Rényi divergence can be defined in terms of the privacy loss (Definition 1.2) between $P$ and $Q$:

We record several useful and well-known properties of Rényi divergence. We refer the reader to [vEH14] for proofs and discussion of these (and many other) properties. Self-contained proofs are given in Appendix B.1.

Let $P$ and $Q$ be probability distributions and $\alpha\in[1,\infty]$.

Composition: Suppose $P$ and $Q$ are distributions on $\Omega\times\Theta$. Let $P^{\prime}$ and $Q^{\prime}$ denote the marginal distributions on $\Omega$ induced by $P$ and $Q$ respectively. For $x\in\Omega$, let $P^{\prime}_{x}$ and $Q^{\prime}_{x}$ denote the conditional distributions on $\Theta$ induced by $P$ and $Q$ respectively, where $x$ specifies the first coordinate. Then

In particular if $P$ and $Q$ are product distributions, then the Rényi divergence between $P$ and $Q$ is just the sum of the Rényi divergences of the marginals.

Note that quasi-convexity allows us to extend this guarantee to the case where $f$ is a randomized mapping.

The following lemma gives the postprocessing and (adaptive) composition bounds (extending Lemmas 1.7 and 1.8).

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ and $M^{\prime}:\mathcal{X}^{n}\times\mathcal{Y}\to\mathcal{Z}$. Suppose $M$ satisfies $(\xi,\rho)$-zCDP and $M^{\prime}$ satisfies $(\xi^{\prime},\rho^{\prime})$-zCDP (as a function of its first argument). Define $M^{\prime\prime}:\mathcal{X}^{n}\to\mathcal{Z}$ by $M^{\prime\prime}(x)=M^{\prime}(x,M(x))$. Then $M^{\prime\prime}$ satisfies $(\xi+\xi^{\prime},\rho+\rho^{\prime})$-zCDP.

The proof is immediate from Lemma 2.2. Note that, while Lemma 2.3 is only stated for the composition of two mechanisms, it can be inductively applied to analyse the composition of arbitrarily many mechanisms.

2 Gaussian Mechanism

The following lemma gives the Rényi divergence between two Gaussian distributions with the same variance.

Consequently, the Gaussian mechanism, which answers a sensitivity-$\Delta$ query by adding noise drawn from $\mathcal{N}(0,\sigma^{2})$, satisfies $\left(\frac{\Delta^{2}}{2\sigma^{2}}\right)$-zCDP (Proposition 1.6).

For the multivariate Gaussian mechanism, Lemma 2.4 generalises to the following.

Relation to Differential Privacy

We now discuss the relationship between zCDP and the traditional definitions of pure and approximate differential privacy. There is a close relationship between the notions, but not an exact characterization.

For completeness, we state the definition of differential privacy:

A randomized mechanism $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $(\varepsilon,\delta)$-differential privacy if, for all $x,x^{\prime}\in\mathcal{X}$ differing in a single entry, we have

for all (measurable) $S\subset\mathcal{Y}$. Further define $\varepsilon$-differential privacy to be $(\varepsilon,0)$-differential privacy.

Pure differential privacy is exactly characterized by $(\xi,0)$-zCDP:

A mechanism $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $\varepsilon$-DP if and only if it satisfies $(\varepsilon,0)$-zCDP.

for all $\alpha$. So $M$ satisfies $(\varepsilon,0)$-zCDP. Conversely, suppose $M$ satisfies $(\varepsilon,0)$-zCDP. Then

We now show that $\varepsilon$-differential privacy implies $(\frac{1}{2}\varepsilon^{2})$-zCDP (Proposition 1.4).

We may assume $\frac{1}{2}\varepsilon\alpha\leq 1$, as otherwise $\frac{1}{2}\varepsilon^{2}\alpha>\varepsilon$, whence the result follows from monotonicity. We must show that

The result now follows from the following inequality, which is proved in Lemma B.1.

2 Approximate DP versus zCDP

The statements in this section show that, up to some loss in parameters, zCDP is equivalent to a family of $(\varepsilon,\delta)$-DP guarantees for all $\delta>0$.

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfy $(\xi,\rho)$-zCDP. Then $M$ satisfies $(\varepsilon,\delta)$-DP for all $\delta>0$ and

Thus to achieve a given $(\varepsilon,\delta)$-DP guarantee it suffices to satisfy $(\xi,\rho)$-zCDP with

Choosing $\alpha=(\varepsilon-\xi+\rho)/2\rho>1$ gives

Now, for any measurable $S\subset\mathcal{Y}$,

Lemma 3.5 is not tight. In particular, we have the following refinement of Lemma 3.5, the proof of which is deferred to the appendix (Lemma B.2).

