Presentation is loading. Please wait.

Presentation is loading. Please wait.

An brief tour of Differential Privacy Avrim Blum Computer Science Dept Your guide:

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "An brief tour of Differential Privacy Avrim Blum Computer Science Dept Your guide:"— Presentation transcript:

1 An brief tour of Differential Privacy Avrim Blum Computer Science Dept Your guide:

2 Itinerary Stop 1: A motivating example. Why seemingly similar notions from crypto aren’t sufficient. Stop 2: Definition of differential privacy and a basic mechanism for preserving it. Stop 3: Privacy/utility tradeoffs: ask a silly (sensitive) question, get a silly answer. Stop 4: Other kinds of mechanisms, releasing sanitized databases, more privacy/utility tradeoffs, and discussion.

3 A preliminary story A classic cool result from theoretical crypto: –Say you want to figure out the average salary of people in the room, without revealing anything about your own salary other than what is inherent in the answer. Turns out you can actually do this. In fact, any function at all. “secure multiparty computation”. –It’s really cool. Want to try? Anyone have to go to the bathroom? –What happens if we do it again?

4 Differential Privacy [Dwork et al.] “Lets you go to the bathroom in peace” –What we want is a protocol that has a probability distribution over outputs such that if person i changed their input from x i to any other allowed x i ’, the relative probabilities of any output do not change by much. –So, for instance, can pretend your input was any other allowed value you want. Can view as model of “plausible deniability”. –Even if no bad intent, who knows what prior info people have?

5 Differential Privacy: Definition It’s a property of a protocol A which you run on some dataset X producing some output A(X). A is ² -differentially private if for any two neighbor datasets X, X’ (differ in just one element x i ! x i ’), for all outcomes v, e - ² · Pr(A(X)=v)/Pr(A(X’)=v) · e ² xixi x’ i ¼ 1- ² ¼ 1+ ² probability over randomness in A

6 Differential Privacy: Definition It’s a property of a protocol A which you run on some dataset X producing some output A(X). A is ² -differentially private if for any two neighbor datasets X, X’ (differ in just one element x i ! x i ’), for all outcomes v, e - ² · Pr(A(X)=v)/Pr(A(X’)=v) · e ² ¼ 1- ² ¼ 1+ ² probability over randomness in A View as model of plausible deniability (pretend after the fact that my input was really x i ’ )

7 Differential Privacy: Definition It’s a property of a protocol A which you run on some dataset X producing some output A(X). A is ² -differentially private if for any two neighbor datasets X, X’ (differ in just one element x i ! x i ’), for all outcomes v, e - ² · Pr(A(X)=v)/Pr(A(X’)=v) · e ² ¼ 1- ² ¼ 1+ ² probability over randomness in A Outcomes leading to embarrassment Outcomes leading to new understanding No-op outcomes

8 Differential Privacy: Definition It’s a property of a protocol A which you run on some dataset X producing some output A(X). A is ² -differentially private if for any two neighbor datasets X, X’ (differ in just one element x i ! x i ’), for all outcomes v, e - ² · Pr(A(X)=v)/Pr(A(X’)=v) · e ² ¼ 1- ² ¼ 1+ ² probability over randomness in A What if you participate in two protocols A and B? e - 2² · Pr(A(X)=v & B(X)=w)/Pr(A(X’)=v & B(X’)=w) · e 2² So, combination is 2 ² -DP.

9 Differential Privacy: Definition It’s a property of a protocol A which you run on some dataset X producing some output A(X). A is ² -differentially private if for any two neighbor datasets X, X’ (differ in just one element x i ! x i ’), for all outcomes v, e - ² · Pr(A(X)=v)/Pr(A(X’)=v) · e ² ¼ 1- ² ¼ 1+ ² probability over randomness in A OK, great. How can we achieve it? What kind of ² can we get with reasonable utility? Silly algorithm: A(X)=0 no matter what. Or A(X)=unif[0,b]

10 Differential Privacy via output perturbation Say have n inputs in range [0,b]. Want to release average while preserving privacy. Natural idea: take output and perturb with noise. First thought: add Gaussian noise. Value with me b/n e - ¾ (x-b/n)^2 / e - ¾ x^2 ¼ e 2 ¾ xb/n x Value without me

11 Differential Privacy via output perturbation Say have n inputs in range [0,b]. Want to release average while preserving privacy. Natural idea: take output and perturb with noise. Better: Laplace (or geometric) distrib p(x) / e -|x|/ ¸ Value without me Value with me e -(x-b/n)/ ¸ /e -x/ ¸ = e b/n ¸ x b/n Set ¸ = b/(n ² )

12 “Laplace mechanism” So, add noise roughly 1/ ² £ (effect any individual can have on outcome) gives desired ratio e ² ¼ (1+ ² ). If want answer within § ® b, need n ¸ 1/( ²® ). Utility/privacy/database-size tradeoff Value without me Value with me x b/n Set ¸ = b/(n ² )

13 Laplace mechanism more generally E.g., f = standard deviation of income E.g., f = result of some fancy computation. f f(X) + noise Global Sensitivity of f: GS f = max neighbors X,X’ |f(X) – f(X’)| Just add noise Lap(GS f / ² ).

