Additive noise differential privacy mechanisms

Last updated August 10, 2024

Adding controlled noise from predetermined distributions is a way of designing differentially private mechanisms. This technique is useful for designing private mechanisms for real-valued functions on sensitive data. Some commonly used distributions for adding noise include Laplace and Gaussian distributions.

Definition

Let ${\mathcal {D}}$ be a collection of all datasets and $f\colon {\mathcal {D}}\to \mathbb {R}$ be a real-valued function. The sensitivity^[1] of a function, denoted $\Delta f$ , is defined by

\Delta f=\max |f(x)-f(y)|,

where the maximum is over all pairs of datasets $x$ and $y$ in ${\mathcal {D}}$ differing in at most one element. For functions with higher dimensions, the sensitivity is usually measured under $\ell _{1}$ or $\ell _{2}$ norms.

Throughout this article, ${\mathcal {M}}$ is used to denote a randomized algorithm that releases a sensitive function $f$ under the $\epsilon$ - (or $(\epsilon ,\delta )$ -) differential privacy.

Real-valued functions

Laplace Mechanism

Introduced by Dwork et al.,^[1] this mechanism adds noise drawn from a Laplace distribution:

{\mathcal {M}}_{\mathrm {Lap} }(x,f,\epsilon )=f(x)+\mathrm {Lap} \left(\mu =0,b={\frac {\Delta f}{\epsilon }}\right),

where $\mu$ is the expectation of the Laplace distribution and $b$ is the scale parameter. Roughly speaking, a small-scale noise should suffice for a weak privacy constraint (corresponding to a large value of $\epsilon$ ), while a greater level of noise would provide a greater degree of uncertainty in what was the original input (corresponding to a small value of $\epsilon$ ).

To argue that the mechanism satisfies $\epsilon$ -differential privacy, it suffices to show that the output distribution of ${\mathcal {M}}_{\mathrm {Lap} }(x,f,\epsilon )$ is close in a multiplicative sense to ${\mathcal {M}}_{\mathrm {Lap} }(y,f,\epsilon )$ everywhere. ${\begin{aligned}{\frac {\mathrm {Pr} ({\mathcal {M}}_{\mathrm {Lap} }(x,f,\epsilon )=z)}{\mathrm {Pr} ({\mathcal {M}}_{\mathrm {Lap} }(y,f,\epsilon )=z)}}&={\frac {\mathrm {Pr} (f(x)+\mathrm {Lap} (0,{\frac {\Delta f}{\epsilon }})=z)}{\mathrm {Pr} (f(y)+\mathrm {Lap} (0,{\frac {\Delta f}{\epsilon }})=z)}}\\&={\frac {\mathrm {Pr} (\mathrm {Lap} (0,{\frac {\Delta f}{\epsilon }})=z-f(x))}{\mathrm {Pr} (\mathrm {Lap} (0,{\frac {\Delta f}{\epsilon }})=z-f(y))}}\\&={\frac {{\frac {1}{2b}}\exp \left(-{\frac {|z-f(x)|}{b}}\right)}{{\frac {1}{2b}}\exp \left(-{\frac {|z-f(y)|}{b}}\right)}}\\&=\exp \left({\frac {|z-f(y)|-|z-f(x)|}{b}}\right)\\&\leq \exp \left({\frac {|f(y)-f(x)|}{b}}\right)\\&\leq \exp \left({\frac {\Delta f}{b}}\right)=\exp(\epsilon ).\end{aligned}}$ The first inequality follows from the triangle inequality and the second from the sensitivity bound. A similar argument gives a lower bound of $\exp(-\epsilon )$ .

A discrete variant of the Laplace mechanism, called the geometric mechanism, is universally utility-maximizing.^[2] It means that for any prior (such as auxiliary information or beliefs about data distributions) and any symmetric and monotone univariate loss function, the expected loss of any differentially private mechanism can be matched or improved by running the geometric mechanism followed by a data-independent post-processing transformation. The result also holds for minimax (risk-averse) consumers.^[3] No such universal mechanism exists for multi-variate loss functions.^[4]

Gaussian Mechanism

Analogous to Laplace mechanism, Gaussian mechanism adds noise drawn from a Gaussian distribution whose variance is calibrated according to the sensitivity and privacy parameters. For any $\delta \in (0,1)$ and $\epsilon \in (0,1)$ , the mechanism defined by:

${\mathcal {M}}_{\text{Gauss}}(x,f,\epsilon ,\delta )=f(x)+{\mathcal {N}}\left(\mu =0,\sigma ^{2}={\frac {2\ln(1.25/\delta )\cdot (\Delta f)^{2}}{\epsilon ^{2}}}\right)$

provides $(\epsilon ,\delta )$ -differential privacy.

Note that, unlike Laplace mechanism, ${\mathcal {M}}_{\text{Gauss}}$ only satisfies $(\epsilon ,\delta )$ -differential privacy with $\epsilon <1$ . To prove so, it is sufficient to show that, with probability at least $1-\delta$ , the distribution of ${\mathcal {M}}_{\text{Gauss}}(x,f,\epsilon ,\delta )$ is close to ${\mathcal {M}}_{\text{Gauss}}(y,f,\epsilon ,\delta )$ . See Appendix A in Dwork and Roth for a proof of this result^[5]).

High dimensional functions

For high dimensional functions of the form $f\colon {\mathcal {D}}\to \mathbb {R} ^{d}$ , where $d\geq 2$ , the sensitivity of $f$ is measured under $\ell _{1}$ or $\ell _{2}$ norms. The equivalent Gaussian mechanism that satisfies $(\epsilon ,\delta )$ -differential privacy for such function (still under the assumption that $\epsilon <1$ ) is

${\mathcal {M}}_{\text{Gauss}}(x,f,\epsilon ,\delta )=f(x)+{\mathcal {N}}^{d}\left(\mu =0,\sigma ^{2}={\frac {2\ln(1.25/\delta )\cdot (\Delta _{2}f)^{2}}{\epsilon ^{2}}}\right),$

where $\Delta _{2}f$ represents the sensitivity of $f$ under $\ell _{2}$ norm and ${\mathcal {N}}^{d}(0,\sigma ^{2})$ represents a $d$ -dimensional vector, where each coordinate is a noise sampled according to ${\mathcal {N}}(0,\sigma ^{2})$ independent of the other coordinates (see Appendix A in Dwork and Roth^[5] for proof).

Related Research Articles

In mathematics and physics, Laplace's equation is a second-order partial differential equation named after Pierre-Simon Laplace, who first studied its properties. This is often written as $or where is the Laplace operator, is the divergence operator, is the gradient operator, and is a twice-differentiable real-valued function. The Laplace operator therefore maps a scalar function to another scalar function.$

In mathematics, the Laplace operator or Laplacian is a differential operator given by the divergence of the gradient of a scalar function on Euclidean space. It is usually denoted by the symbols $, (where is the nabla operator), or . In a Cartesian coordinate system, the Laplacian is given by the sum of second partial derivatives of the function with respect to each independent variable. In other coordinate systems, such as cylindrical and spherical coordinates, the Laplacian also has a useful form. Informally, the Laplacian Δ f (p) of a function f at a point p measures by how much the average value of f over small spheres or balls centered at p deviates from f (p) .$

Poisson's equation is an elliptic partial differential equation of broad utility in theoretical physics. For example, the solution to Poisson's equation is the potential field caused by a given electric charge or mass density distribution; with the potential field known, one can then calculate electrostatic or gravitational (force) field. It is a generalization of Laplace's equation, which is also frequently seen in physics. The equation is named after French mathematician and physicist Siméon Denis Poisson.

In the calculus of variations and classical mechanics, the Euler–Lagrange equations are a system of second-order ordinary differential equations whose solutions are stationary points of the given action functional. The equations were discovered in the 1750s by Swiss mathematician Leonhard Euler and Italian mathematician Joseph-Louis Lagrange.

In the calculus of variations, a field of mathematical analysis, the functional derivative relates a change in a functional to a change in a function on which the functional depends.