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfy $(\xi,\rho)$-zCDP. Then $M$ satisfies $(\varepsilon,\delta)$-DP for all $\delta>0$ and

Alternatively $M$ satisfies $(\varepsilon,\delta)$-DP for all $\varepsilon\geq\xi+\rho$ and

Note that the last of three options in the minimum dominates the first two options. We have included the first two options as they are simpler.

Now we show a partial converse to Lemma 3.5, which is proved in the appendix (Lemma B.3).

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfy $(\varepsilon,\delta)$-DP for all $\delta>0$ and

for some constants $\hat{\xi},\hat{\rho}\in$. Then $M$ is $\left(\hat{\xi}-\frac{1}{4}\hat{\rho}+5\sqrt{\hat{\rho}},\frac{1}{4}\hat{\rho}\right)$-zCDP.

Thus zCDP and DP are equivalent up to a (potentially substantial) loss in parameters and the quantification over all $\delta$.

Zero- versus Mean-Concentrated Differential Privacy

We begin by stating the definition of mean-concentrated differential privacy:

A randomized mechanism $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $(\mu,\tau)$-mean-concentrated differential privacy if, for all $x,x^{\prime}\in\mathcal{X}^{n}$ differing in one entry, and letting $Z=\mathsf{PrivLoss}\left(M(x)\middle\|M(x^{\prime})\right)$, we have

If $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $(\mu,\tau)$-mCDP, then $M$ satisfies $(\mu-\tau^{2}/2,\tau^{2}/2)$-zCDP.

If $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $(\xi,\rho)$-zCDP, then $M$ satisfies $(\xi+\rho,O(\sqrt{\xi+2\rho}))$-mCDP.

The proof of Lemma 4.3 is deferred to the appendix.

Thus we can convert $(\mu,\tau)$-mCDP into $(\mu-\tau^{2}/2,\tau^{2}/2)$-zCDP and then back to $(\mu,O(\sqrt{\mu+\tau^{2}/2}))$-mCDP. This may result in a large loss in parameters, which is why, for example, pure DP can be characterised in terms of zCDP, but not in terms of mCDP.

We view zCDP as a relaxation of mCDP; mCDP requires the privacy loss to be “tightly” concentrated about its mean and that the mean is close to the origin. The triangle inequality then implies that the privacy loss is “weakly” concentrated about the origin. (The difference between “tightly” and “weakly” accounts for the use of the triangle inequality.) On the other hand, zCDP direcly requires that the privacy loss is weakly concentrated about the origin. That is to say, zCDP gives a subgaussian bound on the privacy loss that is centered at zero, whereas mCDP gives a subgaussian bound that is centered at the mean and separately bounds the mean.

There may be some advantage to the stronger requirement of mCDP, either in terms of what kind of privacy guarantee it affords, or how it can be used as an analytic tool. However, it seems that for most applications, we only need what zCDP provides.

Group Privacy

In this section we show that zCDP provides privacy protections to small groups of individuals.

We say that a mechanism $M:\mathcal{X}^{n}\to\mathcal{Y}$ provides $(\xi,\rho)$-zCDP for groups of size $k$ if, for every $x,x^{\prime}\in\mathcal{X}^{n}$ differing in at most $k$ entries, we have

The usual definition of zCDP only applies to groups of size $1$. Here we show that it implies bounds for all group sizes. We begin with a technical lemma.

Let $P$, $Q$, and $R$ be probability distributions. Then

Let $p=\frac{k\alpha-1}{\alpha(k-1)}$ and $q=\frac{k\alpha-1}{\alpha-1}$. Then $\frac{1}{p}+\frac{1}{q}=\frac{\alpha(k-1)+(\alpha-1)}{k\alpha-1}=1$. By Hölder’s inequality,

Now $p\alpha=\frac{k\alpha-1}{k-1}$, $q(\alpha-1)+1=k\alpha$, and

If $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $(\xi,\rho)$-zCDP, then $M$ gives $(\xi\cdot k\sum_{i=1}^{k}\frac{1}{i},\rho\cdot k^{2})$-zCDP for groups of size $k$.

Thus $(\xi,\rho)$-zCDP implies $(\xi\cdot O(k\log k),\rho\cdot k^{2})$-zCDP for groups of size $k$.

