The Optimal Mechanism in Differential Privacy

Size: px

Start display at page:

Download "The Optimal Mechanism in Differential Privacy"

Dustin Williamson
5 years ago
Views:

1 The Optimal Mechanism in Differential Privacy Quan Geng Advisor: Prof. Pramod Viswanath 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 1

2 Outline Background on differential privacy Problem formulation Main result on the optimal mechanism Extensions to other settings Conclusion and future work 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 2

3 Motivation Vast amounts of personal information are collected Data analysis produces a lot of useful applications 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 3

4 Motivation Big Data Release data/info. Applications Analyst How to release the data while protecting individual s privacy? 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 4

5 Motivation: Netflix Prize (2006) Netflix hosted a contest to improve movie recommendation Released dataset 100 million ratings 500 thousand users 18 thousand movies 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 5 Image Credit: Arvind Narayanan

6 Motivation: Netflix Prize (2006) Netflix hosted a contest to improve movie recommendation Released dataset 100 million ratings 500 thousand users 18 thousand movies Anonymization to protect customer privacy 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 6 Image Credit: Arvind Narayanan

7 Motivation: Netflix Prize Dataset Release Image Credit: Arvind Narayanan [Narayanan, Shmatikov 2008] 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 7

8 Motivation How to protect PRIVACY resilient to attacks with arbitrary side information? 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 8

9 Motivation How to protect PRIVACY resilient to attacks with arbitrary side information? Ans: randomized releasing mechanism 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 9

10 Motivation How to protect PRIVACY resilient to attacks with arbitrary side information? Ans: randomized releasing mechanism How much randomness is needed? completely random (no utility) deterministic (no privacy) 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 10

11 Motivation How to protect PRIVACY resilient to attacks with arbitrary side information? Ans: randomized releasing mechanism How much randomness is needed? completely random (no utility) deterministic (no privacy) Differential Privacy [Dwork et. al. 06]: one way to quantify the level of randomness and privacy 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 11

12 Background on Differential Privacy Collect data Users database Query Analyst Database Curator Released info. Database Curator: How to answer a query, providing useful data information to the analyst, while still protecting the privacy of each user. 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 12

dataset: D query function: q (D) randomized released mechanism: K D Age A: 20 B: 35 C: 43 D:

13 Background on Differential Privacy Collect data Users database Query Analyst Database Curator Released info. dataset: D query function: q (D) randomized released mechanism: K D Age A: 20 B: 35 C: 43 D: 30 q: How many people are older than 32? q(d) = 2 K(D) = 1 w.p. 1/8 K(D) = 2 w.p. 1/2 K(D) = 3 w.p. 1/4 K(D) = 4 w.p. 1/8 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 13

14 Background on Differential Privacy Two neighboring datasets: differ only at one element Age A: 20 B: 35 C: 43 D: 30 Age A: 20 B: 35 D: 30 D 1 D 2 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 14

15 Background on Differential Privacy Two neighboring datasets: differ only at one element Age A: 20 B: 35 C: 43 D: 30 Age A: 20 B: 35 D: 30 K D 1 K(D 2 ) D 1 D 2 Differential Privacy: presence or absence of any individual record in the dataset should not affect the released information significantly. 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 15

16 Background on Differential Privacy A randomized mechanism K gives ε-differential privacy, if for any two neighboring datasets D 1, D 2, and all S Range(K), Pr K D 1 S e ε Pr K D 2 S (make hypothesis testing hard) ε quantifies the level of privacy ε 0, high privacy ε +, low privacy a social question to choose ε (can be 0.01, 0.1, 1, 10 ) 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 16

17 Background on Differential Privacy Q: How much perturbation needed to achieve ε-dp? A: depends on how different q D 1, q(d 2 ) are 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 17

18 Background on Differential Privacy Q: How much perturbation needed to achieve ε-dp? A: depends on how different q D 1, q(d 2 ) are If q D 1 = q D 2, no perturbation is needed. q D 1, q(d 2 ) 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 18

19 Background on Differential Privacy Q: How much perturbation needed to achieve ε-dp? A: depends on how different q D 1, q(d 2 ) are f D1 (x) f D2 (x) If q D 1 q D 2 is small, use small perturbation q D 1 q(d 2 ) 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 19

