Offline Reinforcement Learning with Differential Privacy

Offline Reinforcement Learning (or batch RL) aims to learn a near-optimal policy in an unknown environment¹¹1The environment is usually characterized by a Markov Decision Process (MDP) in this paper. through a static dataset gathered from some behavior policy $\mu$. Since offline RL does not require access to the environment, it can be applied to problems where interaction with environment is infeasible, e.g., when collecting new data is costly (trade or finance (Zhang et al., 2020)), risky (autonomous driving (Sallab et al., 2017)) or illegal / unethical (healthcare (Raghu et al., 2017)). In such practical applications, the data used by an RL agent usually contains sensitive information. Take medical history for instance, for each patient, at each time step, the patient reports her health condition (age, disease, etc.), then the doctor decides the treatment (which medicine to use, the dosage of medicine, etc.), finally there is treatment outcome (whether the patient feels good, etc.) and the patient transitions to another health condition. Here, (health condition, treatment, treatment outcome) corresponds to (state, action, reward) and the dataset can be considered as $n$ (number of patients) trajectories sampled from a MDP with horizon $H$ (number of treatment steps), see Table 1 for an instance. However, learning agents are known to implicitly memorize details of individual training data points verbatim (Carlini et al., 2019), even if they are irrelevant for learning (Brown et al., 2021), which makes offline RL models vulnerable to various privacy attacks.

Differential privacy (DP) (Dwork et al., 2006) is a well-established definition of privacy with many desirable properties. A differentially private offline RL algorithm will return a decision policy that is indistinguishable from a policy trained in an alternative universe any individual user is replaced, thereby preventing the aforementioned privacy risks. There is a surge of recent interest in developing RL algorithms with DP guarantees, but they focus mostly on the online setting (Vietri et al., 2020; Garcelon et al., 2021; Liao et al., 2021; Chowdhury and Zhou, 2021; Luyo et al., 2021).

Offline RL is arguably more practically relevant than online RL in the applications with sensitive data. For example, in the healthcare domain, online RL requires actively running new exploratory policies (clinical trials) with every new patient, which often involves complex ethical / legal clearances, whereas offline RL uses only historical patient records that are often accessible for research purposes. Clear communication of the adopted privacy enhancing techniques (e.g., DP) to patients was reported to further improve data access (Kim et al., 2017).

There is a larger body of work on private RL in the online setting, where the goal is to minimize regret while satisfying either joint differential privacy (Vietri et al., 2020; Chowdhury and Zhou, 2021; Ngo et al., 2022; Luyo et al., 2021) or local differential privacy (Garcelon et al., 2021; Liao et al., 2021; Luyo et al., 2021; Chowdhury and Zhou, 2021). The offline setting introduces new challenges in DP as we cannot algorithmically enforce good “exploration”, but have to work with a static dataset and privately estimate the uncertainty in addition to the value functions. A private online RL algorithm can sometimes be adapted for private offline RL too, but those from existing work yield suboptimal and non-adaptive bounds. We give a more detailed technical comparison in Appendix B.

Among non-private offline RL works, we build directly upon non-private offline RL methods known as Adaptive Pessimistic Value Iteration (APVI, for tabular MDPs) (Yin and Wang, 2021b) and Variance-Aware Pessimistic Value Iteration (VAPVI, for linear MDPs) (Yin et al., 2022), as they give the strongest theoretical guarantees to date. We refer readers to Appendix B for a more extensive review of the offline RL literature. Introducing DP to APVI and VAPVI while retaining the same sample complexity (modulo lower order terms) require nontrivial modifications to the algorithms.