The Gaussian mechanism shows that $k^{2}\rho$ is the optimal dependence on $\rho$. However, $O(k\log k)\xi$ is not the optimal dependence on $\xi$: $(\xi,0)$-zCDP implies $(k\xi,0)$-zCDP for groups of size $k$.

We show this by induction on $k$. The statement is clearly true for groups of size $1$. We now assume the statement holds for groups of size $k-1$ and will verify it for groups of size $k$.

Let $x,x^{\prime}\in\mathcal{X}^{n}$ differ in $k$ entries. Let $\hat{x}\in\mathcal{X}^{n}$ be such that $x$ and $\hat{x}$ differ in $k-1$ entries and $x^{\prime}$ and $\hat{x}$ differ in one entry.

where the last inequality follows from the fact that $\frac{k\alpha}{k\alpha-1}$ is a decreasing function of $\alpha$ for $\alpha>1$. ∎

Lower Bounds

In this section we develop tools to prove lower bounds for zCDP. We will use group privacy to bound the mutual information between the input and the output of a mechanism satisfying zCDP. Thus, if we are able to construct a distribution on inputs such that any accurate mechanism must reveal a high amount of information about its input, we obtain a lower bound showing that no accurate mechanism satisfying zCDP can be accurate for this data distribution.

We begin with the simplest form of our mutual information bound, which is an analogue of the bound of [MMP+10] for pure differential privacy:

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfy $(\xi,\rho)$-zCDP. Let $X$ be a random variable in $\mathcal{X}^{n}$. Then

where $I$ denotes mutual information (measured in nats, rather than bits).

By Proposition 5.3, $M$ provides $(\xi\cdot n\sum_{i=1}^{n}\frac{1}{i},\rho\cdot n^{2})$-zCDP for groups of size $n$. Thus

for all $x,x^{\prime}\in\mathcal{X}^{n}$. Since KL-divergence is convex,

The reason this lower bound works is the strong group privacy guarantee — even for groups of size $n$, we obtain nontrivial privacy guarantees. While this is good for privacy it is bad for usefulness, as it implies that even information that is “global” (rather than specific to a individual or a small group) is protected. These lower bounds reinforce the connection between group privacy and lower bounds [HT10, De12, SU15a].

In contrast, $(\varepsilon,\delta)$-DP is not susceptible to such a lower bound because it gives a vacuous privacy guarantee for groups of size $k=O(\log(1/\delta)/\varepsilon)$. This helps explain the power of the propose-test-release paradigm.

Furthermore, we obtain even stronger mutual information bounds when the entries of the distribution are independent:

Let $M:\mathcal{X}^{m}\to\mathcal{Y}$ satisfy $(\xi,\rho)$-zCDP. Let $X$ be a random variable in $\mathcal{X}^{m}$ with independent entries. Then

where $I$ denotes mutual information (measured in nats, rather than bits).

First, by the chain rule for mutual information,

By zCDP, we know that for all $x\in\mathcal{X}^{i-1}$, $y,y^{\prime}\in\mathcal{X}$, and $z\in\mathcal{X}^{m-i}$, we have

for all $x$ and $y$. The result follows. ∎

More generally, we can combine dependent and independent entries as follows.

where $I$ denotes the mutual information (measured in nats, rather than bits).

By the chain rule for mutual information,

By (6) and the convexity of KL-divergence,

for all $x$ and $y$. The result follows. ∎

We informally discuss a few applications of our information-based lower bounds to some simple and well-studied problems in differential privacy.

Consider $M:\mathcal{X}^{n}\to\mathcal{Y}$ where $\mathcal{X}=\{0,1\}^{d}$ and $\mathcal{Y}=^{d}$. The goal of $M$ is to estimate the attribute means, or one-way marginals, of its input database $x$:

We now analyze what can be accomplished with zCDP. Adding independent noise drawn from $\mathcal{N}(0,d/2n^{2}\rho)$ to each of the $d$ coordinates of $\overline{x}$ satisfies $\rho$-zCDP. This gives accurate answers as long as $n\gg\sqrt{d/\rho}$.

For a lower bound, consider sampling $X_{1}\in\{0,1\}^{d}$ uniformly at random. Set $X_{i}=X_{1}$ for all $i\in[n]$. By Proposition 6.1,

for any $\rho$-zCDP $M:(\{0,1\}^{d})^{n}\to^{d}$. However, if $M$ is accurate, we can recover (most of) $X_{1}$ from $M(X)$, whence $I(X;M(X))\geq\Omega(d)$. This yields a lower bound of $n\geq\Omega(\sqrt{d/\rho})$, which is tight up to constant factors.