20 Background on Differential Privacy Q: How much perturbation needed to achieve ε-dp? A: depends on how different q D 1, q(d 2 ) are f D1 (x) If q D 1 q D 2 is large, use large perturbation f D2 (x) q D 1 q(d 2 ) 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 20

21 Background on Differential Privacy Global Sensitivity Δ: how different when q is applied to neighboring datasets Δ max q D 1 q D 2 (D 1,D 2 ) are neighbors Example: for a count query, Δ = 1 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 21

22 Background on Differential Privacy Laplace Mechanism: K D = q D + Lap( Δ ε ), Lap Δ ε is a r.v. with p.d.f f x = 1 2λ e x λ, λ = Δ ε f D1 (x) f D2 (x) Basic tool in DP 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 22

23 Optimality of Existing work? Laplace Mechanism: K D = q D + Lap( Δ ε ), Two Questions: Is data-independent perturbation optimal? Assume data-independent perturbation, is Laplacian distribution optimal? 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 23

24 Optimality of Existing work? Laplace Mechanism: K D = q D + Lap( Δ ε ), Two questions: Is data-independent perturbation optimal? Assume data-independent perturbation, is Laplacian distribution optimal? Our results: data-independent perturbation is optimal Laplacian distribution is not optimal: the optimal is staircase distribution 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 24

25 Problem Formulation: DP constraint A generic randomized mechanism K is a family of noise probability measures (t is query output) K = {ν t t R } DP constraint: t 1, t 2 R, s. t. t 1 t 2 Δ, ν t1 S e ε ν t2 S + t 1 t 2, measurable set S 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 25

26 Problem Formulation: utility (cost) model Cost function on the noise L: R R Given query output t, Cost(ν t ) = L x ν t dx Example L(x) = x, noise magnitude L x = x 2, noise power Objective(minmax): minimize sup t R x R L x ν t (dx) 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 26

27 Problem Formulation: put things all together Minimize sup t R L x ν t (dx) x R s.t. ν t1 S e ϵ ν t2 S + t 1 t 2, measurable set S, t 1, t 2 R, s. t. t 1 t 2 Δ, 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 27

28 Main Result: ν t = ν In the optimal mechanism, ν t is independent of t (under a technical condition). 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 28

29 Main Result: ν t = ν In the optimal mechanism, ν t is independent of t (under a technical condition). ν t (S) -T T n 2T n T 2T t 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 29

30 Main Result: ν t = ν ν t (S) -T T n 2T n T 2T t In the optimal mechanism among T>0 n 1 K T,n, ν t is independent of t 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 30

31 Optimal noise probability distribution K D = q D + X, Minimize L x P dx s.t. Pr X S e ϵ Pr X S + d, d Δ, measurable set S 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 31

32 Optimal noise probability distribution K D = q D + X, L x satisfies: symmetric, and increasing of x sup L T+1 L T Minimize L x P dx s.t. Pr X S e ϵ Pr X S + d, d Δ, measurable set S < + 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 32

33 Main Result The optimal probability distribution has staircase-shaped p.d.f. 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 33

34 Main Result 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 34

35 Main Result R.V. generation Sign: binary r.v. Interval: geometric r.v. Segment: binary r.v. Uniform r.v. 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 35

36 Proof Ideas Key idea: Divide each interval [kδ,(k+1)δ) into i bins Approximate using piecewise constant p.d.f. a i = P(interval) length(interval) a 1 a 2 a 3 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 36

37 Proof Ideas p.d.f. should be decreasing a 2 a 3 a 2 a 3 a 1 a 1 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 37

38 Proof Ideas p.d.f. should be geometrically decreasing Divide each interval kδ, k + 1 Δ into i bins a k a k+i = e ε a 1 a 2 a 1 a 3 = e ε, a 2 a 4 = e ε a 3 a 4 Δ 2Δ 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 38

39 Proof Ideas The shape of p.d.f. in the first interval 0, Δ should be a step function a 1 a 2 a 3 a 4 Increase a 2, decrease a 3 a 1 a 2 a 3 a 4 Δ Δ 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 39

