Online differentially private inference in stochastic gradient descent

Jinhan Xie¹, Enze Shi²¹¹footnotemark: 1, Bei Jiang², Linglong Kong², Xuming He³ The first two authors contributed equally to this work.Corresponding author

Abstract

We propose a general privacy-preserving optimization-based framework for real-time environments without requiring trusted data curators. In particular, we introduce a noisy stochastic gradient descent algorithm for online statistical inference with streaming data under local differential privacy constraints. Unlike existing methods that either disregard privacy protection or require full access to the entire dataset, our proposed algorithm provides rigorous local privacy guarantees for individual-level data. It operates as a one-pass algorithm without re-accessing the historical data, thereby significantly reducing both time and space complexity. We also introduce online private statistical inference by conducting two construction procedures of valid private confidence intervals. We formally establish the convergence rates for the proposed estimators and present a functional central limit theorem to show the averaged solution path of these estimators weakly converges to a rescaled Brownian motion, providing a theoretical foundation for our online inference tool. Numerical simulation experiments demonstrate the finite-sample performance of our proposed procedure, underscoring its efficacy and reliability. Furthermore, we illustrate our method with an analysis of two datasets: the ride-sharing data and the US insurance data, showcasing its practical utility.

¹Yunnan Key Laboratory of Statistical Modeling and Data Analysis, Yunnan University

²Department of Mathematical and Statistical Sciences, University of Alberta

³Department of Statistics and Data Science, Washington University in St. Louis

Keywords: Confidence interval; Local differential privacy; Privacy budget; Stochastic gradient descent.

1 Introduction

Online learning involves methods and algorithms designed for making timely inferences and predictions in a real-time environment, where data are collected sequentially rather than being static as in traditional batch learning. By not requiring the simultaneous use of the entire sample pool, online learning alleviates both storage and computation pressures. To date, various statistical methods and algorithms for online estimation and inference have been proposed, including aggregated estimating equations (Lin and Xi, 2011), cumulative estimating equation (Schifano et al., 2016), renewable estimator (Luo and Song, 2020), and stochastic gradient descent (SGD) (Robbins and Monro, 1951; Polyak and Juditsky, 1992; Chen et al., 2020). Alongside online learning, another crucial consideration is the preservation of privacy, especially with the growing availability of streaming data. For example, financial institutions, such as banks and credit card companies, often leverage customer-level data for fraud detection and personalized service offerings, which need to continuously update and refine their models in real-time as new transaction data are collected. This aids not only in monitoring transactions to detect unusual activities but also in designing targeted financial products and promotions (e.g., offering personalized loan rates or credit card rewards based on individual spending patterns); see Maniar et al. (2021); Davidow et al. (2023). However, individual customer data are usually sensitive and irreplaceable, and it is of great importance to prevent the leak of personal information to maintain customer trust and confidence, as well as to help businesses avoid financial losses and reputational damage (Hu et al., 2022; Fainmesser et al., 2023).

In response to the increasing demand for data privacy protection, differential privacy (DP) has emerged as a widely adopted concept (Dwork et al., 2006). It has been successfully applied in numerous fields, including healthcare, financial services, retail, and e-commerce (Dankar and El Emam, 2013; Zhong, 2019; Wang and Tsai, 2022). DP procedures ensure that an adversary cannot determine whether a particular subject is included in the dataset with high probability, thereby providing robust protection for personal information. In the literature, two main models have emerged for DP: the central model, where a trusted third party collects and analyzes data before releasing privatized results, and the local model, where data is randomized before sharing. Several works have focused on designing private algorithms to guarantee DP under the trusted central server setting across various applications, including, but not limited to, machine learning, synthetic data generation, and transfer learning; see Karwa and Slavković (2016); Ponomareva et al. (2023); Li et al. (2024). A significant limitation of the standard central model is the assumption of a trusted data curator with access to the entire dataset. However, in scenarios such as smartphone usage, users may not fully trust the server and prefer not to have their personal information directly stored or updated on any remote central server. In contrast to the central DP, user-level local differential privacy (LDP) does not rely on a trusted data collector, placing the privacy barrier closer to the users, which has seen adoption in practice by several companies that analyze sensitive user data, including Apple (Tang et al., 2017), Google (Erlingsson et al., 2014), and Microsoft (Ding et al., 2017). Recently, there has been growing interest in studying LDP from a statistical perspective, including density estimation (Sart, 2023), mean and median estimation (Duchi et al., 2018), nonparametric estimation problems (Rohde and Steinberger, 2020), and change-point detection (Berrett and Yu, 2021).