For $\varepsilon$-DP it is possible to do this if and only if $n=\Theta(\log(T)/\varepsilon))$; the optimal algorithm is to independently sample

However, for $(\varepsilon,\delta)$-DP, it is possible to attain sample complexity $n=O(\log(1/\delta)/\varepsilon)$ [BNS13, BNS16b, Theorem 3.13]. Interestingly, for zCDP we can show that $n=\Theta(\sqrt{\log(T)/\rho})$ is sufficient and necessary:

independently for $t\in[T]$ satisfies $\rho$-zCDP. Moreover,

On the other hand, if we sample $X_{1}\in[T]$ uniformly at random and set $X_{i}=X_{1}$ for all $i\in[n]$, then $I(X;M(X))\geq\Omega(\log T)$ for any accurate $M$, as we can recover $X_{1}$ from $M(X)$ if $M$ is accurate. Proposition 6.1 thus implies that $n\geq\Omega(\sqrt{\log(T)/\rho})$ is necessary to obtain accuracy.

This gives a strong separation between approximate DP and zCDP.

Consider $M:\{\pm 1\}^{n}\to\{\pm 1\}^{n}$ where the goal is to maximize $\langle x,M(x)\rangle$ subject to $\rho$-zCDP.

One solution is randomized response [War65]: Each output bit $i$ of $M$ is chosen independently with

Turning our attention to lower bounds: Let $X\in\{\pm 1\}^{n}$ be uniformly random. By Lemma 6.2, since the bits of $X$ are independent, we have $I(X;M(X))\leq\rho\cdot n$ for any $\rho$-zCDP $M$. However, if $M$ is accurate, we can recover part of $X$ from $M(X)$ [BSU16], whence $I(X;M(X))\geq\Omega(n)$.

Randomized response is a special case of the exponential mechanism [MT07, BLR13]. Consequently this can be interpreted as a lower bound for search problems.

The above examples can be easily discussed in terms of a more formal and quantitative definition of accuracy. In particular, we consider the histogram example again:

then $n\geq\Omega(\sqrt{\log(\alpha^{2}T)/\rho\alpha^{2}})$.

where $X=(X_{1},\cdots,X_{m})\in\mathcal{X}^{n}$. However,

for any functions $f$ and $g$, where $H$ is the entropy (in nats). In particular, we let

Clearly $H(X)=m\log T$. Furthermore, $H(X|f(X))\leq m\log m$, since $X$ can be specified by naming $m$ elements of $f(X)$, which is a set of at most $m$ elements.

then $g(M(X))$ contains exactly all the values in $X$ — i.e. $f(X)=g(M(X))$. By Markov’s inequality, (8) holds with probability at least $4/5$.

Now we can upper bound $H(f(X)|g(M(X)))$ by giving a scheme for specifying $f(X)$ given $g(M(X))$. If (8) holds, we simply need one bit to say so. If (8) does not hold, we need one bit to say this and $m\log_{2}T$ bits to describe $f(X)$. This gives

Combining this with (7) completes the proof. ∎

We remark that our lower bounds for zCDP can be converted to lower bounds for mCDP using Lemma 4.2.

Obtaining Pure DP Mechanisms from zCDP

We now establish limits on what more can be achieved with zCDP over pure differential privacy. In particular, we will prove that any mechanism satisfying zCDP can be converted into a mechanism satisfying pure DP with at most a quadratic blowup in sample complexity. Formally, we show the following theorem.

Assume $\xi\leq\alpha^{2}$, $\rho\leq\alpha^{2}$, and

for all $x\in\mathcal{X}^{n^{\prime}}$ and $\beta>0$.

Before discussing the proof of Theorem 7.1, we make some remarks about its statement:

If $\xi=0$, we have $n^{\prime}=O(n^{2}\rho/\varepsilon\alpha)$. So, if $\rho$, $\varepsilon$, and $\alpha$ are all constants, we have $n^{\prime}=O(n^{2})$. This justifies our informal statement that we can convert any mechanism satisfying zCDP into one satisfying pure DP with a quadratic blowup in sample complexity.

This example illustrates that the theorem is not tight in terms of $\alpha$; it loses a $1/\alpha^{2}$ factor here. However, the other parameters are tight.