40 Application: L(x) = x γ = 1 1+e ε 2, and the minimum expectation of noise amplitude is V P γ = Δ e ε 2 e ε 1 ε 0, the additive gap 0 V Lap = Δ ε ε +, V P γ = Θ(Δe ε 2) 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 40

41 Numeric Comparison with Laplacian Mechanism 15 V Lap / V Optimal /29/

42 Numeric Comparison with Laplacian Mechanism 15 V Lap / V Optimal V Lap / V Optimal /29/

43 Application: L x = x 2 (b: = e ε ) Minimum noise power 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 43

44 Application: L x = x 2 (b: = e ε ) The minimum noise power is V Lap = 2Δ2 ε 2 ε 0, the additive gap cδ 2 ε +, V P γ = Θ(Δ 2 e 2ε 3 ) 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 44

45 Numeric Comparison with Laplacian Mechanism V Lap / V Optimal /29/

46 Numeric Comparison with Laplacian Mechanism V Lap / V Optimal V Lap / V Optimal /29/

47 Properties of γ L x = x m, Also holds for cost functions which are positive linear combinations of momentum functions. 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 47

48 Extension to Discrete Setting Query function: q(d) is integer-valued 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 48

49 Extension to Discrete Setting Query function: q(d) is integer-valued Adding data-independent noise is optimal 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 49

50 Extension to Discrete Setting Query function: q(d) is integer-valued Adding data-independent noise is optimal 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 50

51 Extension to Abstract Setting K: D R (can be arbitrary), with base measure μ. Cost function: C: D R [0, + ] Sensitivity Δ max C D 1, r C(D 2, r) r R,D 1,D 2 : D 1 D 2 1 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 51

52 Extension to Abstract Setting K: D R (can be arbitrary), with base measure μ. Cost function: C: D R [0, + ] Sensitivity Δ max C D 1, r C(D 2, r) r R,D 1,D 2 : D 1 D 2 1 Staircase mechanism: Random sampling over the output range with staircase distribution. 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 52

53 Extension to Abstract Setting K: D R (can be arbitrary), with base measure μ. Cost function: C: D R [0, + ] Sensitivity Δ max C D 1, r C(D 2, r) r R,D 1,D 2 : D 1 D 2 1 Staircase mechanism: Random sampling over the output range with staircase distribution. If R is real space, and C d, r = r q d mechanism, regular staircase 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 53

54 Conclusion Fundamental tradeoff between privacy and utility in DP Staircase Mechanism, optimal mechanism for single real-valued query Huge improvement in low privacy regime Extension to discrete setting and abstract setting 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 54

55 Future Work: Multidimensional setting: Query output can have multiple components q D = q 1 D, q 2 D,, q n D 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 55

56 Future Work: Multidimensional setting: Query output can have multiple components q D = q 1 D, q 2 D,, q n D If all components are uncorrelated, perturb each component independently to preserve DP. 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 56

57 Future Work: Multidimensional setting: Query output can have multiple components q D = q 1 D, q 2 D,, q n D For some query, all components are coupled together. Histogram query: one user can affect only one component 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 57

58 Future Work: Multidimensional setting: Query output can have multiple components q D = q 1 D, q 2 D,, q n D For some query, all components are coupled together. Global sensitivity Δ max q D 1 q D 2 1 D 1,D 2 are neighbors Histogram query: Δ = 1 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 58

59 Future Work: Multidimensional setting: Conjecture: for histogram-like query, optimal noise probability distribution is multidimensional staircase-shaped 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 59

60 Future Work: (ε, δ)-differential privacy (ε, δ)-differential privacy Pr K D 1 S e ε Pr K D 2 S + δ The standard approach is to add Gaussian noise. What is the optimal noise probability distribution in this setting? 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 60

61 Thank you! 3/29/2013 PhD Prelimary Exam of Quan Geng, ECE, UIUC 61

The Optimal Mechanism in Differential Privacy

The Optimal Mechanism in Differential Privacy Quan Geng Advisor: Prof. Pramod Viswanath 11/07/2013 PhD Final Exam of Quan Geng, ECE, UIUC 1 Outline Background on Differential Privacy ε-differential Privacy: