Additive noise differential privacy mechanisms

Template:Main

Additive noise differential privacy mechanisms are a class of techniques used to ensure differential privacy when releasing the results of computations on sensitive datasets. They work by adding carefully calibrated random noise, drawn from specific probability distributions, to the true output of a function. This added noise obscures the influence of any single individual's data, thereby protecting their privacy while still allowing for meaningful statistical analysis. Common distributions used for noise generation include the Laplace and Gaussian distributions. These mechanisms are particularly useful for functions that output real-valued numbers.

Both mechanisms require that the sensitivity of a query function first be determined. The sensitivity is the amount that the result of the query can be changed by adding or removing a person's data from the dataset, where "a person" is any possible person. For queries that count the number of people who meet a requirement, the sensitivity is 1.

Here is the formal definition of sensitivity.

Let ${\displaystyle 𝒟}$ be a collection of all datasets and ${\displaystyle f:𝒟\to ℝ}$ be a real-valued function. The sensitivity ^[1] of a function, denoted ${\displaystyle \mathrm{\Delta }f}$, is defined by

${\displaystyle \mathrm{\Delta }f=\max |f(x)-f(y)|,}$

where the maximum is over all pairs of datasets ${\displaystyle x}$ and ${\displaystyle y}$ in ${\displaystyle 𝒟}$ differing in at most one element. For functions with higher dimensions, the sensitivity is usually measured under ${\displaystyle {\ell }_1}$ or ${\displaystyle {\ell }_2}$ norms.

Throughout this article, ${\displaystyle ℳ}$ is used to denote a randomized algorithm that releases a sensitive function ${\displaystyle f}$ under the ${\displaystyle ϵ}$- (or ${\displaystyle (ϵ,\delta )}$-) differential privacy.

A Real-valued function is any function that returns a "real" value --- that is, a positive or negative number that can be represented by decimal fraction (e.g. 0.5, or 1.32).

Introduced by Dwork et al.,^[1] this mechanism adds noise drawn from a Laplace distribution:

${\displaystyle {ℳ}_{\mathrm{L}\mathrm{a}\mathrm{p}}(x,f,ϵ)=f(x)+\mathrm{L}\mathrm{a}\mathrm{p}(\mu =0,b=\frac{\mathrm{\Delta }f}{ϵ}),}$

where ${\displaystyle \mu }$ is the expectation of the Laplace distribution and ${\displaystyle b}$ is the scale parameter. Roughly speaking, a small-scale noise should suffice for a weak privacy constraint (corresponding to a large value of ${\displaystyle ϵ}$), while a greater level of noise would provide a greater degree of uncertainty in what was the original input (corresponding to a small value of ${\displaystyle ϵ}$).

To argue that the mechanism satisfies ${\displaystyle ϵ}$-differential privacy, it suffices to show that the output distribution of ${\displaystyle {ℳ}_{\mathrm{L}\mathrm{a}\mathrm{p}}(x,f,ϵ)}$ is close in a multiplicative sense to ${\displaystyle {ℳ}_{\mathrm{L}\mathrm{a}\mathrm{p}}(y,f,ϵ)}$ everywhere.$${\displaystyle \begin{array}{cc}\frac{\mathrm{P}\mathrm{r}({ℳ}_{\mathrm{L}\mathrm{a}\mathrm{p}}(x,f,ϵ)=z)}{\mathrm{P}\mathrm{r}({ℳ}_{\mathrm{L}\mathrm{a}\mathrm{p}}(y,f,ϵ)=z)}& =\frac{\mathrm{P}\mathrm{r}(f(x)+\mathrm{L}\mathrm{a}\mathrm{p}(0,\frac{\mathrm{\Delta }f}{ϵ})=z)}{\mathrm{P}\mathrm{r}(f(y)+\mathrm{L}\mathrm{a}\mathrm{p}(0,\frac{\mathrm{\Delta }f}{ϵ})=z)}\\ & =\frac{\mathrm{P}\mathrm{r}(\mathrm{L}\mathrm{a}\mathrm{p}(0,\frac{\mathrm{\Delta }f}{ϵ})=z-f(x))}{\mathrm{P}\mathrm{r}(\mathrm{L}\mathrm{a}\mathrm{p}(0,\frac{\mathrm{\Delta }f}{ϵ})=z-f(y))}\\ & =\frac{\frac{1}{2b}\exp (-\frac{|z-f(x)|}{b})}{\frac{1}{2b}\exp (-\frac{|z-f(y)|}{b})}\\ & =\exp \left(\frac{|z-f(y)|-|z-f(x)|}{b}\right)\\ & \le \exp \left(\frac{|f(y)-f(x)|}{b}\right)\\ & \le \exp \left(\frac{\mathrm{\Delta }f}{b}\right)=\exp (ϵ).\end{array}}$$ The first inequality follows from the triangle inequality and the second from the sensitivity bound. A similar argument gives a lower bound of ${\displaystyle \exp (-ϵ)}$.