Markov Decision Process. A finite-horizon Markov Decision Process (MDP) is denoted by a tuple $M=(\mathcal{S},\mathcal{A},P,r,H,d_{1})$ (Sutton and Barto, 2018), where $\mathcal{S}$ is state space and $\mathcal{A}$ is action space. A non-stationary transition kernel $P_{h}:\mathcal{S}\times\mathcal{A}\times\mathcal{S}\mapsto[0,1]$ maps each state action $(s_{h},a_{h})$ to a probability distribution $P_{h}(\cdot|s_{h},a_{h})$ and $P_{h}$ can be different across time. Besides, $r_{h}:\mathcal{S}\times{A}\mapsto\mathbb{R}$ is the expected immediate reward satisfying $0\leq r_{h}\leq 1$, $d_{1}$ is the initial state distribution and $H$ is the horizon. A policy $\pi=(\pi_{1},\cdots,\pi_{H})$ assigns each state $s_{h}\in\mathcal{S}$ a probability distribution over actions according to the map $s_{h}\mapsto\pi_{h}(\cdot|s_{h})$, $\forall\,h\in[H]$. A random trajectory $s_{1},a_{1},r_{1},\cdots,s_{H},a_{H},r_{H},s_{H+1}$ is generated according to $s_{1}\sim d_{1},a_{h}\sim\pi_{h}(\cdot|s_{h}),r_{h}\sim r_{h}(s_{h},a_{h}),s_{h+1}\sim P_{h}(\cdot|s_{h},a_{h}),\forall\,h\in[H]$.

For tabular MDP, we have $\mathcal{S}\times\mathcal{A}$ is the discrete state-action space and $S:=|\mathcal{S}|,A:=|\mathcal{A}|$ are finite. In this work, we assume that $r$ is known³³3This is due to the fact that the uncertainty of reward function is dominated by that of transition kernel in RL.. In addition, we denote the per-step marginal state-action occupancy $d^{\pi}_{h}(s,a)$ as: $d^{\pi}_{h}(s,a):=\mathbb{P}[s_{h}=s|s_{1}\sim d_{1},\pi]\cdot\pi_{h}(a|s),$ which is the marginal state-action probability at time $h$.

Value function, Bellman (optimality) equations. The value function $V^{\pi}_{h}(\cdot)$ and Q-value function $Q^{\pi}_{h}(\cdot,\cdot)$ for any policy $\pi$ is defined as: $V^{\pi}_{h}(s)=\mathbb{E}_{\pi}[\sum_{t=h}^{H}r_{t}|s_{h}=s],\;\;Q^{\pi}_{h}(s,a)=\mathbb{E}_{\pi}[\sum_{t=h}^{H}r_{t}|s_{h},a_{h}=s,a],\;\forall\,h,s,a\in[H]\times\mathcal{S}\times\mathcal{A}.$ The performance is defined as $v^{\pi}:=\mathbb{E}_{d_{1}}\left[V^{\pi}_{1}\right]=\mathbb{E}_{\pi,d_{1}}\left[\sum_{t=1}^{H}r_{t}\right]$. The Bellman (optimality) equations follow $\forall\,h\in[H]$: $Q^{\pi}_{h}=r_{h}+P_{h}V^{\pi}_{h+1},\;\;V^{\pi}_{h}=\mathbb{E}_{a\sim\pi_{h}}[Q^{\pi}_{h}],\;\;\;Q^{\star}_{h}=r_{h}+P_{h}V^{\star}_{h+1},\;V^{\star}_{h}=\max_{a}Q^{\star}_{h}(\cdot,a).$

Linear MDP (Jin et al., 2020b). An episodic MDP $(\mathcal{S},\mathcal{A},H,P,r)$ is called a linear MDP with known feature map $\phi:\mathcal{S}\times\mathcal{A}\rightarrow\mathbb{R}^{d}$ if there exist $H$ unknown signed measures $\nu_{h}\in\mathbb{R}^{d}$ over $\mathcal{S}$ and $H$ unknown reward vectors $\theta_{h}\in\mathbb{R}^{d}$ such that

Without loss of generality, we assume $\|\phi(s,a)\|_{2}\leq 1$ and $\max(\|\nu_{h}(\mathcal{S})\|_{2},\|\theta_{h}\|_{2})\leq\sqrt{d}$ for all $h,s,a\in[H]\times\mathcal{S}\times\mathcal{A}$. An important property of linear MDP is that the value functions are linear in the feature map, which is summarized in Lemma E.14.

Offline setting and the goal. The offline RL requires the agent to find a policy $\pi$ in order to maximize the performance $v^{\pi}$, given only the episodic data $\mathcal{D}=\left\{\left(s_{h}^{\tau},a_{h}^{\tau},r_{h}^{\tau},s_{h+1}^{\tau}\right)\right\}_{\tau\in[n]}^{h\in[H]}$⁴⁴4For clarity we use $n$ for tabular MDP and $K$ for linear MDP when referring to the sample complexity. rolled out from some fixed and possibly unknown behavior policy $\mu$, which means we cannot change $\mu$ and in particular we do not assume the functional knowledge of $\mu$. In conclusion, based on the batch data $\mathcal{D}$ and a targeted accuracy $\epsilon>0$, the agent seeks to find a policy $\pi_{\text{alg}}$ such that $v^{\star}-v^{\pi_{\text{alg}}}\leq\epsilon$.

