Differentially Private Mechanisms for Count Queries^∗¹¹1^∗This is a working paper. Comments to improve this work are welcome.

Parastoo Sadeghi^†, Shahab Asoodeh^‡ and Flavio du Pin Calmon^‡
^†RSEEME, Australian National University, Australia
^‡ School of Engineering and Applied Sciences, Harvard University, USA
Emails: parastoo.sadeghi@anu.edu.au, {shahab, flavio}@seas.harvard.edu

Abstract

In this paper, we consider the problem of responding to a count query (or any other integer-valued queries) evaluated on a dataset containing sensitive attributes. To protect the privacy of individuals in the dataset, a standard practice is to add continuous noise to the true count. We design a differentially-private mechanism which adds integer-valued noise allowing the released output to remain integer. As a trade-off between utility and privacy, we derive privacy parameters ${\varepsilon}$ and $\delta$ in terms of the the probability of releasing an erroneous count under the assumption that the true count is no smaller than half the support size of the noise. We then numerically demonstrate that our mechanism provides higher privacy guarantee compared to the discrete Gaussian mechanism that is recently proposed in the literature.

I Introduction

Conducting nationwide censuses is one of the most important tasks of national or federal agencies around the world. For example, the 2020 Census in the US is currently under way, which is conducted by the US Bureau of the Census every ten years [1]. In Australia, census is conducted by the Australian Bureau of Statistics (ABS) every five years and the next round is due in 2021 [2]. Responding to count queries about census outcomes is one of the most important tasks of such agencies. This can be important for distributing national funds, determining optimal voting districts and conducting various scientific or economic studies of the population. However, this might lead to dire privacy compromises.

In order to protect the privacy of individuals in the census records, the true census results are heavily guarded. Instead, noisy versions may be released to the public in a one-off general-purpose publication or privately disclosed to a data analyst in response to specific queries. There is clearly a tension between releasing an accurate and reliable version of the census outcome and protecting the privacy of individuals in a population. This tension gets aggravated particularly for underrespresented groups in small towns and counties. Oftentimes, their livelihoods and future funding depends on them being accurately accounted for in published census results. At the same, due to being very small in size, they are at the greatest risk of being re-identified even if perturbed versions of their data is published. For an interesting coverage of this issue in the 2010 and 2020 US Census rounds, the reader is referred to a recent article published in the New York Times [3].

Motivated by these applications, in this paper we are interested in formulating and studying optimal tradeoffs between utility and privacy when a data analyst sends a query to a data curator about the number of individuals with a common sensitive attribute in a large dataset. Assuming $n$ is the true count, the data curator releases a random variable $Y=n+Z$ , where $Z$ is an integer-valued noise variable with a suitably-chosen probability distribution.

It is not surprising that the celebrated differential privacy (DP) framework [4] has been applied to integer-valued mechanisms for count queries. In fact, DP is a strong candidate for publishing private 2020 US Census outcomes [5]. Other countries such as Australia and New Zealand are closely watching this space and have already taken steps in evaluating the performance of their existing mechanisms “from the lens of differential privacy” [6].

A standard approach to preserving ${\varepsilon}$ -DP is to perturb the count query by adding random noise $Z$ with Laplacian distribution whose variance is proportional to a certain property of the query (i.e., sensitivity). Adding continuous noise to an integer-valued query makes the output less interpretable. Geometric distribution, as the discrete counterpart of Laplace distribution, was shown in [7] to be ”optimal” for integer-valued queries with unit sensitivity. The optimality was defined in terms of minimizing the expected cost function (chosen from a family of utility functions with some mild regularity conditions) under a Bayesian framework. Their result, in particular, implies that adding (truncated or folded) geometric noise to the above-mentioned counting query preserves DP while minimizing the probability of error, $\Pr(Z\neq 0)$ . This setting was extended to the mini-max setting in [8] and to queries with general sensitivity and under the worst case setting in [9]. The design and implementation of geometric distribution on finite-precision machines were investigated in [10].

More recently, the problem of minimizing the $L_{p}$ -norm of error of the query output, subject to ${\varepsilon}$ -DP, was revisited in [11]. It was argued that despite minimizing the probability of error, the geometric mechanism suffers from a number of limitations. Most importantly, the error $p(Y\neq n)$ depends on the true count $n$ , leading to uneven accuracy for different queries. In the very high-privacy regime when ${\varepsilon}\to 0$ , this unevenness in the distribution results in overwhelmingly reporting two extreme values $Y=0$ or $Y=\max~{}n$ (zero count or maximum possible count in the database). To address this issue, they proposed an explicit fair mechanism (EM). However, the noise in the EM method adds bias, that is, $\mathbb{E}[Y|n]\neq n$ . Moreover, EM (and also truncated geometric) mechanism does not restrict the support size of the noise. As such, the output can be any number between the two extremes $y=0$ and $y=\max n$ with non-zero probability.

In a different, and quite recent, line of work, a discrete version of the Gaussian density was considered for designing privacy-preserving mechanism for count queries. In particular, it was shown in [12] that adding “discrete” Gaussian noise provides similar privacy and utility guarantees to those obtained by the well-understood Gaussian mechanism. Discrete Gaussian noise is supported over $\mathbb{Z}$ and thus the output of such mechanism can be all integers regardless of the domain of the query. This might lead to unpleasant outcomes in some practical scenarios. For example, according to the New York Times article [3], the population of a county in the 2010 US Census was over-reported by a factor of almost 8 (the true count was around 90, but was reported to be around 920). While post-processing (truncating or folding the probability mass function) can be used to limit the range of discrete Gaussian mechanisms, the question remains whether one can explicitly incorporate a finite support of the noise into the mechanism design process.

In this paper, we adopt a different approach than [11, 12]. We begin by enforcing three basic desired constraints on the noise distribution. These properties include zero bias, fixed hard support, and fixed error probability irrespective of the true count $n$ . By varying the probability of error we can trade off accuracy with privacy. The hard support for $Z$ ensures that for any given $n$ , the output $n+Z$ takes value in a pre-specified range with probability one; in particular $Y$ is required to be always non-negative. We first design a noise distribution satisfying above constraints and then use it to construct a differentially-private mechanism (under a mild condition on the dataset). The constraint on the noise support has two implications. First, the values of the noise added must depend on the true count $n$ (to ensure the non-negativity of the output). Second, the mechanism provides a slightly relaxed privacy guarantee: it is ${\varepsilon}$ -DP with probability $1-\delta$ for some parameter $\delta>0$ . This framework is known as approximate DP and usually denoted by $({\varepsilon},\delta)$ -DP [13, 14]. While the proposed noise has similar distribution as discrete Gaussian (with slightly heavier tail), our numerical findings indicate that the privacy performance of our mechanism (in terms of ${\varepsilon}$ and $\delta$ ) is tighter than what would be obtained via discrete Gaussian mechanism with the same variance.

We can summarize our observations about the interplay of privacy and utility parameters as follows. As expected, a lower privacy requirement, i.e., higher ${\varepsilon}$ , results in lower $\delta$ when the noise support size and probability of releasing an erroneous value are fixed. By moderately increasing the noise support size while keeping ${\varepsilon}$ and error probability fixed, we can also significantly improve $\delta$ . For example, increasing the noise support from $2D+1=9$ to $2D^{\prime}+1=13$ we obtain significantly smaller $\delta$ . It turns out that when ${\varepsilon}$ and the noise support size are fixed, reducing the error probability (and hence improving data reliability) can be tolerated up a certain threshold without significantly affecting $\delta$ . However, further reducing the error probability below such a threshold can have severe effects on the privacy performance through increasing $\delta$ beyond typically acceptable levels.

Notation: For an integer $N\in\mathbb{N}$ , we use $[N]$ to denote the set $\{1,2,\cdots,N\}$ . For $a,b\in\mathbb{Z}$ and $a\leq b$ , we use $[a:b]$ to denote the set $\{a,a+1,\cdots,b\}$ .

II Problem Formulation

Suppose a dataset of size at most $N$ is given. A query on the number of entries in the database that possess a certain sensitive attribute is received by the data curator. Assume $n\in[N]$ is the actual (positive) count of such attribute. To protect the privacy of individuals in the dataset, the data curator releases a noisy version of $n$ as

\displaystyle Y=n+Z,

(1)

where $Z$ is an integer-valued noise variable. We assume the noise distribution $p_{Z}(\cdot|n)$ satisfies the following intuitive properties:

P1.

Fix $D\in\mathbb{N}$ . Noise variable $Z$ takes values in $[-A:D]$ , where $A\doteq\min\{n,D\}$ , i.e., $p_{Z}(z|n)=0$ if $z\notin[-A:D]$ . This properties ensures that the mechanism’s output is always non-negative. A smaller $D$ implies a smaller noise support set, which in turn implies a larger accuracy in reporting the query.²²2Note that the support of the output for a given $n$ is limited to $[n-A:n+D]$ . For $\max\{1,N-D+1\}\leq n\leq N$ , we allow the output to be greater than the maximum possible real count $N$ (by at most $D$ ). If $N\gg D$ , this overshoot is negligible.
P2.

Fix $\eta\in(0,1)$ . The probability of releasing the correct value is set to

$p_{Y}(Y=n)=\eta,$

irrespective of the true count $n$ . Equivalently, the probability of releasing an erroneous value is

$p_{Y}(Y\neq n)=1-\eta\doteq\bar{\eta}.$

A larger $\eta$ means more reliability in releasing the correct value. Conversely, a smaller $\eta$ means better privacy in the sense of concealing the true count of the sensitive attribute in the dataset.
P3.

In addition, the error must have zero bias. That is, $\mathbb{E}[Z|n]=0$ , which is a statistically desirable property.³³3Note that if $n=0$ , maintaining zero bias is not possible jointly with $\eta<1$ and P1. Hence, we limit ourselves to queries with $n\geq 1$ .

The following proposition provides a simple family of noise distribution that satisfy these properties.

Proposition 1.

Let the true count for a query be $n\in[N]$ . For any $i_{1}\in[-A:-1]$ and $i_{2}\in[D]$ , the following distribution satisfies P1-P3

\displaystyle p^{(i_{1},i_{2})}_{Z}(z|n)=\begin{cases}\bar{\eta}\frac{i_{2}}{i_{2}+|i_{1}|},\quad&z=i_{1},\\ \eta,\quad&z=0,\\ \bar{\eta}\frac{|i_{1}|}{i_{2}+|i_{1}|},\quad&z=i_{2},\\ 0,\quad&\text{otherwise}.\end{cases}

(2)

In light of this proposition, we can obtain that any convex combination of $p^{(i_{1},i_{2})}_{Z}(z|n)$ , i.e.,

\displaystyle p_{Z}(z|n)\doteq\sum_{i_{1}=-A}^{-1}\sum_{i_{2}=1}^{D}\alpha_{i_{1},i_{2},n}\,\,p^{(i_{1},i_{2})}_{Z}(z|n),

(3)

with non-negative coefficients $\alpha_{i_{1},i_{2},n}$ satisfying $\sum_{i_{1}=-A}^{-1}\sum_{i_{2}=1}^{D}\alpha_{i_{1},i_{2},n}=1$ , also meets P1-P3. We can thus use this convex combination to obtain a general data-dependent noise distribution satisfying P1-P3. The following example makes this construction clear.

Example 1.

Let $N=3$ , $\eta=\frac{1}{2}$ and $D=2$ . Note that for $n=1$ , two distributions are possible for $p^{(i_{1},i_{2})}_{Z}(z|1)$ by choosing $(i_{1},i_{2})=(-1,1)$ and $(i_{1},i_{2})=(-1,2)$ , as described below

p^{(-1,1)}_{Z}(z|1)=\begin{cases}\frac{1}{4},\quad&z=-1,1\\ \frac{1}{2},\quad&z=0,\\ 0,\quad&\text{otherwise},\end{cases}\qquad\text{and}\qquad p^{(-1,2)}_{Z}(z|1)=\begin{cases}\frac{1}{3},\quad&z=-1,\\ \frac{1}{2},\quad&z=0,\\ \frac{1}{6},\quad&z=2,\\ 0,\quad&\text{otherwise}.\end{cases}

(4)

For $n=2$ and $n=3$ , four distributions are similarly possible by combining $i_{1}=-2,-1$ with $i_{2}=1,2$ . Overall, the general convex structure in (3) produces the noise distributions $p_{Z}(\cdot|1),p_{Z}(\cdot|2),$ and $p_{Z}(\cdot|3)$ given by

\displaystyle p_{Z}(z|n)=\left(\begin{matrix}n=1&&n=2&&n=3\\ \hline\cr\\ 0&&\frac{1}{4}\alpha_{-2,2,2}+\frac{1}{6}\alpha_{-2,1,2}&&\frac{1}{4}\alpha_{-2,2,3}+\frac{1}{6}\alpha_{-2,1,3}\\ \frac{1}{4}\alpha_{-1,1,1}+\frac{1}{3}\alpha_{-1,2,1}&&\frac{1}{4}\alpha_{-1,1,2}+\frac{1}{3}\alpha_{-1,2,2}&&\frac{1}{4}\alpha_{-1,1,3}+\frac{1}{3}\alpha_{-1,2,3}\\ \frac{1}{2}&&\frac{1}{2}&&\frac{1}{2}\\ \frac{1}{4}\alpha_{-1,1,1}&&\frac{1}{4}\alpha_{-1,1,2}+\frac{1}{3}\alpha_{-2,1,2}&&\frac{1}{4}\alpha_{-1,1,3}+\frac{1}{3}\alpha_{-2,1,3}\\ \frac{1}{6}\alpha_{-1,2,1}&&\frac{1}{4}\alpha_{-2,2,2}+\frac{1}{6}\alpha_{-1,2,2}&&\frac{1}{4}\alpha_{-2,2,3}+\frac{1}{6}\alpha_{-1,2,3}\end{matrix}\right).

(5)

Each column of this matrix is a valid noise distribution for a given $n\in[N]$ , subject to $\sum_{i_{1}=-A}^{-1}\sum_{i_{2}=1}^{D}\alpha_{i_{1},i_{2},n}=1$ . Note that row indices range from $z=-D$ to $z=D$ . Also, note that $p_{Z}(-2|1)=0$ . This is because for $n=1$ , we have $A=\min\{n,D\}=1$ , dictating $[-1:2]$ as the support set of $p_{1}$ , instead of $[-2:2]$ . Moreover, $p_{Z}(z|n)=0$ for $n\geq 4$ or $z\notin[-2:2]$ . By adding such noise to the true count $n$ , the distribution of $Y$ , given $n$ , becomes

\displaystyle p_{Y}(y|n)=\left(\begin{matrix}n=1&&n=2&&n=3\\ \hline\cr\\ \frac{1}{4}\alpha_{-1,1,1}+\frac{1}{3}\alpha_{-1,2,1}&&\frac{1}{4}\alpha_{-2,2,2}+\frac{1}{6}\alpha_{-2,1,2}&&0\\ \frac{1}{2}&&\frac{1}{4}\alpha_{-1,1,2}+\frac{1}{3}\alpha_{-1,2,2}&&\frac{1}{4}\alpha_{-2,2,3}+\frac{1}{6}\alpha_{-2,1,3}\\ \frac{1}{4}\alpha_{-1,1,1}&&\frac{1}{2}&&\frac{1}{4}\alpha_{-1,1,3}+\frac{1}{3}\alpha_{-1,2,3}\\ \frac{1}{6}\alpha_{-1,2,1}&&\frac{1}{4}\alpha_{-1,1,2}+\frac{1}{3}\alpha_{-2,1,2}&&\frac{1}{2}\\ 0&&\frac{1}{4}\alpha_{-2,2,2}+\frac{1}{6}\alpha_{-1,2,2}&&\frac{1}{4}\alpha_{-1,1,3}+\frac{1}{3}\alpha_{-2,1,3}\\ 0&&0&&\frac{1}{4}\alpha_{-2,2,3}+\frac{1}{6}\alpha_{-1,2,3}\end{matrix}\right),

(6)

where the rows range from $y=0$ to $y=N+D=5$ . The value of $p_{Y}(y|n)$ for all other values of $y$ and $n$ not shown above is identical to zero.

II-A Incorporating $({\varepsilon},\delta)$ -DP Conditions

Consider the mechanism $Y=n+Z$ with $Z$ being a data-dependant noise with distribution $p_{Z}(\cdot|n)$ given in (3). Our objective is to determine the smallest ${\varepsilon}\geq 0$ and $\delta\in(0,1)$ such that this mechanism is $({\varepsilon},\delta)$ -differentially private (DP) [13].

Definition 1.

Given ${\varepsilon}\geq 0$ and $\delta\in[0,1)$ , a randomized algorithm $M:\mathcal{X}^{N}\to\mathcal{Y}$ is said to be $({\varepsilon},\delta)$ -differentially private (DP) if $p(M(x)\in S)\leq e^{\varepsilon}p(M(x^{\prime})\in S)+\delta$ for all $S\subset\mathcal{Y}$ and all neighboring datasets $x,x^{\prime}\in\mathcal{X}^{N}$ differing in one element.

Below we specialize this standard definition for our count query setup. Given an integer-valued query $q:\mathcal{X}^{N}\to[N]$ about a dataset $x$ , mechanism $q$ randomizes the true query response, say $n$ , via a data-dependent additive noise process, i.e., $q(x)=n+Z$ . Since the query is integer-valued, we have $|q(x)-q(x^{\prime})|\leq 1$ for all pairs of neighboring datasets $x$ and $x^{\prime}$ . Without loss of generality, in the following we assume that $|q(x)-q(x^{\prime})|=1$ for neighboring $x$ and $x$ in the computation of DP parameters. Assuming $q(x)=n$ , then it implies that we need to verify the DP requirement for dataset $x^{\prime}$ for which $q(x^{\prime})=n+1$ or $q(x^{\prime})=n-1$ .

Remark 1.

Our approach to computing the DP parameters of mechanism (16) is as follows. We first consider Definition 1 for the singular events $S\subset[0:N+D]$ , i.e., all subsets $S$ satisfying $|S|=1$ and determine the corresponding parameters ${\varepsilon}$ and $\delta$ . Clearly, these parameters differ from the DP parameters. We then convert these parameters to a valid set of DP parameters. In the following, we use ${\varepsilon}$ and $\delta$ to denote the parameters of mechanism (16) when applying Definition 1 for singular events $S$ .

To formulate our goal, we fix ${\varepsilon}\geq 0$ and consider the following linear program

$\displaystyle\delta^{*}\doteq$	$\displaystyle~{}\min~{}\delta,$
	$\displaystyle~{}~{}\text{s.t.}~{}p_{Y}(y\|n)\leq e^{\varepsilon}p_{Y}(y\|n+1)+\delta,~{}~{}\forall n\in[1:N-1],~{}~{}\forall y\in[0:N+D],$	(7)
	$\displaystyle~{}~{}~{}~{}~{}~{}p_{Y}(y\|n)\leq e^{\varepsilon}p_{Y}(y\|n-1)+\delta,~{}~{}\forall n\in[2:N],~{}~{}\forall y\in[0:N+D].$	(8)

Given the mechanism $Y=n+Z$ and Proposition 1, we can explicitly write the optimization of $\delta$ in terms of $\alpha_{i_{1},i_{2},n}$ as follows.

Proposition 2.

For given ${\varepsilon}\geq 0$ , the optimal value $\delta^{*}$ is the solution of the following linear program

	$\displaystyle\min\delta$	(9)
	s.t.
$\displaystyle\sum_{i_{1},i_{2}}\alpha_{i_{1},i_{2},n}\,\,p^{(i_{1},i_{2})}_{Z}(y-n\|n)$	$\displaystyle\leq e^{\varepsilon}\sum_{i_{1},i_{2}}\alpha_{i_{1},i_{2},n+1}\,\,p^{(i_{1},i_{2})}_{Z}(y-n-1\|n+1)+\delta,~{}\forall n\in[1:N-1],$	(10)
$\displaystyle\sum_{i_{1},i_{2}}\alpha_{i_{1},i_{2},n}\,\,p^{(i_{1},i_{2})}_{Z}(y-n\|n)$	$\displaystyle\leq e^{\varepsilon}\sum_{i_{1},i_{2}}\alpha_{i_{1},i_{2},n-1}\,\,p^{(i_{1},i_{2})}_{Z}(y-n+1\|n-1)+\delta,~{}\forall n\in[2:N],$	(11)
$\displaystyle\alpha_{i_{1},i_{2},n}$	$\displaystyle\geq 0,\qquad\forall i_{1}\in[-A:-1],~{}\forall i_{2}\in[D],~{}\forall n\in[1:N],$	(12)
$\displaystyle\sum_{i_{1}=-A}^{-1}\sum_{i_{2}=1}^{D}\alpha_{i_{1},i_{2},n}$	$\displaystyle=1,\qquad\forall n\in[1:N],$	(13)

where $p^{(i_{1},i_{2})}_{Z}(\cdot|n)$ was defined in (2) and $y\in[0:N+D]$ .

Clearly, this above optimization problem is a linear program. If the computational complexity allows, an explicit expression for $\delta^{*}$ can be obtained through Fourier-Motzkin elimination of all $\alpha_{i_{1},i_{2},n}$ . Nevertheless, we show in the next section that such expression can be derived directly if we make a minor assumption on $D$ .

III Explicit Solutions for $n\geq D$

In this section, we show that if the true count satisfies $n\geq D$ , then $\delta^{*}$ can be readily derived.

Proposition 3.