The requirement that $\xi,\rho\leq\alpha^{2}$ is only used to show that

using Lemma 7.5. However, in many situations (9) holds even when $\xi,\rho\gg\alpha^{2}$. For example, if $n\geq O(\log(k)/\alpha^{2})$ or even $n\geq O(VC(q)/\alpha^{2})$ then (9) is automatically satisfied.

The technical condition (9) is needed to relate the part of the proof with inputs of size $n$ to the part with inputs of size $n^{\prime}$.

Thus we can restate Theorem 7.1 with the condition $\xi,\rho\leq\alpha^{2}$ replaced by (9). This would be more general, but also more mysterious.

Alas, the proof of Theorem 7.1 is not constructive. Rather than directly constructing a mechanism satisfying pure DP from any mechanism satisfying zCDP, we show the contrapositive statement: any lower bound for pure DP can be converted into a lower bound for zCDP. Pure DP is characterized by so-called packing lower bounds and the exponential mechanism.

We begin by giving a technical lemma showing that for any output space and any desired accuracy we have a “packing” and a “net:”

Let $(\mathcal{Y},d)$ be a metric space. Fix $\alpha>0$. Then there exists a countable $T\subset\mathcal{Y}$ such that both of the following hold.

(Net:) Either $T$ is infinite or for all $y^{\prime}\in\mathcal{Y}$ there exists $y\in T$ with $d(y,y^{\prime})\leq\alpha$.

(Packing:) For all $y,y^{\prime}\in T$, if $y\neq y^{\prime}$, then $d(y,y^{\prime})>\alpha$.

Consider the following procedure for producing $T$.

Initialize $A\leftarrow\mathcal{Y}$ and $T\leftarrow\emptyset$.

Update $A\leftarrow\{y^{\prime}\in A:d(y^{\prime},y)>\alpha\}$.

This procedure either terminates giving a finite $T$ or runs forever enumerating a countably infinite $T$.

(Net:) If $T$ is infinite, we immediately can dispense the first condition, so suppose the procedure terminates and $T$ is finite. Fix $y^{\prime}\in\mathcal{Y}$. Since the procedure terminates, $A=\emptyset$ at the end, which means $y^{\prime}$ was removed from $A$ at some point. This means some $y\in T$ was added such that $d(y^{\prime},y)\leq\alpha$, as required.

(Packing:) Fix $y\neq y^{\prime}\in T$. We assume, without loss of generality, that $y$ was added to $T$ before $y^{\prime}$. This means $y^{\prime}$ was not removed from $A$ when $y$ was added to $T$. In particular, this means $d(y^{\prime},y)>\alpha$. ∎

It is well-known that a net yields a pure DP algorithm:

for all $x\in\mathcal{X}^{n}$ and $\beta>0$.

The analysis can be found in [DR14, Theorems 3.10 and 3.11] and [BNS+16a, Lemma 7.1]. ∎

We also show that a packing yields a lower bound for zCDP:

Let $(\mathcal{Y},d)$ be a metric space and $q:\mathcal{X}^{n}\to\mathcal{Y}$ a function. Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ be a $(\xi,\rho)$-zCDP mechanism satisfying

for all $x\in\mathcal{X}^{n}$. Let $T\subset\mathcal{Y}$ be such that $d(y,y^{\prime})>\alpha$, for all $y,y^{\prime}\in T$ with $y\neq y^{\prime}$. Assume that for all $y\in T$ there exists $x\in\mathcal{X}^{n}$ with $q(x)=y$. Then

Let $q^{-1}:T\to\mathcal{X}^{n}$ be a function such that $q(q^{-1}(y))=y$ for all $y\in T$. Define $f:\mathcal{Y}\to T$ by

Let $Y$ be a uniformly random element of $T$ and let $X=q^{-1}(Y)$. By the data processing inequality and Proposition 6.1,

Clearly $H(Y)=\log|T|$ and $H(E|Z)\leq H(E)\leq\log 2$. Moreover,

The result now follows by combining inequalities. ∎

for all $x\in\mathcal{X}^{n}$. For all $n^{\prime}$,

The proof of Lemma 7.5 is deferred to the appendix.

Now we can combine Lemmas 7.2, 7.3, 7.4, and 7.5 to prove Theorem 7.1:

(Packing:) For all $y,y^{\prime}\in T$, if $y\neq y^{\prime}$, then $\|y-y^{\prime}\|>4\alpha$.

