[PPT] - Differen'al*Privacy:*Basics* CompSci(590.03( PowerPoint Presentation

SLIDE 1

Differen'alPrivacy:Basics*

CompSci(590.03( Instructor:(Ashwin(Machanavajjhala(

1* Lecture*2*:*590.03*Fall*16*

SLIDE 2

Outlineoflecture*

Differen'al*Privacy*
Basic*Algorithms*

– Laplace*Mechanism*

Composi'on*Theorems*
Exercise*

*

Lecture*2*:*590.03*Fall*16* 2*

SLIDE 3

Differen'alPrivacy

Foreveryoutput… O" D2" D1" Adversaryshouldnotbeabletodis'nguish* betweenanyD1andD2basedonanyO* ! ! !Pr[A(D1)!=!O]!!!! ! !Pr[A(D2)!=!O]!!!!!!!!!!!!!!!!.! Foreverypairofinputs* thatdifferinonerow" !!<!!ε!!!(ε>0)!

log*

[Dwork!ICALP!2006]!

Lecture*2*:*590.03*Fall*16* 3*

SLIDE 4

Whypairsofdatasetsthat(differ(in(one(row?*

D2" D1" Foreverypairofinputs* thatdifferinonerow" Simulatethepresenceorabsenceof asinglerecord" Foreveryoutput… O"

Lecture*2*:*590.03*Fall*16* 4*

SLIDE 5

Whyall(pairsofdatasets…?*

D2" D1" Foreverypairofinputs* thatdifferinonerow" GuaranteeholdsnomaTerwhatthe

ther*records*are."

Foreveryoutput… O"

Lecture*2*:*590.03*Fall*16* 5*

SLIDE 6

Whyalloutputs?*

Lecture*2*:*590.03*Fall*16* 6*

D2" D1"

Set of all

utputs

.! .! .! A(D1) = O1 P [ A(D1) = O1 ] P [ A(D2) = Ok ]

SLIDE 7

Should not be able to distinguish whether input was D1 or D2 no* maTerwhatthe*output

Lecture*2*:*590.03*Fall*16* 7*

.! .! .! Worst!discrepancy! in!probabiliGes!

D2" D1"

SLIDE 8

PrivacyParameterε*

D2" D1" Foreverypairofinputs* thatdifferinonerow" Pr[A(D1) = O] ≤ e Pr[A(D2) = O] Foreveryoutput… O" Controls the degree to which D1 and D2 can be distinguished. Smaller the more the privacy (and better the utility)

Lecture*2*:*590.03*Fall*16* 8*

SLIDE 9

OutlineoftheModule2*

Differen'al*Privacy*
Basic*Algorithms*

– Laplace*Mechanism*

Composi'on*Theorems*

Lecture*2*:*590.03*Fall*16* 9*

SLIDE 10

Candeterminis'calgorithmssa'sfydifferen'alprivacy?

10* Lecture*2*:*590.03*Fall*16*

SLIDE 11

NonYtrivialdeterminis'cAlgorithmsdonot* sa'sfydifferen'alprivacy*

Space!of!all!inputs! Space!of!all!outputs! (at!least!2!disGnct!ouputs)!

11* Lecture*2*:*590.03*Fall*16*

SLIDE 12

Each(input(mapped(to(a(disBnct(

utput.(

NonYtrivialdeterminis'cAlgorithmsdonot* sa'sfydifferen'alprivacy*

12* Lecture*2*:*590.03*Fall*16*

SLIDE 13

Pr!>!0! Pr!=!0!

Thereexisttwoinputsthatdifferinoneentry* mappedtodifferentoutputs.

13* Lecture*2*:*590.03*Fall*16*

SLIDE 14

RandomSampling…*

…alsodoesnotsa'sfydifferen'alprivacy

Input* Output* D2" D1" O"

!=!∞!

log*

Pr[D1 ! O] Pr[D2 ! O]

Pr[D2 ! O] = 0 implies

14* Lecture*2*:*590.03*Fall*16*

SLIDE 15

OutputRandomiza'on

Add*noise*to*answers*such*that:*

– Each*answer*does*not*leak*too*much*informa'on*about*the*database.* – Noisy*answers*are*close*to*the*original*answers.**

* Database!