14 What can we do with this? Interface to ask questions Run learning algorithms by breaking down interaction into series of queries. But, each answer leaks some privacy: –If k questions and want total privacy loss of ², better answer each with ² /k. f f(x) + noise

15 Remainder of talk Local sensitivity / Smooth sensitivity [Nissim- Raskhodnikova-Smith ’07] Objective perturbation [Chaudhuri-Monteleoni-Sarwate ‘08] Sample and Aggregate [NRS ‘07] Exponential Mechanism [McSherry-Talwar ‘07] What can you say about publishing a sanitized database?

16 Local Sensitivity Consider f = median income –On some databases, f could be *very* sensitive. E.g., 3 people at salary=0, 3 people at salary=b, and you. –But on many databases, it’s not. –If f is not very sensitive on the actual input X, does that mean we don’t need to add much noise? f f(X) + noise LS f (X) = max nbrs X’ |f(X)-f(X’)|

17 Local Sensitivity Consider f = median income –If f is not very sensitive on the actual input X, does that mean we don’t need to add much noise? Be careful: what if sensitivity itself is sensitive? f f(X) + noise X ! X’ ! X’’

18 Smooth Sensitivity [NRS07] prove can instead use (roughly) the following smooth bound instead: Max Y [ LS f (Y) ¢ e - ² d(X,Y) ] f f(X) + noise With Anupam Datta, Jeremiah Blocki, Or Sheffet: looking at how to efficiently compute for various graph quantities in networks.

19 Aside… What should differential privacy mean in a networks context? –You can plausibly claim your actual set of neighbors was anything you want –Too stringent? How about “subject to being a non- celebrity?” –Too risky? Impact of your presence in network on other parts of network structure? f f(X) + noise

20 Smooth Sensitivity In principle, could apply sensitivity idea to any learning algorithm (say) that you’d like to run on your data. But might be hard to figure out or might give really bad bounds. Alg Alg(X) + noise

21 Sample-and-aggregate (also [NRS07]) Say you have some learning algorithm and hard to tell how sensitive it would be to changing a single input. Some way to run it privately anyway? Alg Alg(X) + noise

22 Sample-and-aggregate (also [NRS07]) Get outputs Then average these outputs. Run learning algorithm on disjoint pieces

23 Objective perturbation [CMS08] Idea: add noise to the objective function used by the learning algorithm. Natural for algorithms like SVMs that have regularization term. [CMS] show how to do this, if use a smooth loss function. Also show nice experimental results. Alg* = Alg + noise Alg*(X)

24 Exponential Mechanism [MT07] What about running some generic optimization algorithm? [[skip for now]] Alg Alg*(X)

25 What about outputting sanitized databases? So far, just question-answering. Each answer leaks some privacy – at some point, have to shut down. What about outputting a sanitized database that people could then examine as they wish? And is related to the original database…

26 What about outputting sanitized databases? Could ask a few questions (using previous mechs) and then engineer a database that roughly agrees on these answers. But really, we want a database that matches on questions we haven’t asked yet. Do you need to leak privacy in proportion to number of questions asked?

27 What about outputting sanitized databases? Actually, no you don’t [B-Ligett-Roth] Fix a class C of quantities to preserve. E.g., fraction of entries with x[i 1 ]=1, x[i 2 ]=0…x[i k ]=1. Want ² -privacy and preserve all q 2 C up to § ®. [BLR] show: in principle, can do with database of size only n = O(d log |C|). n d Allowing exponentially- many questions! (At least not for count-queries)

28 Pr(D) / e -O( ² n penalty( D )) What about outputting sanitized databases? Idea: Standard results from learning/statistics say that there exist small databases that apx preserve all quantities in C. m = O(log |C|) is sufficient. Put explicit distribution on them, using exponential mechanism of [McSherry-Talwar] Solve to get n ¼ (d log C)/( ²® 3 ) n m d

29 Pr(D) / e -O( ² n penalty( D )) What about outputting sanitized databases? Idea: Standard results from learning/statistics say that there exist small databases that apx preserve all quantities in C. m = O(log |C|) is sufficient. Put explicit distribution on them, using exponential mechanism of [McSherry-Talwar] But, seems extremely hard to get efficient alg. n m d

30 Differential Privacy summary & discussion Positives: Clear semantic definition. Any event (anything an adversary might do to you) has nearly same prob if you join or don’t join, lie or tell the truth. Nice composability properties. Variety of mechanisms developed for question answering in this framework. *Some* work on sanitized database release.