If noise support parameter $D$ satisfies $D\leq n$ , then the following data-independent noise distribution satisfies P1-P3

\displaystyle p_{Z}(z)=\begin{cases}\alpha_{i}\frac{\bar{\eta}}{2},\quad&z=-i,i\\ \eta,\quad&z=0,\\ 0,\quad&\text{otherwise},\end{cases}

(14)

for all $i\in[1:D]$ and $\alpha_{i}\geq 0$ such that $\sum_{i=1}^{D}\alpha_{i}=1$ . In this case,

\displaystyle p_{Y}(y|n)=\begin{cases}\alpha_{i}\frac{\bar{\eta}}{2},\quad&y=n-i,n+i\\ \eta,\quad&y=n,\\ 0,\quad&\text{otherwise}.\end{cases}

(15)

Notice that the assumption $n\geq D$ enables us to design a noise distribution that satisfies P1-P3 while being independent of the query (i.e., $n$ ). The simple mechanism given in Proposition 3 can be represented by the matrix

\displaystyle p_{Y}(y|n)=\left(\begin{matrix}n=D&&n=D+1&&\cdots&&n=N\\ \hline\cr\\ \alpha_{D}\frac{\bar{\eta}}{2}&&0&&\cdots&&0\\ \alpha_{D-1}\frac{\bar{\eta}}{2}&&\alpha_{D}\frac{\bar{\eta}}{2}&&\cdots&&0\\ \cdots&&\cdots&&\cdots&&\cdots\\ \alpha_{1}\frac{\bar{\eta}}{2}&&\alpha_{2}\frac{\bar{\eta}}{2}&&\cdots&&0\\ \eta&&\alpha_{1}\frac{\bar{\eta}}{2}&&\cdots&&\alpha_{D}\frac{\bar{\eta}}{2}\\ \alpha_{1}\frac{\bar{\eta}}{2}&&\eta&&\cdots&&\alpha_{D-1}\frac{\bar{\eta}}{2}\\ \cdots&&\cdots&&\cdots&&\cdots\\ \alpha_{D}\frac{\bar{\eta}}{2}&&\alpha_{D-1}\frac{\bar{\eta}}{2}&&\cdots&&\eta\\ 0&&\alpha_{D}\frac{\bar{\eta}}{2}&&\cdots&&\alpha_{1}\frac{\bar{\eta}}{2}\\ 0&&0&&\cdots&&\cdots\\ 0&&0&&0&&\alpha_{D}\frac{\bar{\eta}}{2}\end{matrix}\right),

(16)

where for exposition we have assumed $N=2D$ . Each column of this matrix represents $p_{Y}(y|n)$ for $y\in[0:3D]$ .

III-A Lower bounds on $\delta^{*}$

To compute $\delta^{*}$ for mechanism (16), we first derive a lower bound for $\delta^{*}$ (this subsection) and then show that it is in fact achievable (next subsection). For notational brevity, define $E\doteq e^{\varepsilon}$ . The main tool for deriving the lower bound is the following proposition.

Proposition 4.

For the noise distribution given by Proposition 3, $\delta^{*}$ satisfies the following inequalities

$\displaystyle\frac{\bar{\eta}}{2}\alpha_{D}$	$\displaystyle\leq\delta^{*},$	(17)
$\displaystyle\frac{\bar{\eta}}{2}\alpha_{i}$	$\displaystyle\leq E\frac{\bar{\eta}}{2}\alpha_{i+1}+\delta^{*},\quad i\in[1:D-1],$	(18)
$\displaystyle\eta$	$\displaystyle\leq E\frac{\bar{\eta}}{2}\alpha_{1}+\delta^{*}.$	(19)

This proposition follows simply by comparing consecutive columns of the matrix (16). Letting $B\doteq\frac{2}{\bar{\eta}}$ and $C\doteq\frac{2\eta}{\bar{\eta}}$ , the system of inequalities given in Proposition 4 can be expressed as

$\displaystyle\alpha_{D}$	$\displaystyle\leq B\delta^{*},$	(20)
$\displaystyle\alpha_{i+1}$	$\displaystyle\geq\frac{\alpha_{i}-B\delta^{*}}{E},\qquad 1\leq i\leq D-1,$	(21)
$\displaystyle\alpha_{1}$	$\displaystyle\geq\frac{C-B\delta^{*}}{E}.$	(22)

We now present a series of lower bounds on $\delta^{*}$ that we term Type-I lower bounds.

Lemma 1.

For the noise distribution given by Proposition 3, we have

\displaystyle\delta^{*}\geq\delta_{k}\doteq\frac{C\sum_{j=0}^{k-1}E^{j}-E^{k}}{B\sum_{j=0}^{k-1}E^{j}(j+1)},\qquad k\in[D].

(23)

Proof.

First note that, since $\alpha_{1}\leq 1$ , we have from (22),

\displaystyle\delta^{*}\geq\delta_{1}.

(24)

Since $\alpha_{2}\leq 1-\alpha_{1}$ , a second lower bound is obtained from (21) for $i=2$ by eliminating both $\alpha_{2}$ and $\alpha_{1}$ as follows

	$\displaystyle\frac{\alpha_{1}-B\delta^{*}}{E}\leq\alpha_{2}\leq 1-\alpha_{1}\quad$	$\displaystyle\Rightarrow\quad\alpha_{1}(1+E)-E\leq B\delta^{*}$		(25)
	$\displaystyle\Rightarrow\frac{C-B\delta^{}}{E}(1+E)-E\leq B\delta^{}\quad$	$\displaystyle\Rightarrow\quad\delta^{*}\geq\delta_{2}.$		(26)

Generalizing this for $1\leq k\leq D$ , we obtain a general class of lower bounds as follows

	$\displaystyle\frac{\alpha_{k-1}-B\delta^{*}}{E}\leq\alpha_{k}\leq 1-\alpha_{1}-\cdots\alpha_{k-1}$		(27)
	$\displaystyle\Rightarrow\qquad\alpha_{k-1}(1+E)+E\alpha_{k-2}+\cdots+E\alpha_{1}-E\leq B\delta^{*}$		(28)
	$\displaystyle\Rightarrow\alpha_{k-2}(1+E+E^{2})+E^{2}\alpha_{k-3}+\cdots+E^{2}\alpha_{1}-E^{2}\leq B(1+2E)\delta^{*}.$		(29)

Iterating this process, we obtain

	$\displaystyle\alpha_{1}\sum_{j=0}^{k-1}E^{j}-E^{k-1}\leq B\delta^{*}\sum_{j=0}^{k-2}E^{j}(j+1)$		(30)
	$\displaystyle\Rightarrow\left(\frac{C-B\delta^{}}{E}\right)\sum_{j=0}^{k-1}E^{j}-E^{k-1}\leq B\delta^{}\sum_{j=0}^{k-2}E^{j}(j+1),$		(31)

which upon rearranging implies $\delta^{*}\geq\delta_{k}$ . ∎

In general, none of these lower bounds dominates another. We will shortly elaborate on the relationship between $\delta_{k}$ for $k\in[D]$ . Before doing so, we first obtain another lower bound for $\delta^{*}$ , termed a Type-II lower bound.

Lemma 2.

For the noise distribution given by Proposition 3, we have

\displaystyle\delta^{*}

\displaystyle\geq\delta_{D+1}\doteq\frac{1}{B\sum_{j=0}^{D-1}E^{j}(D-j)}.

(32)

Proof.