Researcher!

Query! Add!noise!to! true!answer!

15* Lecture*2*:*590.03*Fall*16*

SLIDE 16

LaplaceMechanism

0! 0.2! 0.4! 0.6! P10! P8! P6! P4! P2! 0! 2! 4! 6! 8! 10!

Laplace!DistribuGon!–!Lap(λ)!

Database!

Researcher!

Query!q!

True!answer!

q(D)! q(D)!+!η! η!

h(η)αexp(Yη/λ)*

Privacydependson* theλparameter* Mean:*0,** Variance:2λ2*

16* Lecture*2*:*590.03*Fall*16*

SLIDE 17

Howmuchnoiseforprivacy?*

* SensiGvity:Consideraqueryq:I!R.S(q)isthesmallestnumber* s.t.foranyneighboringtablesD,D’,** |q(D)–q(D’)|≤S(q)** * * Thm:IfsensiGvity!ofthequeryisS,thenthefollowingguaranteesεY differen'alprivacy.**

λ=S/ε*

17* Lecture*2*:*590.03*Fall*16*

[Dwork*et*al.,*TCC*2006]*

SLIDE 18

Sensi'vity:COUNTquery*

Number*of*people*having*disease*
Sensi'vity*=*1*
Solu'on:*3*+*η,**

whereηisdrawnfromLap(1/ε) – Mean=0** – Variance=2/ε2** *

Lecture*2*:*590.03*Fall*16* 18*

Disease!(Y/ N)! Y* Y* N* Y* N* N* D!

SLIDE 19

Sensi'vity:SUMquery*

Suppose*all*values*x*are*in*[a,b]*
* Sensi'vity*=*b*

Lecture*2*:*590.03*Fall*16* 19*

SLIDE 20

PrivacyofLaplaceMechanism

Consider*neighboring*databases*D*and*D’*
Consider*some*output*O*

* *

Lecture*2*:*590.03*Fall*16* 20*

SLIDE 21

U'lityofLaplaceMechanism

Laplace*mechanism*works*for*any!funcGon!that*returns*a*real*

number*

Error:*E(true*answer*–*noisy*answer)2**

* * ** * * =Var(Lap(S(q)/ε))* * * ** * * =2S(q)2/ε2

Lecture*2*:*590.03*Fall*16* 21*

SLIDE 22

OutlineoftheModule2*

Differen'al*Privacy*
Basic*Algorithms*

– Laplace*&*Exponen'al*Mechanism* – Randomized*Response*

Composi'on*Theorems*

*

Lecture*2*:*590.03*Fall*16* 22*

SLIDE 23

Why*Composi'on?**

Reasoning*about*privacy*of**

acomplexalgorithmishard.**

Helps*sotware*design*

– If*building*blocks*are*proven*to*be*private,*it*would*be*easy*to*reason* about*privacy*of*a*complex*algorithm*built*en'rely*using*these*building* blocks.*

Lecture*2*:*590.03*Fall*16* 23*

SLIDE 24

Aboundonthenumberofqueries*

In*order*to*ensure*u'lity,*a*sta's'cal*database*must*leak*some*

informa'onabouteach*individual**

We*can*only*hope*to*bound*the**

amountofdisclosure*

Hence,*there*is*a*limit*on*number*of**

queriesthatcanbeanswered*

Lecture*2*:*590.03*Fall*16* 24*

SLIDE 25

DinurNissimResult*

A*vast*majority*of*records*in*a*database*of*size*n(can*be*

reconstructedwhenn(log(n)2queriesareansweredbya sta's'caldatabase…* * …evenifeachanswerhasbeenarbitrarilyalteredtohaveupto*

(√n)*error*

.**

[DinurPNissim!PODS!2003]!