This gives an upper bound on $|T|$. In particular, $T$ must be finite.

for all $x\in\mathcal{X}^{n^{\prime}}$. For $x\in\mathcal{X}^{n^{\prime}}$, by the Net property and Lemma 7.5,

The theorem now follows by combining inequalities. ∎

Approximate zCDP

In the spirit of approximate DP, we propose a relaxation of zCDP:

A randomised mechanism $M:\mathcal{X}^{n}\to\mathcal{Y}$ is $\delta$-approximately $(\xi,\rho)$-zCDP if, for all $x,x^{\prime}\in\mathcal{X}^{n}$ differing on a single entry, there exist events $E=E(M(x))$ and $E^{\prime}=E^{\prime}(M(x^{\prime}))$ such that, for all $\alpha\in(1,\infty)$,

Clearly -approximate zCDP is simply zCDP. Hence we have a generalization of zCDP. As we will show later in this section, $\delta$-approximate $(\varepsilon,0)$-zCDP is equivalent to $(\varepsilon,\delta)$-DP. Thus we have also generalized approximate DP. Hence, this definition unifies both relaxations of pure DP.

Approximate zCDP is a three-parameter definition which allows us to capture many different aspects of differential privacy. However, three parameters is quite overwhelming. We believe that use of the one-parameter $\rho$-zCDP (or the two-parameter $\delta$-approximate $\rho$-zCDP if necessary) is sufficient for most purposes.

It is easy to verify that the definition of approximate zCDP satisfies the following basic properties.

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ and $M^{\prime}:\mathcal{X}^{n}\times\mathcal{Y}\to\mathcal{Z}$ be randomized algorithms. Suppose $M$ satisfies $\delta$-approximate $(\xi,\rho)$-zCDP and, for all $y\in\mathcal{Y}$, $M^{\prime}(\cdot,y):\mathcal{X}^{n}\to\mathcal{Z}$ satisfies $\delta^{\prime}$-approximate $(\xi^{\prime},\rho^{\prime})$-zCDP. Define $M^{\prime\prime}:\mathcal{X}^{n}\to\mathcal{Z}$ by $M^{\prime\prime}(x)=M^{\prime}(x,M(x))$. Then $M^{\prime\prime}$ satisfies $(\delta+\delta^{\prime}-\delta\cdot\delta^{\prime})$-approximate $(\xi+\xi^{\prime},\rho+\rho^{\prime})$-zCDP.

Suppose $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $\delta$-approximate $(\xi,0)$-zCDP. Then $M$ satisfies $\delta$-approximate $\xi$-zCDP and $\delta$-approximate $\frac{1}{2}\xi^{2}$-zCDP.

However, the strong group privacy guarantees of Section 5 no longer apply to approximate zCDP and, hence, the strong lower bounds of Section 6 also no longer hold. Circumventing these lower bounds is part of the motivation for considering approximate zCDP. However, approximate zCDP is not necessarily the only way to relax zCDP that circumvents our lower bounds:

Consider relaxing the definition of zCDP to only require the bound (1) or (2) to hold when $\alpha\leq m$:

This relaxed definition may also be able to circumvent the group privacy-based lower bounds, as our group privacy proof would no longer work for groups of size larger than $m$. We do not know what group privacy guarantees Definition 8.4 provides for groups of size $k\gg m$. This relaxed definition may be worth exploring, but is beyond the scope of our work.

We can convert approximate DP to approximate zCDP using the following lemma.

First we define a approximate DP version of the randomized response mechanism:

The above mechanism is “complete” for approximate DP:

If $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $(\varepsilon,\delta)$-DP, then $M$ satisfies $\delta$-approximate $(\varepsilon,0)$-zCDP, which, in turn, implies $\delta$-approximate $(0,\frac{1}{2}\varepsilon^{2})$-zCDP.

Fix neighbouring $x_{0},x_{1}\in\mathcal{X}^{n}$. Let $T:\{0,1\}\times\{\bot,\top\}\to\mathcal{Y}$ be as in Lemma 8.6.

for both $b\in\{0,1\}$ and all $\alpha\in(1,\infty)$. Thus we have satisfied the definition of $\delta$-approximate $(\varepsilon,0)$-zCDP.

Applying Proposition 3.3 shows that this also implies $\delta$-approximate $(0,\frac{1}{2}\varepsilon^{2})$-zCDP. ∎

2 Approximate zCDP Implies Approximate DP

Suppose $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $\delta$-approximate $(\xi,\rho)$-zCDP. If $\rho=0$, then $M$ satisfies $(\xi,\delta)$-DP. In general, $M$ satisfies $(\varepsilon,\delta+(1-\delta)\delta^{\prime})$-DP for all $\varepsilon\geq\xi+\rho$, where

which proves the first half of the lemma.