First note that we can write from (17) that $\alpha_{D}\leq B\delta^{*}$ . We can extend this inequality for all $\alpha_{i}$ via (18) as follows

\alpha_{D-k}\leq B\delta^{*}\sum_{j=0}^{k}E^{j},

(33)

for $k\in[0:D-1]$ . Since $\sum_{i=1}^{D}\alpha_{i}=1$ , the above inequality implies that

\displaystyle 1

\displaystyle=\sum_{k=0}^{D-1}\alpha_{D-k}\leq B\delta^{*}\sum_{k=0}^{D-1}\sum_{j=0}^{k}E^{j}=B\delta^{*}\sum_{j=0}^{D-1}\sum_{k=j}^{D-1}E^{j}=B\delta^{*}\sum_{j=0}^{D-1}E^{j}(D-j),

from which the result follows by a arrangement. ∎

Putting lemmas 1 and 2 together, the following theorem is straightforward.

Theorem 1.

For the noise distribution given by Proposition 3, we have

\delta^{*}\geq\tilde{\delta},

where $\tilde{\delta}\triangleq\max_{k\in[D+1]}{\delta_{k}}$ and $\delta_{k}$ ’s were defined in (23) for $k\in[D]$ and in (32) for $k=D+1$ .

To show that this lower bound is in fact tight, we need to carefully investigate the dynamic of $\delta_{k}$ ’s. To do so, we define crossover values $C_{k}$ as

\displaystyle C_{k}

\displaystyle\doteq\frac{\sum_{j=0}^{k}E^{j}}{\sum_{j=0}^{k-1}E^{j}(k-j)},\quad k\in[D].

(34)

For any $k\in[D]$ , the relational order between two consecutive lower bounds $\delta_{k}$ and $\delta_{k+1}$ is uniquely determined by the relation of the parameter $C\doteq\frac{2\eta}{\bar{\eta}}$ with the crossover value $C_{k}$ as prescribed in the following lemma. This, together with strictly decreasing behavior of the sequence $\{C_{k}\}_{k=1}^{D}$ (to be proved in Lemma 4) will ensure that we can find the maximum among all $\delta_{k}$ , $k\in[D+1]$ analytically.

Lemma 3.

We have $\delta_{k}\geq\delta_{k+1}$ for $k\in[D]$ if and only if $\eta$ is such that $C\doteq\frac{2\eta}{\bar{\eta}}\geq C_{k}$ .

Proof.

First consider $k=1$ and note that

\displaystyle\delta_{1}-\delta_{2}\geq 0\quad\Leftrightarrow\quad C-E\geq\frac{C+CE-E^{2}}{1+2E}\quad\Leftrightarrow\quad C\geq 1+E=C_{1}.

(35)

For $k\in[2:D-1]$ , it follows that $\delta_{k}\geq\delta_{k+1}$ if and only if

\displaystyle\frac{C\sum_{j=0}^{k-1}E^{j}-E^{k}}{B\sum_{j=0}^{k-1}E^{j}(j+1)}

\displaystyle\geq\frac{C\sum_{j=0}^{k}E^{j}-E^{k+1}}{B\sum_{j=0}^{k}E^{j}(j+1)}.

After a straightforward algebraic manipulation, we can show that it is equivalent to

C\geq\frac{\sum_{j=0}^{k}E^{j}}{\sum_{j=0}^{k-1}E^{j}(k-j)}=C_{k}.

Last, we have $\delta_{D}\geq\delta_{D+1}$ if and only if

\displaystyle\frac{C\sum_{j=0}^{D-1}E^{j}-E^{D}}{B\sum_{j=0}^{D-1}E^{j}(j+1)}\geq\frac{1}{B\sum_{j=0}^{D-1}E^{j}(D-j)},

which is in turn equivalent to

	$\displaystyle C\left(\sum_{j=0}^{D-1}E^{j}\right)\left(\sum_{j=0}^{D-1}E^{j}(D-j)\right)\geq E^{D}\left(\sum_{j=0}^{D-1}E^{j}(D-j)\right)+\sum_{j=0}^{D-1}E^{j}(j+1)$
	$\displaystyle=\left(\sum_{j=0}^{D-1}E^{j}\right)\left(\sum_{j=0}^{D}E^{j}\right).$

Hence, we conclude $\delta_{D}\geq\delta_{D+1}$ if and only if

C\geq\frac{\sum_{j=0}^{D-1}E^{j}}{\sum_{j=0}^{D-1}E^{j}(D-j)}=C_{D}.

∎

Lemma 4.

The sequence $\{C_{k}\}_{k=1}^{D}$ is strictly decreasing.

Proof.

This can be easily verified by writing the difference between $C_{k}$ and $C_{k+1}$ and checking that

\displaystyle C_{k}-C_{k+1}=\frac{\sum_{j=0}^{k}E^{j}(j+1)}{(\sum_{j=0}^{k-1}E^{j}(k-j))(\sum_{j=0}^{k}E^{j}(k+1-j))}>0,\quad k\in[D].

(36)

∎

For notational simplicity, define $C_{D+1}\doteq 0$ and $C_{0}\doteq\infty$ . Thus, $\{C_{k}\}_{k=0}^{D+1}$ is still monotonically decreasing. Combining Lemma 3 with Lemma 4, we obtain the following result.

Theorem 2.

For the noise distribution given by Proposition 3, we have

\tilde{\delta}\doteq\max_{i\in[D+1]}{\delta_{i}}=\delta_{k},

if and only if $\eta$ is such that $C_{k}<C\leq C_{k-1}$ .

Proof.

To prove the only-if direction, note that due to strict monotonicity of $\{C_{k}\}_{k=0}^{D+1}$ , $C>C_{k}$ implies $C>C_{k+1}>\cdots>C_{D}$ . Therefore, according to Lemma 3, $C>C_{k}$ implies $\delta_{k}>\delta_{k+1}>\delta_{k+2}>\dots>\delta_{D+1}$ . Similarly, $C\leq C_{k-1}$ implies $C<C_{k-2}<\cdots<C_{1}$ . Therefore, $C\leq C_{k-1}$ implies $\delta_{k}\geq\delta_{k-1}>\delta_{k-2}>\dots>\delta_{1}$ . In summary, $C_{k}<C\leq C_{k-1}$ implies $\tilde{\delta}=\delta_{k}$ . The forward direction can be similarly argued. ∎

Together with Theorem 1, this theorem implies that if $C_{k}<C\leq C_{k-1}$ , then

\delta^{*}\geq\delta_{k}.

Next, we design a mechanism for which this lower bound is achieved.

III-B Achievability of Lower Bounds

In this section, we show that the lower bound $\tilde{\delta}=\max_{i\in[D+1]}{\delta_{i}}$ on $\delta^{*}$ is in fact achievable, i.e., there exists $\{\alpha_{i}\}_{i=1}^{D}$ with $\alpha_{i}\geq 0$ and $\sum_{i=1}^{D}\alpha_{i}=1$ such that the mechanism (16) satisfies the constraints of the linear program (9) with $\delta=\tilde{\delta}$ .

Definition 2 (Optimal $\alpha$ ’s).