For reinforcement learning, the tabular MDP setting is the most well-studied setting and our first result applies to this regime. We begin with the construction of private counts.

Private Model-based Components. Given data $\mathcal{D}=\left\{\left(s_{h}^{\tau},a_{h}^{\tau},r_{h}^{\tau},s_{h+1}^{\tau}\right)\right\}_{\tau\in[n]}^{h\in[H]}$, we denote $n_{s_{h},a_{h}}:=\sum_{\tau=1}^{n}\mathds{1}[s_{h}^{\tau},a_{h}^{\tau}=s_{h},a_{h}]$ be the total counts that visit $(s_{h},a_{h})$ pair at time $h$ and $n_{s_{h},a_{h},s_{h+1}}:=\sum_{\tau=1}^{n}\mathds{1}[s_{h}^{\tau},a_{h}^{\tau},s_{h+1}^{\tau}=s_{h},a_{h},s_{h+1}]$ be the total counts that visit $(s_{h},a_{h},s_{h+1})$ pair at time $h$, then given the budget $\rho$ for zCDP, we add independent Gaussian noises to all the counts:

However, after adding noise, the noisy counts $n^{\prime}$ may not satisfy $n^{\prime}_{s_{h},a_{h}}=\sum_{s_{h+1}\in\mathcal{S}}n^{\prime}_{s_{h},a_{h},s_{h+1}}$. To address this problem, we choose the private counts of visiting numbers as the solution to the following optimization problem (here $E_{\rho}=4\sqrt{\frac{H\log{\frac{4HS^{2}A}{\delta}}}{\rho}}$ is chosen as a high probability uniform bound of the noises we add):

The private estimation of the transition kernel is defined as:

if $\widetilde{n}_{s_{h},a_{h}}>E_{\rho}$ and $\widetilde{P}_{h}(s^{\prime}|s_{h},a_{h})=\frac{1}{S}$ otherwise.

Algorithmic design. Our algorithmic design originates from the idea of pessimism, which holds conservative view towards the locations with high uncertainty and prefers the locations we have more confidence about. Based on the Bernstein type pessimism in APVI (Yin and Wang, 2021b), we design a similar pessimistic algorithm with private counts to ensure differential privacy. If we replace $\widetilde{n}$ and $\widetilde{P}$ with $n$ and $\widehat{P}$⁶⁶6The non-private empirical estimate, defined as (15) in Appendix C., then our DP-APVI (Algorithm 1) will degenerate to APVI. Compared to the pessimism defined in APVI, our pessimistic penalty has an additional term $\widetilde{O}\left(\frac{SHE_{\rho}}{\widetilde{n}_{s_{h},a_{h}}}\right)$, which accounts for the additional pessimism due to our application of private statistics.

We state our main theorem about DP-APVI below, the proof sketch is deferred to Appendix C.1 and detailed proof is deferred to Appendix C due to space limit.

Comparison to non-private counterpart APVI (Yin and Wang, 2021b). According to Theorem 4.1 in (Yin and Wang, 2021b), the sub-optimality bound of APVI is for large enough $n$, with high probability, the output $\widehat{\pi}$ satisfies:

Compared to our Theorem 3.4, the additional sub-optimality bound due to differential privacy is $\widetilde{O}\left(\frac{SH^{2}E_{\rho}}{n\cdot\bar{d}_{m}}\right)=\widetilde{O}\left(\frac{SH^{\frac{5}{2}}}{n\cdot\bar{d}_{m}\sqrt{\rho}}\right)=\widetilde{O}\left(\frac{SH^{\frac{5}{2}}}{n\cdot\bar{d}_{m}\epsilon}\right)$.⁷⁷7Here we apply the second part of Lemma 2.7 to achieve $(\epsilon,\delta)$-DP, the notation $\widetilde{O}$ also absorbs $\log\frac{1}{\delta}$ (only here $\delta$ denotes the privacy budget instead of failure probability). In the most popular regime where the privacy budget $\rho$ or $\epsilon$ is a constant, the additional term due to differential privacy appears as a lower order term, hence becomes negligible as the sample complexity $n$ becomes large.