Secondly, by Lemma B.2 (cf. Lemma 3.5), for all $\varepsilon\geq\xi+\rho$,

3 Application of Approximate zCDP

Approximate zCDP subsumes approximate DP. A result of this is that we can apply our tightened lemmas to give a tighter version of the so-called advanced composition theorem [DRV10].

Note that the following results are subsumed by the bounds of Kairouz, Oh, and Viswanath [KOV15] and Murtagh and Vadhan [MV16]. However, these bounds may be extended to analyse the composition of mechanisms satisfying CDP with mechanisms satisfying approximate DP. We believe that such a “unified” analysis of composition will be useful.

Applying Corollary 8.7, Lemma 8.2, and Lemma 8.8 yields the following result.

Let $M_{1},\cdots,M_{k}:\mathcal{X}^{n}\to\mathcal{Y}$ and let $M:\mathcal{X}^{n}\to\mathcal{Y}^{k}$ be their composition. Suppose each $M_{i}$ satisfies $(\varepsilon_{i},\delta_{i})$-DP. Set $\rho=\frac{1}{2}\sum_{i}^{k}\varepsilon_{i}^{2}$. Then $M$ satisfies

Let $M_{1},\cdots,M_{k}:\mathcal{X}^{n}\to\mathcal{Y}$ and let $M:\mathcal{X}^{n}\to\mathcal{Y}^{k}$ be their composition. Suppose each $M_{i}$ satisfies $(\varepsilon_{i},\delta_{i})$-DP. Set $\varepsilon^{2}=\frac{1}{2}\sum_{i}^{k}\varepsilon_{i}^{2}$. Then $M$ satisfies

Finally, by picking the second term in the minimum and using $1-\prod_{i}(1-\delta_{i})\leq\sum_{i}\delta_{i}$, we have the following simpler form of the lemma.

Let $M_{1},\cdots,M_{k}:\mathcal{X}^{n}\to\mathcal{Y}$ and let $M:\mathcal{X}^{n}\to\mathcal{Y}^{k}$ be their composition. Suppose each $M_{i}$ satisfies $(\varepsilon_{i},\delta_{i})$-DP. Then $M$ satisfies

for all $\lambda\geq 0$. Alternatively $M$ satisfies

In comparison to the composition theorem of [DRV10], we save modestly by a constant factor in the first term and, in most cases $\sqrt{\pi/2}\|\varepsilon\|_{2}<1$, whence the logarithmic term is an improvement over the usual advanced composition theorem.

We thank Cynthia Dwork and Guy Rothblum for sharing a preliminary draft of their work with us. We also thank Ilya Mironov, Kobbi Nissim, Adam Smith, Salil Vadhan, and the Harvard Differential Privacy Research Group for helpful discussions and suggestions.

References

Appendix A Postprocessing and mCDP

In this appendix we give a family of counterexamples showing that mCDP is not closed under postprocessing (unlike zCDP).

We examine the mCDP guarantees of the postprocessed mechanism $M^{\prime}:\{-1,1\}\to\{-1,0,1\}$ defined by $M^{\prime}(x)=T(M(x))$:

Let $\sigma\geq 1$ and let $t\geq 6\sigma^{3}+1$. Then while the mechanism $M$ is $(2/\sigma^{2},2/\sigma)$-mCDP, the postprocessed mechanism $M^{\prime}$ is not $(2/\sigma^{2},2/\sigma)$-mCDP.

Note that $p>q$. Hence, for each $x\in\{-1,1\}$,

Now consider the privacy loss random variable $Z=\mathsf{PrivLoss}\left(M(1)\middle\|M(-1)\right)=f(M(1))$. Then $Z$ is distributed according to

The values $p,q$ satisfy the following inequalities:

$\sqrt{\frac{1}{2\pi}}\cdot\frac{\sigma}{t+\sigma-1}\cdot e^{-(t-1)^{2}/2\sigma^{2}}\leq p\leq\sqrt{\frac{1}{2\pi}}\cdot\frac{\sigma}{t-1}\cdot e^{-(t-1)^{2}/2\sigma^{2}}$

The first part now follows from the fact that $\sigma\leq t-1$.