Set $\tilde{\delta}=\max_{i\in[D+1]}{\delta_{i}}$ as given in Theorem 1. If $\eta$ is such that $0<C\leq C_{D}$ , then $\tilde{\delta}=\delta_{D+1}$ and we define $\alpha_{j}^{*}$ ’s as follows

	$\displaystyle\alpha_{D}^{*}$	$\displaystyle=B\tilde{\delta}=\frac{1}{\sum_{\ell=0}^{D-1}E^{\ell}(D-\ell)},$		(37)
	$\displaystyle\alpha_{j}^{*}$	$\displaystyle=E\alpha_{j+1}^{*}+B\tilde{\delta}=\frac{\sum_{\ell=0}^{D-j}E^{\ell}}{\sum_{\ell=0}^{D-1}E^{\ell}(D-\ell)},\qquad j\in[1:D-1].$		(38)

If $\eta$ is such that $C>C_{D}$ , then $\tilde{\delta}=\delta_{k}$ for some $k\in[D]$ . We then define $\alpha_{j}^{*}$ ’s for $j\in[k]$ as

\displaystyle\alpha_{1}^{*}=\frac{C-B\tilde{\delta}}{E},\qquad\alpha^{*}_{j}=\frac{\alpha_{j-1}^{*}-B\tilde{\delta}}{E},\qquad j\in[2:k]

(39)

and set $\alpha^{*}_{j}=0$ for $j\in[k+1:D]$ .⁴⁴4In the proof of Theorem 3, we will show $\alpha_{1}^{*}>0$ , $\alpha_{j}^{*}\geq 0$ for $j\in[2:k]$ in (39) and that $\sum_{j=1}^{D}\alpha_{j}^{*}=1$ as desired.

Now we are ready for the main result of this section.

Theorem 3.

The mechanism (16) with coefficients $\{\alpha_{i}^{*}\}$ defined in Definition 2 satisfies the constraints of the linear program (9) with $\delta=\tilde{\delta}$ , defined in Theorem 1. In particular,

\delta^{*}=\tilde{\delta}.

Proof.

First note that once we prove that $\tilde{\delta}$ is achievable, Theorem 1 implies that $\delta^{*}=\tilde{\delta}$ . Thus, we only need to prove the achievability of $\tilde{\delta}$ . Note further that $\{\alpha^{*}_{j}\}$ satisfy the inequalities in Proposition 4, with $\delta^{*}$ replaced by $\tilde{\delta}$ , with equality. Therefore, we only need to show that $\{\alpha^{*}_{i}\}$ are valid in the sense that they are non-negative and sum to 1.

Assume $C>C_{D}$ in general and in particular, we have $C_{k}<C\leq C_{k-1}$ , for some $k\in[D]$ (recall that $C_{0}=\infty$ ). It follows from Theorem 2 that $\tilde{\delta}=\delta_{k}$ , where $\delta_{k}$ is a Type-I lower bound given in (23). First, we note that according to (39)

\displaystyle\alpha_{1}^{*}=\frac{C-B\tilde{\delta}}{E}=\frac{C\sum_{\ell=0}^{k-2}E^{\ell}(\ell+1)+E^{k-1}}{\sum_{\ell=0}^{k-1}E^{\ell}(\ell+1)}>0.

(40)

Now consider $\alpha_{k}^{*}$ in (39). Applying (39) iteratively, we obtain

$\displaystyle\alpha_{k}^{*}$	$\displaystyle=\frac{\alpha_{k-1}^{*}-B\tilde{\delta}}{E}=\frac{C-B\delta_{k}\sum_{\ell=0}^{k-1}E^{\ell}}{E^{k}}$	(41)
	$\displaystyle=\frac{\sum_{\ell=0}^{k-1}E^{\ell}-C\sum_{\ell=0}^{k-2}E^{\ell}(k-1-\ell)}{{\sum_{\ell=0}^{k-1}E^{\ell}(\ell+1)}}$	(42)
	$\displaystyle\geq\frac{\sum_{\ell=0}^{k-1}E^{\ell}-C_{k-1}\sum_{\ell=0}^{k-2}E^{\ell}(k-1-\ell)}{{\sum_{\ell=0}^{k-1}E^{\ell}(\ell+1)}}=0,$	(43)

where in the last two steps we have used the fact that $C\leq C_{k-1}$ and the definition of $C_{k-1}$ in (34). Note that the definition of $\{\alpha_{i}^{*}\}$ in (39) together with⁵⁵5Note that from (32) we conclude $\delta_{D+1}>0$ . Therefore, $\tilde{\delta}=\max_{i}\delta_{i}>0$ . $\tilde{\delta}>0$ implies that $\alpha^{*}_{i}<\alpha^{*}_{j}$ for $2\leq j<i\leq D$ . In particular, we have $\alpha_{k-j}^{*}>\alpha_{k}^{*}\geq 0$ for $j\in[k-1]$ . Note that

\displaystyle\sum_{i=1}^{D}\alpha_{i}^{*}=\sum_{i=1}^{k}\alpha_{i}^{*}=\frac{C\sum_{j=0}^{k-1}E^{j}-B\delta_{k}\sum_{j=1}^{k}jE^{j-1}}{E^{k}}=1,

(44)

where we use the fact that $\alpha_{j}^{*}=0$ for $j\in[k+1:D]$ .

Finally, if $C\leq C_{D}$ then from Theorem 2, we conclude $\delta^{*}=\delta_{D+1}$ , which is the Type-II lower bound on $\delta^{*}$ . In this case, $\{\alpha^{*}_{i}\}$ are given in (37) and (38). A similar argument as above shows that $0\leq\alpha^{*}_{i}\leq 1$ for each $i\in[D]$ and also $\sum_{i}\alpha^{*}_{i}=1$ .

∎

This theorem demonstrates that $\{\alpha^{*}_{i}\}$ , defined in Definition 2, constructs the “optimal” mechanism when plugging into (16) or equivalently the optimal noise distribution when plugging into (14). Fig. 1 shows such optimal noise distribution for ${\varepsilon}=2.18$ ( $E=8.8463$ ), $\eta=0.8$ ( $C=8$ ), and $D=6$ for $z\geq 0$ (noting the symmetry for $z<0$ ). Note that the minimum true count is assumed to be $n\geq D=6$ , which seems a reasonable assumption in large datasets with hundreds of participants. Using (34), we find that $7.8867=C_{3}<C\leq C_{2}=8.1229$ . Therefore, $\tilde{\delta}=\delta_{3}=0.0049$ according to Theorem 2. It follows from (39) that only $\alpha_{1}^{*}$ , $\alpha_{2}^{*}$ , and $\alpha_{3}^{*}$ are non-zero. Consequently, the noise distribution is in fact supported on $[-3:3]$ , instead of what we originally required in P1, i.e., $[-6:6]$ .