Lecture*2*:*590.03*Fall*16* 25*

SLIDE 26

Sequen'alComposi'on

If*M1,*M2,*...,*Mk(are*algorithms*that*access*a*private*database*D*

suchthateachMi((sa'sfiesεi(Ydifferen'al*privacy,** * thenthecombina'onoftheiroutputssa'sfies** εYdifferen'alprivacywithε=ε1+...+εk**

Lecture*2*:*590.03*Fall*16* 26*

SLIDE 27

PrivacyasConstrainedOp'miza'on

Three*axes*

– Privacy** – Error* – Queries*that*can*be*answered*

E.g.:*Given*a*fixed*set*of*queries*and*privacy!budget!ε,*what*is*the*

minimumerrorthatcanbe*achieved?**

Lecture*2*:*590.03*Fall*16* 27*

SLIDE 28

ParallelComposi'on

If*M1,*M2,*...,*Mk(are*algorithms*that*access*disjoint*databases*D1,*

D2,…,DksuchthateachMi((sa'sfiesεi(Ydifferen'alprivacy,** * thenthecombina'onoftheiroutputssa'sfies** εYdifferen'alprivacywithε=max{ε1,...,εk}

Lecture*2*:*590.03*Fall*16* 28*

SLIDE 29

Postprocessing*

If*M1*is*an*εdifferen'ally*private*algorithm*that*accesses*a*private*

database*D,** * thenoutpu{ngM2(M1(D))alsosa'sfiesεYdifferen'alprivacy.*

Lecture*2*:*590.03*Fall*16* 29*

SLIDE 30

CaseStudy:KYmeansClustering

Lecture*2*:*590.03*Fall*16* 30*

SLIDE 31

Kmeans*

Par''on*a*set*of*points*x1,*x2,*…,*xn*into*k*clusters*S1,*S2,*…,*Sk*such*

thatthefollowingisminimized:**

Lecture*2*:*590.03*Fall*16* 31*

!! − !!

! ! !!∈!! ! !!!

!

Mean*of*the*cluster*Si*

SLIDE 32

Kmeans*

Algorithm:**

Ini'alize*a*set*of*k*centers*
Repeat*

Assigneachpointtoitsnearestcenter Recomputethesetofcenters Un'lconvergence…**

Output*the*final*k*centers*

Lecture*2*:*590.03*Fall*16* 32*

SLIDE 33

Exercise**

What*is*a*differen'ally*private*algorithm*for*releasing*a*kYmeans*

clustering(i.e.,outpu{ngthefinalsetofkcenters)?**

Lecture*2*:*590.03*Fall*16* 33*

SLIDE 34

Summary*

Differen'ally*private*algorithms*ensure*an*aTacker*can’t*infer*the*

presenceorabsenceofa*singlerecordintheinputbasedonany

utput.**
Building*blocks**

– Laplace*mechanism**

Composi'on*rules*help*build*complex*algorithms*using*building*

blocks*

Lecture*2*:*590.03*Fall*16* 34*

Differen'al*Privacy:*Basics*

CompSci(590.03( Instructor:(Ashwin(Machanavajjhala(

Outline*of*lecture*

*

Differen'al*Privacy*

For*every*output*…* O" D2" D1" Adversary*should*not*be*able*to*dis'nguish* between*any*D1*and*D2*based*on*any*O* ! ! !Pr[A(D1)!=!O]!!!! ! !Pr[A(D2)!=!O]!!!!!!!!!!!!!!!!.! For*every*pair*of*inputs* that*differ*in*one*row" !!<!!ε!!!(ε>0)!

log*

Why*pairs*of*datasets*that(differ(in(one(row?*

D2" D1" For*every*pair*of*inputs* that*differ*in*one*row" Simulate*the*presence*or*absence*of* a*single*record" For*every*output*…* O"

Why*all(pairs*of*datasets*…?*

D2" D1" For*every*pair*of*inputs* that*differ*in*one*row" Guarantee*holds*no*maTer*what*the*

For*every*output*…* O"

Why*all*outputs?*

D2" D1"

Should not be able to distinguish whether input was D1 or D2 no* maTer*what*the*output

D2" D1"