The aforementioned methods mainly address the inherent trade-off between privacy protection and efficient statistical inference, focusing on identifying what optimal privacy-preserving mechanisms may look like. The literature on private inference, particularly in quantifying the uncertainty of private estimators, is relatively limited even in offline settings and has recently gained attention in computer science (Karwa and Vadhan, 2018; Wang et al., 2019; Chadha et al., 2021). This issue has also been studied in the statistical literature. Sheffet (2017) provided finite-sample analyses of conservative inference for confidence intervals regarding the coefficients from the least-squares regression. Barrientos et al. (2019) presented algorithms for comparing the sign and significance level of privately computed regression coefficients that satisfy DP. Avella-Medina (2021) introduced the M-estimator approach to conduct DP statistical inference using smooth sensitivity. Alabi and Vadhan (2023) proposed DP hypothesis tests for the multivariate linear regression model. Avella-Medina et al. (2023) investigated optimization-based approaches for Gaussian differentially private M-estimators. Zhao et al. (2024) extended this to objective functions without local strong convexity and smoothness assumptions. Zhang et al. (2024) considered estimation and inference problems in the federated learning setting under DP. Despite these efforts, a significant gap remains in developing a statistically sound approach for conducting statistical inference, such as constructing confidence intervals based on private estimators, particularly in the online setting, where theoretical results for statistical inference are largely lacking. Recently, Liu et al. (2023) proposed a self-normalizing approach to obtain confidence intervals for population quantiles with privacy concerns. However, this method is specifically tailored to population quantiles.

In this paper, we introduce a rigorous LDP framework for online estimation and inference in optimization-based regression problems with streaming data, addressing the challenge of constructing valid confidence intervals for online private inference. Specifically, we propose a fully online, locally private framework for real-time estimation and inference without requiring trusted data collectors. To the best of our knowledge, this is the first time in the literature on online inference problems where the issue of privacy is systematically investigated. The main contributions of this paper are summarized as follows:

1.

To eliminate the need for trusted data collectors, we design a local differential privacy stochastic gradient descent algorithm (LDP-SGD) for streaming data that requires only one pass over the data. Unlike prior works, our algorithm provides rigorous individual-level data privacy protection in an online manner. Meanwhile, we propose two online private statistical inference procedures. One is to conduct a private plug-in estimator of the asymptotic covariance matrix. The other is the random scaling procedure, bypasses direct estimation of the asymptotic variance by constructing an asymptotically pivotal statistic for valid private inference in real time.
2.

From a theoretical standpoint, we establish the convergence rates of the proposed online private estimators. In addition, we prove a functional central limit theorem to capture the asymptotic behavior of the whole LDP-SGD path, thereby providing an asymptotically pivotal statistic for valid private inference. These results lay a solid foundation for real-time private decision-making, supported by theoretical guarantees.
3.

We conduct numerical experiments with simulated data to evaluate the performance of the proposed procedure in various settings, including varying cumulative sample size, different privacy budgets, and various models. Our findings indicate that the proposed procedure is computationally efficient, provides robust privacy guarantees, and significantly reduces data storage costs, all while maintaining high accuracy in estimation and inference. In addition, we apply the proposed method to the the ride-sharing data and the US insurance data to demonstrate how the method can be useful in practice.

The rest of this paper is organized as follows. In Section 2.1, we introduce the key properties of DP. Section 2.2 outlines the problem formulation. In Section 3, we propose our LDP-SGD algorithm and provide its convergence rates. In Section 4, we establish a functional central limit theorem and introduce two online private inference methods: the private plug-in estimator and the random scaling method to construct asymptotically valid private confidence intervals. We evaluate the performance of the proposed procedure through simulation studies in Section 5. In Section 6, we apply the proposed method on two real-world datasets: the Ride-Sharing Data and the US Insurance Data. Ride-sharing data provides fare-related information over time, enabling analysis of market pricing dynamics in the ride-sharing industry. The US Insurance Data includes detailed personal and family information for one million clients, along with their associated insurance fees, offering valuable insights into insurance fee prediction. Discussions are provided in Section 7. Some basic concepts of DP, the detailed description of private batch-means estimator, additional numerical results, and technical details are included in the Supplementary Material.