Using Equation (1) in [12], we also plot in Fig. 1, discrete Gaussian distribution, denoted by $p_{\text{G},Z}(z)$ , for $z\geq 0$ . We set its variance identical to that of our noise distribution, i.e., $\sigma^{2}=\bar{\eta}\sum_{i=1}^{D}\alpha_{i}^{*}i^{2}$ . It is worth noting that discrete Gaussian distribution is not compactly supported; however, the probability that it assigns to points outside $[-D:D]$ is negligible and is not shown in Fig. 1. While the two distributions may look somewhat similar, they have important differences that substantially impact their privacy performance. Notice, for instance, that $p_{\text{G},Z}(\pm 1)=0.11685$ and $p_{\text{G},Z}(\pm 2)=0.000416$ , and hence $\frac{p_{Y}(n+2|n+1)}{p_{Y}(n+2|n)}=\frac{p_{Y}(n-1|n)}{p_{Y}(n-1|n+1)}$ can be as large as about 282. Note that in our proposed distribution, $p_{Z}(\pm 1)=\frac{\bar{\eta}}{2}\alpha_{1}^{*}=0.08987$ and $p_{Z}(\pm 2)=\frac{\bar{\eta}}{2}\alpha_{2}^{*}=0.00960$ , and hence $\frac{p_{Y}(n+2|n+1)}{p_{Y}(n+2|n)}=\frac{p_{Y}(n-1|n)}{p_{Y}(n-1|n+1)}=\frac{\alpha^{*}_{1}}{\alpha^{*}_{2}}=\frac{0.08987\cdots}{0.00960\cdots}=9.3617$ . Consequently, in the discrete Gaussian mechanism the smallest ${\varepsilon}$ such that $p_{Y}(n-1|n)\leq e^{\varepsilon}p_{Y}(n-1|n+1)+\tilde{\delta}$ for $\tilde{\delta}=0.0049$ is ${\varepsilon}=5.6$ , while for our mechanism ${\varepsilon}=2.18$ is sufficient. This indicates that the optimally-chosen coefficient $\{\alpha_{i}\}$ in our setting improves the privacy guarantee of discrete Gaussian mechanism. In the next section, we provide more detailed comparison between there two mechanisms.

Refer to caption — Figure 1: The noise distribution (14) with $\{\alpha_{i}\}$ being chosen according to Definition 2 is compared with the discrete Gaussian noise [12] with the identical variance. Here, we assume for ${\varepsilon}=2.18$ , $\eta=0.8$ , and $D=6$ . The more ‘graceful‘ transition in our noise distribution from $z=1$ to $z=2$ results in an improved privacy performance.

Remark 2.

As mentioned in Remark 1, we restricted the definition of differential privacy in Definition 1 to the singular events. As a result, the parameters ${\varepsilon}$ and $\delta$ computed in this section do not correspond to the DP parameters. To compute the relationship between these parameters, recall that the mechanism (16) is $({\varepsilon},\delta)$ -DP if for any event $S\subset[N+D]$

p_{Y|n}(S)\leq e^{\varepsilon}p_{Y|n+1}(S)+\delta\qquad\text{and}\qquad p_{Y|n}(S)\leq e^{\varepsilon}p_{Y|n-1}(S)+\delta,

for all possible query responses $n\in[N]$ . Since $p_{Y|n}(S)=\sum_{y\in S}p_{Y|n}(y)$ , our analysis in this section implies that for any $S\subset[N+D]$

	$\displaystyle p_{Y\|n}(S)-e^{\varepsilon}p_{Y\|n+1}(S)$	$\displaystyle=\sum_{y\in S}\left[p_{Y\|n}(y)-e^{\varepsilon}p_{Y\|n+1}(y)\right]$
		$\displaystyle\leq\sum_{y\in S\cap\text{supp}(p_{Y\|n})}\left[p_{Y\|n}(y)-e^{\varepsilon}p_{Y\|n+1}(y)\right]$
		$\displaystyle\leq\|S\cap\text{supp}(p_{Y\|n})\|\max_{y\in[N+D]}\left[p_{Y\|n}(y)-e^{\varepsilon}p_{Y\|n+1}(y)\right]$
		$\displaystyle\leq(2D+1)\max_{y\in[N+D]}\left[p_{Y\|n}(y)-e^{\varepsilon}p_{Y\|n+1}(y)\right]$
		$\displaystyle\leq(2D+1)\delta^{*},$

where $\text{supp}(p_{Y|n})$ denotes the set of $y\in[N+D]$ with $p_{Y|n}(y)>0$ and a closed-form expression for $\delta^{*}$ was given in Theorem 3. The same argument shows that $p_{Y|n}(S)-e^{\varepsilon}p_{Y|n-1}(S)\leq(2D+1)\delta^{*}$ . This observation indicates that the mechanism (16) is $({\varepsilon},\min\{1,(2D+1)\delta^{*}\})$ -DP when $\{\alpha_{i}\}$ is chosen according to Definition 2.

IV Numerical Results

We begin this section by numerically computing the DP parameters ${\varepsilon}$ and $(2D+1)\delta^{*}$ of our mechanism according to Theorem 3.⁶⁶6We mostly consider practical parameter ranges resulting in $(2D+1)\delta^{*}\ll 1$ . We thus write $(2D+1)\delta^{*}$ instead of $\min\{1,(2D+1)\delta^{*}\}$ . In Fig. 2, we assume $\eta=0.5$ and plot the $(2D+1)\delta^{*}$ in terms of ${\varepsilon}$ for different values of $D$ . It is clear that $(2D+1)\delta^{*}$ is no greater than $0.001$ for $D=8$ and ${\varepsilon}>1.1$ . It is worth noting that while we reveal the true count with probability $0.5$ , from Definition 2, the mechanism’s output lies in an acceptable range of $[n-3:n+3]$ with a much higher probability $\eta+\bar{\eta}(\alpha_{1}^{*}+\alpha_{2}^{*}+\alpha_{3}^{*})=0.9945$ for ${\varepsilon}=1.5$ .

In Fig. 3, we illustrate the relationship between the DP parameter $(2D+1)\delta^{*}$ and $\eta$ for different values of ${\varepsilon}$ and $D$ . Quite predictably, for given $D$ and ${\varepsilon}$ , there exists a threshold for $\eta$ above which $(2D+1)\delta^{*}$ grows fast to one; thus indicating a trade-off between utility (reliability) and privacy. To strike a good balance between the reliability and privacy, one may choose the the largest value of $\eta$ just before the ‘knee’ phenomenon occurs. For instance, assuming $D=8$ , our mechanism provides $(1.1,10^{-3})$ -DP and $(2.2,5\times 10^{-7})$ -DP guarantee while presenting $\eta=0.5$ and $\eta=0.8$ , respectively. We remark that ${\varepsilon}=1.1$ and ${\varepsilon}=2.2$ were numerically chosen such that the knee phenomenon occurs slightly after $\eta=0.5$ and $\eta=0.8$ , respectively.

Next, we compare our mechanism with the recently proposed discrete Gaussian mechanism [12] in terms of the utility-privacy performance. There may be different ways for conducting such comparison. To have a fair comparison, we take the following steps:

1.

Given fixed values of $\eta\in(0,1)$ , $D\in\mathbb{N}$ , and ${\varepsilon}\geq 0$ , we compute the optimal coefficient $\{\alpha^{*}_{i}\}$ (according to Definition 2) and the corresponding DP parameter $(2D+1)\delta^{*}$ (according to Theorem 3 and Remark 2). We then compute $\sigma^{2}(\eta,D,{\varepsilon})$ the noise variance given by

$\sigma^{2}(\eta,D,{\varepsilon})\doteq\bar{\eta}\sum_{i=1}^{D}\alpha_{i}^{*}i^{2}.$
2.

We generate a discrete Gaussian probability mass function (pmf) according to Equation (1) in [12] with the variance $\sigma^{2}(\eta,D,{\varepsilon})$ . This dictates that the discrete Gaussian mechanism has the same utility as our mechanism. We refer to the resulting distribution as $p_{\text{G},Z}$ .