Comparison to Hoeffding type pessimism. We can simply revise our algorithm by using Hoeffding type pessimism, which replaces the pessimism in line 5 with $C_{1}H\cdot\sqrt{\frac{\iota}{\widetilde{n}_{s_{h},a_{h}}-E_{\rho}}}+\frac{C_{2}SHE_{\rho}\cdot\iota}{\widetilde{n}_{s_{h},a_{h}}}$. Then with a similar proof schedule, we can arrive at a sub-optimality bound that with high probability,

Compared to our Theorem 3.4, our bound is tighter because we express the dominate term by the system quantities instead of explicit dependence on $H$ (and $\mathrm{Var}_{P_{h}(\cdot|s_{h},a_{h})}(V^{\star}_{h+1}(\cdot))\leq H^{2}$). In addition, we highlight that according to Theorem G.1 in (Yin and Wang, 2021b), our main term nearly matches the non-private minimax lower bound. For more detailed discussions about our main term and how it subsumes other optimal learning bounds, we refer readers to (Yin and Wang, 2021b).

Apply Laplace Mechanism to achieve pure DP. To achieve Pure DP instead of $\rho$-zCDP, we can simply replace Gaussian Mechanism with Laplace Mechanism (defined as Definition E.19). Given privacy budget for Pure DP $\epsilon$, since the $\ell_{1}$ sensitivity of $\{n_{s_{h},a_{h}}\}\cup\{n_{s_{h},a_{h},s_{h+1}}\}$ is $\Delta_{1}=4H$, we can add independent Laplace noises $\mathrm{Lap}(\frac{4H}{\epsilon})$ to each count to achieve $\epsilon$-DP due to Lemma E.20. Then by using $E_{\epsilon}=\widetilde{O}\left(\frac{H}{\epsilon}\right)$ instead of $E_{\rho}$ and keeping everything else ((3), (5) and Algorithm 1) the same, we can reach a similar result to Theorem 3.4 with the same proof schedule. The only difference is that here the additional learning bound is $\widetilde{O}\left(\frac{SH^{3}}{n\cdot\bar{d}_{m}\epsilon}\right)$, which still appears as a lower order term.

In large MDPs, to address the computational issues, the technique of function approximation is widely applied, and linear MDP is a concrete model to study linear function approximations. Our second result applies to the linear MDP setting. Generally speaking, function approximation reduces the dimensionality of private releases comparing to the tabular MDPs. We begin with private counts.

Private Model-based Components. Given the two datasets $\mathcal{D}$ and $\mathcal{D}^{\prime}$ (both from $\mu$) as in Algorithm 2, we can apply variance-aware pessimistic value iteration to learn a near optimal policy as in VAPVI (Yin et al., 2022). To ensure differential privacy, we add independent Gaussian noises to the $5H$ statistics as in DP-VAPVI (Algorithm 2) below. Since there are $5H$ statistics, by the adaptive composition of zCDP (Lemma E.17), it suffices to keep each count $\rho_{0}$-zCDP, where $\rho_{0}=\frac{\rho}{5H}$. In DP-VAPVI, we use $\phi_{1},\phi_{2},\phi_{3},K_{1},K_{2}$⁸⁸8We need to add noise to each of the $5H$ counts, therefore for $\phi_{1}$, we actually sample $H$ i.i.d samples $\phi_{1,h}$, $h=1,\cdots,H$ from the distribution of $\phi_{1}$. Then we add $\phi_{1,h}$ to $\sum_{\tau=1}^{K}\phi(\bar{s}_{h}^{\tau},\bar{a}_{h}^{\tau})\cdot\widetilde{V}_{h+1}(\bar{s}_{h+1}^{\tau})^{2}$, $\forall\,h\in[H]$. For simplicity, we use $\phi_{1}$ to represent all the $\phi_{1,h}$. The procedure applied to the other $4H$ statistics are similar. to denote the noises we add. For all $\phi_{i}$, we directly apply Gaussian Mechanism. For $K_{i}$, in addition to the noise matrix $\frac{1}{\sqrt{2}}(Z+Z^{\top})$, we also add $\frac{E}{2}I_{d}$ to ensure that all $K_{i}$ are positive definite with high probability (The detailed definition of $E,L$ can be found in Appendix A).