To establish the second inequality, we write

Now set $\lambda=\frac{t}{2}$. Then this quantity becomes

The expression $\exp((t-1)/2\sigma^{2})/2t$ is monotone increasing for $t\geq 2\sigma^{2}$. Thus, it is strictly larger than $\sqrt{2\pi}$ as long as $t\geq 6\sigma^{3}+1$. ∎

Appendix B Miscellaneous Proofs and Lemmata

This technical lemma may be “verified” numerically by inspecting a plot of $z=e^{\frac{1}{2}xy}\cdot\sinh(x-y)-(\sinh(x)-\sinh(y))$ for $(x,y)\in^{2}$.

For intuition, consider the third-order Taylor approximation to $\sinh(x)$ about :

Unfortunately, turning this intuition into an actual proof is quite involved. We instead provide a proof from [hh]:

We need the following hyperbolic trigonometric identities.

We also use the fact that $0\leq\tanh(z)<\min\{z,1\}$ for all $z>0$. Thus

where $t=\tanh\left(\frac{x}{2}\right)\tanh\left(\frac{y}{2}\right)<1$. Now

So it only remains to show that $\tanh\left(\frac{x}{2}\right)\tanh\left(\frac{y}{2}\right)\leq\tanh\left(\frac{xy}{4}\right)$. This is clearly true when $y=0$. Now

Since $0\leq y<x\leq 2$, we have $0\leq xy/4\leq y/2$ and, hence, $\cosh(y/2)\geq\cosh(xy/4)$. Thus

The inequality now follows by integration of the inequality on the derivatives. ∎

The following lemma immediately implies Lemma 3.6 and is also used to prove Lemma 8.8.

As in Lemma 3.5, by Markov’s inequality, for all $\alpha>1$ and $\lambda>\xi+\rho$,

Choosing $\alpha=(\lambda-\xi+\rho)/2\rho>1$ gives

Now we can substitute upper bounds on $h$ to obtain the desired results.

Let $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfy $(\varepsilon,\delta)$-DP for all $\delta>0$ and

for some constants $\hat{\xi},\hat{\rho}\in$. Then $M$ is $\left(\hat{\xi}-\frac{1}{4}\hat{\rho}+5\sqrt{\hat{\rho}},\frac{1}{4}\hat{\rho}\right)$-zCDP.

We use the inequality $1+xe^{\xi}\leq e^{x+\xi}$ for all $x,\xi\geq 0$. We have

We make use of the following technical lemma taken from [DSS+15].

Let $X^{\prime}$ be an independent copy of $X$ and let $Y\in\{0,1\}$ be uniformly random and independent from $X$ and $X^{\prime}$. By Jensen’s inequality,

If $M:\mathcal{X}^{n}\to\mathcal{Y}$ satisfies $(\xi,\rho)$-zCDP, then $M$ satisfies $(\xi+\rho,O(\sqrt{\xi+2\rho}))$-CDP.

The other side of the inequality is symmetric. ∎

Unfortunately Rényi divergence is not convex for $\alpha>1$. (Although KL-divergence is.) However, the following property implies that Rényi divergence is quasi-convex.

Let $P_{0},P_{1},Q_{0},Q_{1}$ be distributions on $\Omega$. For $t\in$, define $P_{t}=tP_{1}+(1-t)P_{0}$ and $Q_{t}=tQ_{1}+(1-t)Q_{0}$ to be the convex combinations specified by $t$. Then

Moreover, the limit as $\alpha\to 1+$ gives

Let $h(x)=x^{\alpha}$. Note that $h$ is convex. Let $f^{-1}(y)=\{x\in\Omega:f(x)=y\}$. Let $Q_{y}$ be the conditional distribution on $x\sim Q$ conditioned on $f(x)=y$. By Jensen’s inequality,

Let $1<\alpha\leq\alpha^{\prime}<\infty$. Let $h(x)=x^{\frac{\alpha^{\prime}-1}{\alpha-1}}$. Then

Appendix C Privacy versus Sampling

In this appendix we prove the technical Lemma 7.5. Essentially we show that if a private mechanism can accurately answer a set of queries with a given sample complexity, then those queries can be approximated on an unknown distribution with the same sample complexity. This is related to lower bounds on private sample complexity using Vapnik-Chervonenkis dimension e.g. [DR14, Theorem 4.8] and [BNSV15, Theorem 5.5].

First we state Pinsker’s inequality [vEH14, Theorem 31].

Let $X$ and $Y$ be random variables on $$. Then

We can also generalise Pinsker’s inequality using Rényi divergence:

for all $x\in\mathcal{X}^{n}$. Then, for any distribution $\mathcal{D}$ on $\mathcal{X}$,