Privacy*Parameter*ε*

D2" D1" For*every*pair*of*inputs* that*differ*in*one*row" Pr[A(D1) = O] ≤ e Pr[A(D2) = O] For*every*output*…* O" Controls the degree to which D1 and D2 can be distinguished. Smaller the more the privacy (and better the utility)

Outline*of*the*Module*2*

Can*determinis'c*algorithms*sa'sfy*differen'al*privacy?*

NonYtrivial*determinis'c*Algorithms*do*not* sa'sfy*differen'al*privacy*

Space!of!all!inputs! Space!of!all!outputs! (at!least!2!disGnct!ouputs)!

Each(input(mapped(to(a(disBnct(

NonYtrivial*determinis'c*Algorithms*do*not* sa'sfy*differen'al*privacy*

Pr!>!0! Pr!=!0!

There*exist*two*inputs*that*differ*in*one*entry* mapped*to*different*outputs.*

Random*Sampling*…*

*…*also*does*not*sa'sfy*differen'al*privacy*

Input* Output* D2" D1" O"

!=!∞!

log*

Pr[D1 ! O] Pr[D2 ! O]

Pr[D2 ! O] = 0 implies

Output*Randomiza'on*

* Database!

Query! Add!noise!to! true!answer!

Laplace*Mechanism*

Database!

Query!q!

q(D)! q(D)!+!η! η!

h(η)*α*exp(Yη*/*λ)*

Privacy*depends*on* the*λ*parameter* Mean:*0,** Variance:*2*λ2*

How*much*noise*for*privacy?*

* SensiGvity:*Consider*a*query*q:*I*!*R.*S(q)*is*the*smallest*number* s.t.*for*any*neighboring*tables*D,*D’,** |*q(D)*–*q(D’)*|**≤**S(q)** * * Thm:*If*sensiGvity!of*the*query*is*S,*then*the*following*guarantees*εY differen'al*privacy.**

λ*=*S/ε*

Sensi'vity:*COUNT*query*

where*η*is*drawn*from*Lap(1/ε)* – Mean*=*0** – Variance*=*2/ε2** *

Sensi'vity:*SUM*query*

Privacy*of*Laplace*Mechanism*

* *

U'lity*of*Laplace*Mechanism*

number*

* * ** * * *=*Var(*Lap(S(q)/ε)*)* * * ** * * *=*2*S(q)2*/*ε2*

Outline*of*the*Module*2*

*

Why*Composi'on?**

a*complex*algorithm*is*hard.**

A*bound*on*the*number*of*queries*

informa'on*about*each*individual**

amount*of*disclosure*

queries*that*can*be*answered*

Dinur*Nissim*Result*

reconstructed*when*n(log(n)2*queries*are*answered*by*a* sta's'cal*database*…* * …*even*if*each*answer*has*been*arbitrarily*altered*to*have*up*to*

.**

Sequen'al*Composi'on*

such*that*each*Mi((sa'sfies*εi(Ydifferen'al*privacy,** * then*the*combina'on*of*their*outputs*sa'sfies** εYdifferen'al*privacy*withε=ε1+...+εk**

Privacy*as*Constrained*Op'miza'on*

minimum*error*that*can*be*achieved?**

Parallel*Composi'on*

D2,*…,*Dk*such*that*each*Mi((sa'sfies*εi(Ydifferen'al*privacy,** * then*the*combina'on*of*their*outputs*sa'sfies** εYdifferen'al*privacy*withε=*max{ε1,...,εk}*

Postprocessing*

database*D,** * then*outpu{ng*M2(M1(D))*also*sa'sfies*εYdifferen'al*privacy.*

Case*Study:*KYmeans*Clustering*

Kmeans*

that*the*following*is*minimized:**

Kmeans*

Algorithm:**

*Assign*each*point*to*its*nearest*center* *Recompute*the*set*of*centers* Un'l*convergence*…**

Exercise**

clustering*(i.e.,*outpu{ng*the*final*set*of*k*centers)?**

Differen'alPrivacy:Basics*

Outlineoflecture*

Differen'alPrivacy

Foreveryoutput… O" D2" D1" Adversaryshouldnotbeabletodis'nguish* betweenanyD1andD2basedonanyO* ! ! !Pr[A(D1)!=!O]!!!! ! !Pr[A(D2)!=!O]!!!!!!!!!!!!!!!!.! Foreverypairofinputs* thatdifferinonerow" !!<!!ε!!!(ε>0)!