<span class="mw-page-title-main">Path integral formulation</span> Formulation of quantum mechanics

The path integral formulation is a description in quantum mechanics that generalizes the stationary action principle of classical mechanics. It replaces the classical notion of a single, unique classical trajectory for a system with a sum, or functional integral, over an infinity of quantum-mechanically possible trajectories to compute a quantum amplitude.

Acoustic impedance and specific acoustic impedance are measures of the opposition that a system presents to the acoustic flow resulting from an acoustic pressure applied to the system. The SI unit of acoustic impedance is the pascal-second per cubic metre, or in the MKS system the rayl per square metre (Rayl/m²), while that of specific acoustic impedance is the pascal-second per metre (Pa·s/m), or in the MKS system the rayl (Rayl). There is a close analogy with electrical impedance, which measures the opposition that a system presents to the electric current resulting from a voltage applied to the system.

In electromagnetism, the electromagnetic tensor or electromagnetic field tensor is a mathematical object that describes the electromagnetic field in spacetime. The field tensor was first used after the four-dimensional tensor formulation of special relativity was introduced by Hermann Minkowski. The tensor allows related physical laws to be written concisely, and allows for the quantization of the electromagnetic field by the Lagrangian formulation described below.

In general relativity, the Gibbons–Hawking–York boundary term is a term that needs to be added to the Einstein–Hilbert action when the underlying spacetime manifold has a boundary.

The covariant formulation of classical electromagnetism refers to ways of writing the laws of classical electromagnetism in a form that is manifestly invariant under Lorentz transformations, in the formalism of special relativity using rectilinear inertial coordinate systems. These expressions both make it simple to prove that the laws of classical electromagnetism take the same form in any inertial coordinate system, and also provide a way to translate the fields and forces from one frame to another. However, this is not as general as Maxwell's equations in curved spacetime or non-rectilinear coordinate systems.

In information theory, information dimension is an information measure for random vectors in Euclidean space, based on the normalized entropy of finely quantized versions of the random vectors. This concept was first introduced by Alfréd Rényi in 1959.

<span class="mw-page-title-main">Genus of a multiplicative sequence</span> A ring homomorphism from the cobordism ring of manifolds to another ring

In mathematics, a genus of a multiplicative sequence is a ring homomorphism from the ring of smooth compact manifolds up to the equivalence of bounding a smooth manifold with boundary to another ring, usually the rational numbers, having the property that they are constructed from a sequence of polynomials in characteristic classes that arise as coefficients in formal power series with good multiplicative properties.

In mathematics, Weyl's lemma, named after Hermann Weyl, states that every weak solution of Laplace's equation is a smooth solution. This contrasts with the wave equation, for example, which has weak solutions that are not smooth solutions. Weyl's lemma is a special case of elliptic or hypoelliptic regularity.

In fluid dynamics, Luke's variational principle is a Lagrangian variational description of the motion of surface waves on a fluid with a free surface, under the action of gravity. This principle is named after J.C. Luke, who published it in 1967. This variational principle is for incompressible and inviscid potential flows, and is used to derive approximate wave models like the mild-slope equation, or using the averaged Lagrangian approach for wave propagation in inhomogeneous media.

The exponential mechanism is a technique for designing differentially private algorithms. It was developed by Frank McSherry and Kunal Talwar in 2007. Their work was recognized as a co-winner of the 2009 PET Award for Outstanding Research in Privacy Enhancing Technologies.

Differential privacy (DP) is a mathematically rigorous framework for releasing statistical information about datasets while protecting the privacy of individual data subjects. It enables a data holder to share aggregate patterns of the group while limiting information that is leaked about specific individuals. This is done by injecting carefully calibrated noise into statistical computations such that the utility of the statistic is preserved while provably limiting what can be inferred about any individual in the dataset.

In mathematics, the infinity Laplace operator is a 2nd-order partial differential operator, commonly abbreviated $. It is alternately defined, for a function of the variables, by$

Lagrangian field theory is a formalism in classical field theory. It is the field-theoretic analogue of Lagrangian mechanics. Lagrangian mechanics is used to analyze the motion of a system of discrete particles each with a finite number of degrees of freedom. Lagrangian field theory applies to continua and fields, which have an infinite number of degrees of freedom.