2 Preliminaries

In this section, we provide some preliminaries. To facilitate understanding, we first introduce the notations used throughout this paper. Let $\stackrel{{\scriptstyle D}}{{\rightarrow}}$ denote convergence in distribution. For a $p$ -vector $\bm{a}=(a_{1},\ldots,a_{p})^{\top}\in\mathbb{R}^{p}$ , $\|{\mbox{\boldmath${a}$}}\|_{r}=(\sum_{j=1}^{p}|a_{j}|^{r})^{1/r}$ for $r\geq 1$ . Define $\Lambda_{1}(\bm{A}),\ldots,\Lambda_{p}(\bm{A})$ as the eigenvalues of a matrix $\bm{A}\in\mathbb{R}^{p\times p}$ . Specifically, the largest and smallest eigenvalues are denoted by $\Lambda_{\max}(\bm{A})$ and $\Lambda_{\min}(\bm{A})$ , respectively. We use $\|\bm{A}\|$ to denote the matrix operator norm of $\bm{A}$ and $\|\bm{A}\|_{\infty}$ to represent the element-wise $\ell_{\infty}$ -norm of $\bm{A}$ . For a square positive semi-definite matrix $\bm{D}$ , we denote its trace by ${\rm tr}(\bm{D})$ . For any two symmetric matrices $\bm{A}$ and $\bm{B}$ of the same dimension, $\bm{A}\preceq\bm{B}$ means that $\bm{B}-\bm{A}$ is a positive semi-definite matrix, while $\bm{A}\succeq\bm{B}$ means that $\bm{A}-\bm{B}$ is a positive semi-definite matrix. Let $\{a_{n}\}$ and $\{b_{n}\}$ be two sequences of positive numbers. Denote $a_{n}\lesssim b_{n}$ if there exists a positive constant $c_{0}$ such that $a_{j}/b_{j}\leq c_{0}$ for all $j\in\mathbb{N}^{+}$ , and $a_{n}\asymp b_{n}$ if there exist positive constants $c_{1}$ , $c_{2}$ such that $c_{1}\leq a_{j}/b_{j}\leq c_{2}$ for all $j\in\mathbb{N}^{+}$ .

2.1 Some basic properties of differential privacy

In this subsection, we only focus on some useful properties of DP, LDP, and Gaussian differential privacy (GDP), while more details about GDP-related concepts are provided in the Supplementary Material. Notice that a variety of basic algorithms can be made private by simply adding a properly scaled noise in the output. The scale of noise is characterized by the sensitivity of the algorithm. The formal definition is presented as follows:

Definition 1 (Global sensitivity).

For any (non-private) statistics $h(\bm{X})\in\mathbb{R}^{p}$ of the data set $\bm{X}$ , the global sensitivity of $h$ is the (possibly infinite) number

\displaystyle{\rm{sens}}(h)=\sup\limits_{\bm{X},\bm{X}^{\prime}}\|h(\bm{X})-h(\bm{X}^{\prime})\|_{2},

where the supremum is taken over all pairs of data sets $\bm{X}$ and $\bm{X}^{\prime}$ that differ by one entry or datum.

We then introduce the following mechanism to construct GDP estimators. Although only the univariate case was stated in Theorem 1 of Dong et al. (2022), its extension to general case can be obtained in the following proposition.

Proposition 1 (Gaussian mechanism, Dong et al. (2022)).

Define the Gaussian mechanism that operates on a statistic $h$ as $\tilde{h}(\bm{X})=h(\bm{X})+{\rm{sens}}(h)\bm{Z}/\mu$ , where $\bm{Z}$ is a standard normal $p$ -dimensional random vector and $\mu>0$ . Then, $\tilde{h}$ is $\mu$ -GDP.

The post-processing and parallel composition properties are key aspects of DP, enabling the design of complex DP algorithms by combining simpler ones. Such properties are crucial in the algorithmic designs presented in later sections.