31 Differential Privacy summary & discussion Negatives / open issues It’s a pessimistic/paranoid quantity, so may be more restrictive than needed. “ ² ” is not zero. Privacy losses add up with most mechanisms (but see, e.g., [RR10],[HR10]) Doesn’t address group information. Notion of “neighboring database” might need to be different in network settings. …

Download ppt "An brief tour of Differential Privacy Avrim Blum Computer Science Dept Your guide:"

Similar presentations

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.
Publishing Set-Valued Data via Differential Privacy Rui Chen, Concordia University Noman Mohammed, Concordia University Benjamin C. M. Fung, Concordia.

Publishing Set-Valued Data via Differential Privacy Rui Chen, Concordia University Noman Mohammed, Concordia University Benjamin C. M. Fung, Concordia.
Differentially Private Recommendation Systems Jeremiah Blocki Fall 2009 18739A: Foundations of Security and Privacy.

Differentially Private Recommendation Systems Jeremiah Blocki Fall A: Foundations of Security and Privacy.
Lecture 24 Coping with NPC and Unsolvable problems. When a problem is unsolvable, that's generally very bad news: it means there is no general algorithm.

Lecture 24 Coping with NPC and Unsolvable problems. When a problem is unsolvable, that's generally very bad news: it means there is no general algorithm.
Distributed Machine Learning: Communication, Efficiency, and Privacy Avrim Blum [RaviKannan60] Joint work with Maria-Florina Balcan, Shai Fine, and Yishay.

Distributed Machine Learning: Communication, Efficiency, and Privacy Avrim Blum [RaviKannan60] Joint work with Maria-Florina Balcan, Shai Fine, and Yishay.
Private Analysis of Graph Structure With Vishesh Karwa, Sofya Raskhodnikova and Adam Smith Pennsylvania State University Grigory Yaroslavtsev

Private Analysis of Graph Structure With Vishesh Karwa, Sofya Raskhodnikova and Adam Smith Pennsylvania State University Grigory Yaroslavtsev
Raef Bassily Adam Smith Abhradeep Thakurta Penn State Yahoo! Labs Private Empirical Risk Minimization: Efficient Algorithms and Tight Error Bounds Penn.

Raef Bassily Adam Smith Abhradeep Thakurta Penn State Yahoo! Labs Private Empirical Risk Minimization: Efficient Algorithms and Tight Error Bounds Penn.
Quick Sort, Shell Sort, Counting Sort, Radix Sort AND Bucket Sort

Quick Sort, Shell Sort, Counting Sort, Radix Sort AND Bucket Sort
Foundations of Privacy Lecture 4 Lecturer: Moni Naor.

Foundations of Privacy Lecture 4 Lecturer: Moni Naor.
Theoretical Probability Distributions We have talked about the idea of frequency distributions as a way to see what is happening with our data. We have.

Theoretical Probability Distributions We have talked about the idea of frequency distributions as a way to see what is happening with our data. We have.
Privacy Enhancing Technologies

Privacy Enhancing Technologies
ALADDIN Workshop on Graph Partitioning in Vision and Machine Learning Jan 9-11, 2003 Welcome! [Organizers: Avrim Blum, Jon Kleinberg, John Lafferty, Jianbo.

ALADDIN Workshop on Graph Partitioning in Vision and Machine Learning Jan 9-11, 2003 Welcome! [Organizers: Avrim Blum, Jon Kleinberg, John Lafferty, Jianbo.
COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM.

COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM.
Seminar in Foundations of Privacy 1.Adding Consistency to Differential Privacy 2.Attacks on Anonymized Social Networks Inbal Talgam March 2008.

Seminar in Foundations of Privacy 1.Adding Consistency to Differential Privacy 2.Attacks on Anonymized Social Networks Inbal Talgam March 2008.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.

Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.
How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb.

How Should We Solve Search Problems Privately? Kobbi Nissim – BGU A. Beimel, T. Malkin, and E. Weinreb.
CPSC 689: Discrete Algorithms for Mobile and Wireless Systems Spring 2009 Prof. Jennifer Welch.

CPSC 689: Discrete Algorithms for Mobile and Wireless Systems Spring 2009 Prof. Jennifer Welch.
Foundations of Privacy Lecture 3 Lecturer: Moni Naor.

Foundations of Privacy Lecture 3 Lecturer: Moni Naor.
Machine Learning for Mechanism Design and Pricing Problems Avrim Blum Carnegie Mellon University Joint work with Maria-Florina Balcan, Jason Hartline,

Machine Learning for Mechanism Design and Pricing Problems Avrim Blum Carnegie Mellon University Joint work with Maria-Florina Balcan, Jason Hartline,

Similar presentations

Ads by Google