Whypairsofdatasetsthat(differ(in(one(row?*

D2" D1" Foreverypairofinputs* thatdifferinonerow" Simulatethepresenceorabsenceof asinglerecord" Foreveryoutput… O"

Whyall(pairsofdatasets…?*

D2" D1" Foreverypairofinputs* thatdifferinonerow" GuaranteeholdsnomaTerwhatthe

Foreveryoutput… O"

Whyalloutputs?*

Should not be able to distinguish whether input was D1 or D2 no* maTerwhatthe*output

PrivacyParameterε*

D2" D1" Foreverypairofinputs* thatdifferinonerow" Pr[A(D1) = O] ≤ e Pr[A(D2) = O] Foreveryoutput… O" Controls the degree to which D1 and D2 can be distinguished. Smaller the more the privacy (and better the utility)

OutlineoftheModule2*

Candeterminis'calgorithmssa'sfydifferen'alprivacy?

NonYtrivialdeterminis'cAlgorithmsdonot* sa'sfydifferen'alprivacy*

NonYtrivialdeterminis'cAlgorithmsdonot* sa'sfydifferen'alprivacy*

Thereexisttwoinputsthatdifferinoneentry* mappedtodifferentoutputs.

RandomSampling…*

…alsodoesnotsa'sfydifferen'alprivacy

OutputRandomiza'on

LaplaceMechanism

h(η)αexp(Yη/λ)*

Privacydependson* theλparameter* Mean:*0,** Variance:2λ2*

Howmuchnoiseforprivacy?*

* SensiGvity:Consideraqueryq:I!R.S(q)isthesmallestnumber* s.t.foranyneighboringtablesD,D’,** |q(D)–q(D’)|≤S(q)** * * Thm:IfsensiGvity!ofthequeryisS,thenthefollowingguaranteesεY differen'alprivacy.**

λ=S/ε*

Sensi'vity:COUNTquery*

whereηisdrawnfromLap(1/ε) – Mean=0** – Variance=2/ε2** *

Sensi'vity:SUMquery*

PrivacyofLaplaceMechanism

U'lityofLaplaceMechanism

* * ** * * =Var(Lap(S(q)/ε))* * * ** * * =2S(q)2/ε2

OutlineoftheModule2*

acomplexalgorithmishard.**

Aboundonthenumberofqueries*

informa'onabouteach*individual**

amountofdisclosure*

queriesthatcanbeanswered*

DinurNissimResult*

reconstructedwhenn(log(n)2queriesareansweredbya sta's'caldatabase…* * …evenifeachanswerhasbeenarbitrarilyalteredtohaveupto*

Sequen'alComposi'on

suchthateachMi((sa'sfiesεi(Ydifferen'al*privacy,** * thenthecombina'onoftheiroutputssa'sfies** εYdifferen'alprivacywithε=ε1+...+εk**

PrivacyasConstrainedOp'miza'on

minimumerrorthatcanbe*achieved?**

ParallelComposi'on

D2,…,DksuchthateachMi((sa'sfiesεi(Ydifferen'alprivacy,** * thenthecombina'onoftheiroutputssa'sfies** εYdifferen'alprivacywithε=max{ε1,...,εk}

database*D,** * thenoutpu{ngM2(M1(D))alsosa'sfiesεYdifferen'alprivacy.*

CaseStudy:KYmeansClustering

thatthefollowingisminimized:**

Assigneachpointtoitsnearestcenter Recomputethesetofcenters Un'lconvergence…**

clustering(i.e.,outpu{ngthefinalsetofkcenters)?**

presenceorabsenceofa*singlerecordintheinputbasedonany