Proposition 2 (Post-processing property, Dong et al. (2022)).

Let $\mathcal{A}$ be an $\mu$ -GDP algorithm, and $h$ be an arbitrary randomized algorithm which takes $\mathcal{A}(\bm{X})$ as input, then $h(\mathcal{A}(\bm{X}))$ is also $\mu$ -GDP.

Proposition 3 (Parallel composition, Smith et al. (2022)).

Let a sequence of $k$ mechanisms $\mathcal{A}_{l}$ each be $\mu_{l}$ -GDP, $l=1,\ldots,k$ . Let $\{\bm{X}_{l}\}_{l=1}^{k}$ be $k$ disjoint subsets of data. Define $\mathcal{O}_{1}=\mathcal{A}_{1}(\bm{X}_{1})$ as the output of the mechanism $\mathcal{A}_{1}$ , and the sequential output of the mechanism $\mathcal{A}_{j}$ is defined as $\mathcal{O}_{j}=\mathcal{A}_{j}(\bm{X}_{j},\mathcal{O}_{j-1})$ for $j=2,\ldots,k$ . Then the output of the last mechanism $\mathcal{O}_{k}$ is $\max\{\mu_{1},\mu_{2},\ldots,\mu_{k}\}$ -GDP.

Since we will use a noisy version of the matrix to construct an asymptotic covariance matrix in a later section, we introduce the Matrix Gaussian mechanism. An intuitive approach to generating a differentially private matrix is to add independent and identically distributed (i.i.d.) noise to each individual component, as described below.

Proposition 4 (Matrix Gaussian mechanism, Avella-Medina et al. (2023)).

Let $\bm{G}\in\mathbb{R}^{n\times m}$ be a data matrix such that each row vector $\bm{g}_{i}$ satisfies $\|\bm{g}_{i}\|_{2}\leq 1$ . Define the matrix Gaussian mechanism that operates on a statistic $h$ as $\tilde{h}(\bm{G})=h(\bm{G})+\bm{W}$ , where $h(\bm{G})=\bm{G}^{\top}\bm{G}/n$ and $\bm{W}$ is a symmetric random matrix whose upper-triangular elements, including the diagonal, are i.i.d. draws from $(2/(\mu n))\mathcal{N}(0,1)$ . Then, $\tilde{h}$ is $\mu$ -GDP.

2.2 Problem formulation

Consider $n\geq 2$ , where $n$ observations, denoted by $\{\bm{z}_{i}\}_{i=1}^{n}$ with ${\mbox{\boldmath${z}$}}_{i}=(\bm{x}_{i}^{\top},y_{i})^{\top}$ arrive sequentially. We assume these $n$ pairs of observations as i.i.d. copies of $(\bm{X},Y)$ with $\bm{X}\in\mathbb{R}^{p}$ and $Y\in\mathbb{R}$ from a common cumulative distribution $F$ . Our goal is to estimate a population parameter of interest $\bm{\theta}_{0}\in\Theta\subseteq\mathbb{R}^{p}$ , which can be formulated as the solution to the following optimization problem:

\displaystyle{}\bm{\theta}_{0}=\operatorname{argmin}\left(L(\bm{\theta}):={E}_{\mathcal{P}_{{\mbox{\boldmath${z}$}}}}[\rho(\bm{\theta},\bm{z})]=\int\rho(\bm{\theta},\bm{z})\mathrm{d}\mathcal{P}_{{\mbox{\boldmath${z}$}}}\right),

(2.1)

where $\rho(\bm{\theta},{\mbox{\boldmath${z}$}})$ is some convex loss function with respect to $\bm{\theta}$ , ${z}$ is a random variable from the distribution $P_{{\mbox{\boldmath${z}$}}}$ , and $L(\bm{\theta})$ is the population loss function.