A discrete variant of the Laplace mechanism, called the geometric mechanism, is universally utility-maximizing.^[2] It means that for any prior (such as auxiliary information or beliefs about data distributions) and any symmetric and monotone univariate loss function, the expected loss of any differentially private mechanism can be matched or improved by running the geometric mechanism followed by a data-independent post-processing transformation. The result also holds for minimax (risk-averse) consumers.^[3] No such universal mechanism exists for multi-variate loss functions.^[4]

Analogous to Laplace mechanism, Gaussian mechanism adds noise drawn from a Gaussian distribution whose variance is calibrated according to the sensitivity and privacy parameters. For any ${\displaystyle \delta \in (0,1)}$ and ${\displaystyle ϵ\in (0,1)}$, the mechanism defined by:

${\displaystyle {ℳ}_{\text{Gauss}}(x,f,ϵ,\delta )=f(x)+𝒩(\mu =0,{\sigma }^2=\frac{2\ln (1.25/\delta )\cdot (\mathrm{\Delta }f{)}^2}{{ϵ}^2})}$

provides ${\displaystyle (ϵ,\delta )}$-differential privacy.

Note that, unlike Laplace mechanism, ${\displaystyle {ℳ}_{\text{Gauss}}}$ only satisfies ${\displaystyle (ϵ,\delta )}$-differential privacy with ${\displaystyle ϵ<1}$. To prove so, it is sufficient to show that, with probability at least ${\displaystyle 1-\delta }$, the distribution of ${\displaystyle {ℳ}_{\text{Gauss}}(x,f,ϵ,\delta )}$ is close to ${\displaystyle {ℳ}_{\text{Gauss}}(y,f,ϵ,\delta )}$. See Appendix A in Dwork and Roth for a proof of this result^[5]).

For high dimensional functions of the form ${\displaystyle f:𝒟\to {ℝ}^d}$, where ${\displaystyle d\ge 2}$, the sensitivity of ${\displaystyle f}$ is measured under ${\displaystyle {\ell }_1}$ or ${\displaystyle {\ell }_2}$ norms. The equivalent Gaussian mechanism that satisfies ${\displaystyle (ϵ,\delta )}$-differential privacy for such function (still under the assumption that ${\displaystyle ϵ<1}$) is

${\displaystyle {ℳ}_{\text{Gauss}}(x,f,ϵ,\delta )=f(x)+{𝒩}^d(\mu =0,{\sigma }^2=\frac{2\ln (1.25/\delta )\cdot ({\mathrm{\Delta }}_{2}f{)}^2}{{ϵ}^2}),}$

where ${\displaystyle {\mathrm{\Delta }}_{2}f}$ represents the sensitivity of ${\displaystyle f}$ under ${\displaystyle {\ell }_2}$ norm and ${\displaystyle {𝒩}^d(0,{\sigma }^2)}$ represents a ${\displaystyle d}$-dimensional vector, where each coordinate is a noise sampled according to ${\displaystyle 𝒩(0,{\sigma }^2)}$ independent of the other coordinates (see Appendix A in Dwork and Roth^[5] for proof).

Template:Reflist