In the study of differential equations, the Loewy decomposition breaks every linear ordinary differential equation (ODE) into what are called largest completely reducible components. It was introduced by Alfred Loewy.

In two-dimensional conformal field theory, Virasoro conformal blocks are special functions that serve as building blocks of correlation functions. On a given punctured Riemann surface, Virasoro conformal blocks form a particular basis of the space of solutions of the conformal Ward identities. Zero-point blocks on the torus are characters of representations of the Virasoro algebra; four-point blocks on the sphere reduce to hypergeometric functions in special cases, but are in general much more complicated. In two dimensions as in other dimensions, conformal blocks play an essential role in the conformal bootstrap approach to conformal field theory.

References

1 2 Dwork, Cynthia; McSherry, Frank; Nissim, Kobbi; Smith, Adam (2006). "Calibrating Noise to Sensitivity in Private Data Analysis". Theory of Cryptography. Lecture Notes in Computer Science. Vol. 3876. pp. 265–284. doi: 10.1007/11681878_14 . ISBN 978-3-540-32731-8.
↑ Ghosh, Arpita; Roughgarden, Tim; Sundararajan, Mukund (2012). "Universally Utility-maximizing Privacy Mechanisms". SIAM Journal on Computing. 41 (6): 1673–1693. arXiv: 0811.2841 . doi:10.1137/09076828X.
↑ Gupte, Mangesh; Sundararajan, Mukund (June 2010). "Universally optimal privacy mechanisms for minimax agents". Proceedings of the twenty-ninth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems. pp. 135–146. arXiv: 1001.2767 . doi:10.1145/1807085.1807105. ISBN 9781450300339. S2CID 11553565.
↑ Brenner, Hai; Nissim, Kobbi (January 2014). "Impossibility of Differentially Private Universally Optimal Mechanisms". SIAM Journal on Computing. 43 (5): 1513–1540. arXiv: 1008.0256 . doi:10.1137/110846671. S2CID 17362150.
1 2 Dwork, Cynthia; Roth, Aaron (2013). "The Algorithmic Foundations of Differential Privacy" (PDF). Foundations and Trends in Theoretical Computer Science. 9 (3–4): 211–407. doi:10.1561/0400000042. ISSN 1551-305X.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[DMNS06-1] 1 2 Dwork, Cynthia; McSherry, Frank; Nissim, Kobbi; Smith, Adam (2006). "Calibrating Noise to Sensitivity in Private Data Analysis". Theory of Cryptography. Lecture Notes in Computer Science. Vol. 3876. pp. 265–284. doi: 10.1007/11681878_14 . ISBN 978-3-540-32731-8.

[2] Ghosh, Arpita; Roughgarden, Tim; Sundararajan, Mukund (2012). "Universally Utility-maximizing Privacy Mechanisms". SIAM Journal on Computing. 41 (6): 1673–1693. arXiv: 0811.2841 . doi:10.1137/09076828X.

[3] Gupte, Mangesh; Sundararajan, Mukund (June 2010). "Universally optimal privacy mechanisms for minimax agents". Proceedings of the twenty-ninth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems. pp. 135–146. arXiv: 1001.2767 . doi:10.1145/1807085.1807105. ISBN 9781450300339. S2CID 11553565.

[4] Brenner, Hai; Nissim, Kobbi (January 2014). "Impossibility of Differentially Private Universally Optimal Mechanisms". SIAM Journal on Computing. 43 (5): 1513–1540. arXiv: 1008.0256 . doi:10.1137/110846671. S2CID 17362150.

[DworkRoth-5] 1 2 Dwork, Cynthia; Roth, Aaron (2013). "The Algorithmic Foundations of Differential Privacy" (PDF). Foundations and Trends in Theoretical Computer Science. 9 (3–4): 211–407. doi:10.1561/0400000042. ISSN 1551-305X.

[1]

[2]

[3]

[4]

[5]