Let ${\varepsilon}_{\text{G}}$ and $\delta_{\text{G}}$ be the DP parameters of the discrete Gaussian mechanism. It is proved in [12, Theorem 7] that

\displaystyle\delta_{\text{G}}=p_{\text{G},Z}\left(Z>{\varepsilon}_{\text{G}}\sigma^{2}-0.5\right)-e^{{\varepsilon}_{\text{G}}}p_{\text{G},Z}\left(Z>{\varepsilon}_{\text{G}}\sigma^{2}+0.5\right),

(45)

where $\sigma^{2}$ is the variance of the discrete Gaussian noise added to the true count. By replacing $\sigma^{2}$ by $\sigma^{2}(\eta,D,{\varepsilon})$ , we make use of this expression to compare the discrete Gaussian mechanism with our mechanism in terms of privacy parameters.

As depicted in Fig 4, the $({\varepsilon},\delta)$ -DP performance of our proposed scheme is superior to that of the discrete Gaussian mechanism with the same variance for a wide range of privacy parameters (both mechanisms perform rather poorly for ${\varepsilon}<1.1$ , resulting in quite high $\delta$ ). Many other experiments were conducted and they all showed trends similar to what is shown in Fig. 4.

V Conclusion

In this work, we explicitly constructed a privacy-preserving mechanism for responding to integer-valued queries to a dataset containing sensitive attributes. This mechanism is noise-additive but, unlike many other noise-additive private mechanisms, it adds an integer-valued noise to the true count. The noise distribution is parameterized by $\eta\in(0,1)$ which specifies the allowable probability of error in responding the true count, thereby balancing the privacy-utility trade-off. We proved that this mechanism is $({\varepsilon},\delta)$ -differentially private where both ${\varepsilon}$ and $\delta$ depend on noise support size and $\eta$ . This mechanism is contrasted with the recently proposed discrete Gaussian mechanism [12] which adds discretized Gaussian noise (with infinite support) to the true count. Our numerical findings indicate that the resulting ${\varepsilon}$ and $\delta$ are tighter than those obtained in discrete Gaussian mechanism for many practical range of $\eta$ .

We conclude this work with a note on future direction. In this work, we assume that there is a single query to a dataset. However, in many practical scenarios there are several queries to a single dataset, each of which might depend on the previous ones. Provided that each query is responded by a our private mechanism, it is essential to determine how privacy degrades as the number of queries increases. We believe that the new technique propose in [15] might be helpful for this purpose.

References

[1] US Bureau of the Census, 2020 Census. [Online]. Available: https://www.census.gov
[2] Australian Bureau of Statistics, 2021 Census. [Online]. Available: https://www.abs.gov.au
[3] Changes to the Census Could Make Small Towns Disappear. [Online]. Available: https://www.nytimes.com/interactive/2020/02/06/opinion/census-algorithm-privacy.html
[4] C. Dwork, “Differential Privacy,” in Automata ,Languages and Programming, 2006.
[5] US Bureau of the Census, Disclosure Avoidance and the 2020 Census. [Online]. Available: https://www.census.gov/about/policies/privacy/statistical_safeguards/disclosure-avoidance-2020-census.html
[6] J. Bailie and C.-H. Chien, “ABS Perturbation Methodology Through the Lens of Differential Privacy,” 2019. [Online]. Available: http://www.unece.org/fileadmin/DAM/stats/documents/ece/ces/ge.46/2019/mtg1/SDC2019_S2_ABS_Bailie_D.pdf
[7] A. Ghosh, T. Roughgarden, and M. Sundararajan, “Universally utility- maximizing privacy mechanisms,” in STOC, 2009. [Online]. Available: Available:http://doi.acm.org/10.1145/1536414.1536464
[8] M. Gupte and M. Sundararajan, “Universally optimal privacy mechanisms for minimax agents,” in Proceedings of the Twenty-Ninth ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, ser. PODS ’10. New York, NY, USA: Association for Computing Machinery, 2010, p. 135–146. [Online]. Available: https://doi.org/10.1145/1807085.1807105
[9] Q. Geng and P. Viswanath, “The optimal noise-adding mechanism in differential privacy,” IEEE Transactions on Information Theory, vol. 62, no. 2, pp. 925–951, 2016.
[10] V. Balcer and S. Vadhan. (2019) Differential privacy on finite computers. [Online]. Available: https://arxiv.org/abs/1709.05396
[11] G. Cormode, T. Kulkarni, and D. Srivastava. (2017) Constrained Differential Privacy for Count Data. [Online]. Available: https://arxiv.org/abs/1710.00608
[12] C. Canonne, G. Kamath, and T. Steinke. (2020) The Discrete Gaussian for Differential Privacy. [Online]. Available: https://arxiv.org/abs/2004.00010v2
[13] C. Dwork and A. Roth, The Algorithmic Foundations of Differential Privacy. Foundations and Trends in Theoretical Computer Science. Now, 2014.
[14] C. Dwork, F. McSherry, K. Nissim, and A. Smith, “Calibrating noise to sensitivity in private data analysis,” in Proceedings of the Third Conference on Theory of Cryptography, ser. TCC’06. Berlin, Heidelberg: Springer-Verlag, 2006, pp. 265–284.
[15] S. Asoodeh, J. Liao, F. P. Calmon, O. Kosut, and L. Sankar, “A better bound gives a hundred rounds: Enhanced privacy guarantees via $f$ -divergences,” 2020. [Online]. Available: https://arxiv.org/abs/2001.05990

	$\displaystyle p_{Y\|n}(S)-e^{\varepsilon}p_{Y\|n+1}(S)$	$\displaystyle=\sum_{y\in S}\left[p_{Y\|n}(y)-e^{\varepsilon}p_{Y\|n+1}(y)\right]$
		$\displaystyle\leq\sum_{y\in S\cap\text{supp}(p_{Y\|n})}\left[p_{Y\|n}(y)-e^{\varepsilon}p_{Y\|n+1}(y)\right]$
		$\displaystyle\leq\|S\cap\text{supp}(p_{Y\|n})\|\max_{y\in[N+D]}\left[p_{Y\|n}(y)-e^{\varepsilon}p_{Y\|n+1}(y)\right]$
		$\displaystyle\leq(2D+1)\max_{y\in[N+D]}\left[p_{Y\|n}(y)-e^{\varepsilon}p_{Y\|n+1}(y)\right]$
		$\displaystyle\leq(2D+1)\delta^{*},$

Differentially Private Mechanisms for Count Queries∗111∗This is a working paper. Comments to improve this work are welcome.

Abstract

I Introduction

II Problem Formulation

Proposition 1.

Example 1.

II-A Incorporating (ε,δ)({\varepsilon},\delta)-DP Conditions

Definition 1.

Remark 1.

Proposition 2.

III Explicit Solutions for n≥Dn\geq D

Proposition 3.

III-A Lower bounds on δ∗\delta^{*}

Proposition 4.

Lemma 1.

Proof.

Lemma 2.

Proof.

Theorem 1.

Lemma 3.

Proof.

Lemma 4.

Proof.

Theorem 2.

Proof.

III-B Achievability of Lower Bounds

Definition 2 (Optimal α\alpha’s).

Theorem 3.

Proof.

Remark 2.

IV Numerical Results

V Conclusion

References

Differentially Private Mechanisms for Count Queries^∗¹¹1^∗This is a working paper. Comments to improve this work are welcome.

II-A Incorporating $({\varepsilon},\delta)$ -DP Conditions

III Explicit Solutions for $n\geq D$

III-A Lower bounds on $\delta^{*}$

Definition 2 (Optimal $\alpha$ ’s).