Below we will show the algorithmic design of DP-VAPVI (Algorithm 2). For the offline dataset, we divide it into two independent parts with equal length: $\mathcal{D}=\{(s_{h}^{\tau},a_{h}^{\tau},r_{h}^{\tau},s_{h+1}^{\tau})\}^{h\in[H]}_{\tau\in[K]}$ and $\mathcal{D}^{\prime}=\{(\bar{s}_{h}^{\tau},\bar{a}_{h}^{\tau},\bar{r}_{h}^{\tau},\bar{s}_{h+1}^{\tau})\}^{h\in[H]}_{\tau\in[K]}$. One for estimating variance and the other for calculating $Q$-values.

Estimating conditional variance. The first part (line 4 to line 8) aims to estimate the conditional variance of $\widetilde{V}_{h+1}$ via the definition of variance: $[\mathrm{Var}_{h}\widetilde{V}_{h+1}](s,a)=[P_{h}(\widetilde{V}_{h+1})^{2}](s,a)-([P_{h}\widetilde{V}_{h+1}](s,a))^{2}$. For the first term, by the definition of linear MDP, it holds that $\left[{P}_{h}\widetilde{V}_{h+1}^{2}\right](s,a)={\phi}(s,a)^{\top}\int_{\mathcal{S}}\widetilde{V}_{h+1}^{2}\left(s^{\prime}\right)\mathrm{~{}d}{\nu}_{h}\left(s^{\prime}\right)=\langle\phi,\int_{\mathcal{S}}\widetilde{V}_{h+1}^{2}\left(s^{\prime}\right)\mathrm{~{}d}{\nu}_{h}\left(s^{\prime}\right)\rangle$. We can estimate $\beta_{h}=\int_{\mathcal{S}}\widetilde{V}_{h+1}^{2}\left(s^{\prime}\right)\mathrm{~{}d}{\nu}_{h}\left(s^{\prime}\right)$ by applying ridge regression. Below is the output of ridge regression with raw statistics without noise:

where definition of $\bar{\Sigma}_{h}$ can be found in Appendix A. Instead of using the raw statistics, we replace them with private ones with Gaussian noises as in line 5. The second term is estimated similarly in line 6. The final estimator is defined as in line 8: $\widetilde{\sigma}_{h}(\cdot,\cdot)^{2}=\max\{1,\widetilde{\mathrm{Var}}_{h}\widetilde{V}_{h+1}(\cdot,\cdot)\}$.⁹⁹9The $\max\{1,\cdot\}$ operator here is for technical reason only: we want a lower bound for each variance estimate.

Variance-weighted LSVI. Instead of directly applying LSVI (Jin et al., 2021), we can solve the variance-weighted LSVI (line 10). The result of variance-weighted LSVI with non-private statistics is shown below:

where definition of $\widehat{\Lambda}_{h}$ can be found in Appendix A. For the sake of differential privacy, we use private statistics instead and derive the $\widetilde{w}_{h}$ as in line 10.

Our private pessimism. Notice that if we remove all the Gaussian noises we add, our DP-VAPVI (Algorithm 2) will degenerate to VAPVI (Yin et al., 2022). We design a similar pessimistic penalty using private statistics (line 11), with additional $\frac{D}{K}$ accounting for the extra pessimism due to DP.

Main theorem. We state our main theorem about DP-VAPVI below, the proof sketch is deferred to Appendix D.1 and detailed proof is deferred to Appendix D due to space limit. Note that quantities $\mathcal{M}_{i},L,E$ can be found in Appendix A and briefly, $L=\widetilde{O}(\sqrt{H^{3}d/\rho})$, $E=\widetilde{O}(\sqrt{Hd/\rho})$. For the sample complexity lower bound, within the practical regime where the privacy budget is not very small, $\max\{\mathcal{M}_{i}\}$ is dominated by $\max\{\widetilde{O}(H^{12}d^{3}/\kappa^{5}),\widetilde{O}(H^{14}d/\kappa^{5})\}$, which also appears in the sample complexity lower bound of VAPVI (Yin et al., 2022). The $\sigma_{V}^{2}(s,a)$ in Theorem 4.1 is defined as $\max\{1,\mathrm{Var}_{P_{h}}(V)(s,a)\}$ for any $V$.