Differential Privacy (2)

Outline Using differential privacy

Database queries Data mining

Non interactive case New developments

Definition

Mechanism: K(x) = f(x) + D, D is some noise. It is an output perturbation method.

Sensitivity function

Captures how great a difference must be hidden by the additive noise

How to design the noise D? It is actually linked back to the function f(x)

Adding LAP noise

Why does this work?

Proof sketch

Let K(x) = f(x) + D =r. Thus, r-f(x) has Lap distribution with the scale df/e. Similarly, K(x’) = f(x’)+D=r, and r-f(x’) has the same distributionP(K(x) = r) = exp(-|f(x)-r|(e/df))P(K(x’)= r) = exp(-|f(x’)-r|(e/df))

P(K(x)=r)/P(K(x’)=r) = exp( (|f(x’)-r|-|f(x)-r|)(e/df)) apply triangle inequality <= exp( |f(x’)-f(x)|(e/df)) = exp(e)

Composition Sequential composition

Parallel composition --for disjoint sets, the ultimate privacy

guarantee depends only on the worst of the guarantees of each analysis, not the sum.

Database queries (PINQ) Basic aggregate operations

Noisy count Noisy sum Noisy average

composition rule Stable transformation

|T(A) - T(B)| <= c|A-B|, and M provides e-diff privacy

=> Composite computation M(T(x)) is ce-diff privacy

Data mining with differential privacy (paper) Decision tree

Basic operation: scan through the domain to find the split that maximizes some classification measure

Basic idea of the diff-privacy version Users interact with the data server to find

out required information These operations can be transformed to

counting operations -- apply NoisyCount Sensitivity of the function is determined by

the classification measure

Privacy budget e User specified total budget e Composite operations need a specific e’

for each operation

Tradeoff between utility and privacy

Non interactive differential privacy Noisy histogram release

Sampling and filtering

Partitioning

New settings Against an adversary who has access

to the algorithm’s internal state Differential privacy under continual

observation