In the offline setting, where the entire dataset is readily accessible, traditional deterministic optimization methods are commonly used to estimate the parameter $\bm{\theta}_{0}$ under the empirical distribution induced by the observed data. However, for applications involving online data, where each sample arrives sequentially, storing all the data can be costly and inefficient. To address these challenges, the SGD algorithm (Robbins and Monro, 1951) is often used, especially for online learning, as it requires only one pass over the data. Starting from an initial point $\tilde{\bm{\theta}}_{0}$ , the SGD algorithm recursively updates the estimate upon the arrival of each data point $\bm{z}_{n}$ , $n\geq 1$ , with the following update rule:

\displaystyle{}\tilde{\bm{\theta}}_{n}=\tilde{\bm{\theta}}_{n-1}-\gamma_{n}\Psi(\tilde{\bm{\theta}}_{n-1},\bm{z}_{n}),

(2.2)

where $\Psi({\bm{\theta}},\bm{z})$ denotes the stochastic gradient of $\rho({\bm{\theta}},\bm{z})$ with respect to the first argument ${\bm{\theta}}$ , i.e., $\Psi({\bm{\theta}},\bm{z})=\nabla\rho({\bm{\theta}},\bm{z})$ and $\gamma_{n}$ is the step size at the $n$ th step. As suggested by Ruppert (1988) and Polyak and Juditsky (1992), we note that under some conditions, the averaging estimate $\tilde{{\bm{\theta}}}^{\ast}_{n}=\sum_{i=1}^{n}\tilde{{\bm{\theta}}}_{i}/n$ has the asymptotic normality

\displaystyle\sqrt{n}(\tilde{{\bm{\theta}}}^{\ast}_{n}-{\bm{\theta}}_{0})\stackrel{{\scriptstyle D}}{{\rightarrow}}\mathcal{N}(\bm{0},\bm{\Sigma}),

where $\bm{\Sigma}={\mbox{\boldmath${A}$}}^{-1}{\mbox{\boldmath${S}$}}{\mbox{\boldmath${A}$}}^{-1}$ , ${\mbox{\boldmath${A}$}}=\nabla^{2}L({\bm{\theta}}_{0})$ is the Hessian matrix of $L({\bm{\theta}})$ at ${\bm{\theta}}={\bm{\theta}}_{0}$ , and ${S}$ is the covariance matrix of $\nabla\rho({\bm{\theta}}_{0},{\mbox{\boldmath${z}$}})$ , given by ${\mbox{\boldmath${S}$}}={E}\{\nabla\rho({\bm{\theta}}_{0},{\mbox{\boldmath${z}$}})\nabla\rho({\bm{\theta}}_{0},{\mbox{\boldmath${z}$}})^{\top}\}$ .

A significant limitation of traditional SGD is its vulnerability to privacy breaches, arising from the extensive data and gradient queries made at each iteration. In this paper, our work focuses primarily on settings where trusted data collectors are not required under the constraints of LDP. In such settings, each individual is required to locally apply a DP mechanism to their data before transmitting the perturbed data to the server. In particular, we introduce an LDP-SGD algorithm designed to fit the model in (2.1) and accommodate timely online private statistical inference for $\bm{\theta}_{0}$ , thereby providing rigorous individual-level data privacy protection while reducing both time and space complexity.

3 Methodology

In this subsection, we introduce an LDP estimator using noisy SGD algorithms within the framework of streaming data. The heightened risk of privacy leakage arises from the numerous data and gradient queries inherent in the SGD algorithm. To facilitate our work, we impose a restriction on the class of estimators and enforce the following uniform boundedness condition.

Condition 1.

The gradient of the loss function $\rho$ satisfies

\displaystyle\sup\limits_{\bm{\theta}\in\Theta,{\mbox{\boldmath${z}$}}\in\mathcal{Z}}\|\Psi(\bm{\theta},{\mbox{\boldmath${z}$}})\|_{2}\leq B_{0}

for some positive constant $B_{0}$ .

Refer to caption — Figure 1: Boxplots comparing estimators from Mallow’s weights and gradient clipping for logistic regression with dimension $p=3$ . The red line indicates the true parameter value, $\theta^{*}=1$ , while the boxplots represent the distribution of estimators across 50 replications. The four colors correspond to four different parameters. Clipping results in a positive bias for logistic regression, which does not arise using Mallow’s weights.

Condition 1 is satisfied by using either Mallow’s weights (as discussed in Examples 1-3) or gradient clipping. However, as demonstrated in Song et al. (2021); Avella-Medina et al. (2023), gradient clipping is not ideal from a statistical standpoint, as it may result in inconsistent estimators. In Figure 1, we compare the performance of gradient clipping and Mallow’s weights using simulated logistic regression data. The results show that the parameter estimates from gradient clipping exhibit bias that does not shrink toward zero with the sample size, further underscoring our preference for Mallow’s weights, alongside the assumption of a bounded gradient. Meanwhile, Condition 1 implies that the loss function $\rho$ has a known bound on the gradient $\Psi(\bm{\theta},{\mbox{\boldmath${z}$}})$ , which ensures that $2B_{0}$ is an upper bound for the global sensitivity of $\Psi(\bm{\theta},{\mbox{\boldmath${z}$}})$ . At the $n$ th iteration with observed data point ${\mbox{\boldmath${z}$}}_{n}$ , $n\geq 1$ , we consider the following locally private SGD estimator with the noisy version of the iterates (2.2)

\displaystyle{}\hat{\bm{\theta}}_{n}=\hat{\bm{\theta}}_{n-1}-\gamma_{n}\left\{\Psi(\hat{\bm{\theta}}_{n-1},{\mbox{\boldmath${z}$}}_{n})+\frac{2B_{0}}{\mu_{n}}\bm{\xi}_{n}\right\},

(2.3)

where the final estimate is the averaging estimate denoted by $\bar{{\bm{\theta}}}_{n}=\sum_{i=1}^{n}\hat{\bm{\theta}}_{i}/n$ and $\{\bm{\xi}_{n}\}_{n\geq 1}$ is a sequence of i.i.d. standard $p$ -dimensional Gaussian random vectors. Unlike the standard SGD algorithm, the locally private SGD algorithm introduces calibrated noise to the gradient computations at each step of the model parameter update process, ensuring rigorous privacy protection. In particular, taking $B_{0}=0$ in the iterates (2.3) recovers the standard SGD algorithm in (2.2). We call the proposed iterates in (2.3) as the LDP-SGD algorithm. The following proposition shows that our proposed LDP-SGD algorithm is $\max\{\mu_{1},\ldots,\mu_{n}\}$ -GDP.

Proposition 5.

Given an initial estimate $\hat{\bm{\theta}}_{0}\in\mathbb{R}^{p}$ , consider the iterates $\{\hat{\bm{\theta}}_{n}\}_{n\geq 1}$ defined in (2.3). Then the final output $\bar{\bm{\theta}}_{n}$ is $\max\{\mu_{1},\ldots,\mu_{n}\}$ -GDP.

From (2.3), each individual has different privacy budgets $\mu_{n}$ , $n\geq 1.$ A special case arises when the proposed estimator reduces to $\mu$ -GDP with $\mu=\mu_{1}=\cdots=\mu_{n}$ , thereby not considering different privacy budgets for each individual. The techniques needed to handle the cases of varing $\mu_{n}$ are the same as for the case of the common $\mu$ . For simplicity, we assume that $\mu=\mu_{1}=\cdots=\mu_{n}$ for each individual.

Condition 2.

Assume that the objective function $L({\bm{\theta}})$ is differentiable, $\zeta$ -smooth, and $\lambda$ -strongly convex, in the sense

	$\displaystyle L({\bm{\theta}}_{1})-L({\bm{\theta}}_{2})\leq\langle\nabla L({\bm{\theta}}_{2}),{\bm{\theta}}_{1}-{\bm{\theta}}_{2}\rangle+\frac{\zeta}{2}\\|{\bm{\theta}}_{1}-{\bm{\theta}}_{2}\\|^{2},\quad\forall{\bm{\theta}}_{1},{\bm{\theta}}_{2}\in{\Theta}\subseteq\mathbb{R}^{p},$
	$\displaystyle L({\bm{\theta}}_{1})-L({\bm{\theta}}_{2})\geq\langle\nabla L({\bm{\theta}}_{2}),{\bm{\theta}}_{1}-{\bm{\theta}}_{2}\rangle+\frac{\lambda}{2}\\|{\bm{\theta}}_{1}-{\bm{\theta}}_{2}\\|^{2},\quad\forall{\bm{\theta}}_{1},{\bm{\theta}}_{2}\in{\Theta}\subseteq\mathbb{R}^{p}.$

Strong convexity and smoothness are standard conditions for the convergence analysis of (stochastic) gradient optimization methods. Similar conditions can be found in Vaswani et al. (2022); Zhu et al. (2023). Due to space limitations, several useful properties of strongly convex and smooth functions are provided in Lemma S1 of the Supplementary Material. As stated in Lemma S1, the strong convexity and smoothness of $L({\bm{\theta}})$ imply that $\Lambda_{\min}\{\nabla^{2}L({\bm{\theta}})\}\geq\lambda$ and $\Lambda_{\max}\{\nabla^{2}L({\bm{\theta}})\}\leq\zeta$ , respectively.

Condition 3.

Let ${\mbox{\boldmath${\eta}$}}_{i}=\nabla L(\hat{\bm{\theta}}_{i-1})-\Psi(\hat{\bm{\theta}}_{i-1},{\mbox{\boldmath${z}$}}_{i})$ denote the gradient noise. There exists some positive constant $C_{1}$ such that the conditional covariance of ${\mbox{\boldmath${\eta}$}}_{n}$ has an expansion around ${S}$ , satisfies

	$\displaystyle\\|E({\mbox{\boldmath${\eta}$}}_{n}{\mbox{\boldmath${\eta}$}}^{\top}_{n}\|\mathcal{F}_{n-1})-{\mbox{\boldmath${S}$}}\\|\leq C_{1}(\\|\hat{\bm{\delta}}_{n-1}\\|_{2}+\\|\hat{\bm{\delta}}_{n-1}\\|_{2}^{2}),$
	$\displaystyle\|{\rm tr}\{E({\mbox{\boldmath${\eta}$}}_{n}{\mbox{\boldmath${\eta}$}}^{\top}_{n}\|\mathcal{F}_{n-1})-{\mbox{\boldmath${S}$}}\}\|\leq C_{1}(\\|\hat{\bm{\delta}}_{n-1}\\|_{2}+\\|\hat{\bm{\delta}}_{n-1}\\|_{2}^{2}),$

where $\mathcal{F}_{n-1}$ is the $\sigma$ -algebra generated by $\{{\mbox{\boldmath${z}$}}_{1},\ldots,{\mbox{\boldmath${z}$}}_{n-1}\}$ and $\hat{{\mbox{\boldmath${\delta}$}}}_{n}=\hat{{\mbox{\boldmath${\theta}$}}}_{n}-{\bm{\theta}}_{0}$ is the error sequence. In addition, the fourth conditional moment of ${\mbox{\boldmath${\eta}$}}_{n}$ is bounded by

\displaystyle E(\|{\mbox{\boldmath${\eta}$}}_{n}\|_{2}^{4}|\mathcal{F}_{n-1})\leq C_{2}(1+\|\hat{\bm{\delta}}_{n-1}\|_{2}^{4})

for some positive constant $C_{2}.$

Condition 3 is a mild requirement on the loss function. As shown in Lemma 3.1 of Chen et al. (2020), Condition 3 holds if the Hessian matrix of $\rho({\bm{\theta}},{\mbox{\boldmath${z}$}})$ is bounded by some random function $H({\mbox{\boldmath${z}$}})$ with a bounded fourth moment. Examples that satisfy this condition include the robust estimation methods for commonly used linear and logistic regressions. With the aforementioned assumptions, we now present the following error bounds on the private SGD iterates.

Theorem 1.

Under Conditions 1-3, there exist some positive constants $n_{0}\in\mathbb{N}$ and $c_{p}$ that depends on the dimension $p$ , such that for $n\geq n_{0}$ , $\hat{\bm{\delta}}_{n}=\hat{\bm{\theta}}_{n}-{{\mbox{\boldmath${\theta}$}}}_{0}$ satisfies the following

\displaystyle E(\|\hat{\bm{\delta}}_{n}\|_{2}^{m})\lesssim n^{-m\alpha/2}\{(\gamma c_{p}B_{0}^{2}/\mu^{2})^{m/2}/\lambda+\|\hat{\bm{\delta}}_{0}\|_{2}^{m}\},\quad m=1,2,4,

when the step-size is chosen to be $\gamma_{i}=\gamma i^{-\alpha}$ with $\gamma>0$ and $1/2<\alpha<1$ .

Theorem 1 provides simplified bounds on the conditional moments of $\hat{\delta}_{n}$ , including the first, second, and fourth moments. These results characterize the convergence rate of the last-step estimator $\hat{\bm{\theta}}_{n}$ . To illustrate the applicability of our proposed algorithm, we provide several examples below. Our framework, as it turns out, accommodates a wide range of important statistical models.

Example 1 (Linear Regression).

Let $\bm{z}_{n}=(\bm{x}^{\top}_{n},y_{n})^{\top}$ , $n=1,2,\ldots,$ be a sequence of i.i.d. copies from $({\mbox{\boldmath${X}$}}^{\top},Y)^{\top}$ with $Y\in\mathbb{R}$ and ${\mbox{\boldmath${X}$}}\in\mathbb{R}^{p}$ , satisfying $y_{n}=\bm{x}_{n}^{\top}\bm{\theta}_{0}+\varepsilon_{n}$ , where $\varepsilon_{n}\in\mathbb{R}$ is the random noise. The loss function can be chosen as $\rho(\bm{\theta},\bm{z})=h_{c}(y-{\mbox{\boldmath${x}$}}^{\top}{\bm{\theta}})\omega({\mbox{\boldmath${x}$}})$ , where $h_{c}(\cdot)$ is the Huber loss with truncated parameter $c$ and $\omega({\mbox{\boldmath${x}$}})=\min(1,2/\|{\mbox{\boldmath${x}$}}\|_{2}^{2})$ downweights outlying covariates. With this construction, it is straightforward to verify that the global sensitivity of $\Psi(\bm{\theta},\bm{z})$ is $2\sqrt{2}c$ . Letting $B_{0}=\sqrt{2}c$ , our proposed LDP-SGD updates for ${\bm{\theta}}_{0}$ , as defined in (2.3) is given by:

\displaystyle\hat{\bm{\theta}}_{n}=\hat{\bm{\theta}}_{n-1}+\gamma_{n}\{I(|y_{n}-{\mbox{\boldmath${x}$}}_{n}^{\top}{\hat{\bm{\theta}}_{n-1}}|<c){\mbox{\boldmath${x}$}}_{n}(y_{n}-{\mbox{\boldmath${x}$}}_{n}^{\top}{\hat{\bm{\theta}}_{n-1}})\omega({\mbox{\boldmath${x}$}}_{n})\}+\frac{2\sqrt{2}c\gamma_{n}}{\mu_{n}}\bm{\xi}_{n},~{}~{}n\geq 1,

where $I(\cdot)$ is the indicator function.

Example 2 (Logistic Regression).

An important data science problem is logistic regression for binary classification problems. Specifically, let $\bm{z}_{n}=({\mbox{\boldmath${x}$}}_{n}^{\top},y_{n})^{\top}$ , $n=1,2,\ldots,$ be a sequence of i.i.d. copies from $({\mbox{\boldmath${X}$}}^{\top},Y)^{\top}$ with $Y\in\{-1,1\}$ and ${\mbox{\boldmath${X}$}}\in\mathbb{R}^{p}$ , satisfying $y_{n}\sim{\rm Bernoulli}(\{1+\exp(-\bm{x}_{n}^{\top}\bm{\theta}_{0})\}^{-1})$ . Taking Mallow’s weighted version of the usual cross-entropy loss as $\rho(\bm{\theta},\bm{z})=\{-y\log(1/\{1+\exp(\bm{x}^{\top}\bm{\theta})\})+(1-y)\log(\exp(\bm{x}^{\top}\bm{\theta})/\{1+\exp(\bm{x}^{\top}\bm{\theta})\})\}\omega({\mbox{\boldmath${x}$}})$ , where $\omega({\mbox{\boldmath${x}$}})$ is defined in the previous example. By this construction, we can easily verify that the global sensitivity of $\Psi(\bm{\theta},\bm{z})$ is $2\sqrt{2}$ . Setting $B_{0}=\sqrt{2}$ , our proposed LDP-SGD updates for ${\bm{\theta}}_{0}$ , as defined in (2.3) is given by:

\displaystyle\hat{\bm{\theta}}_{n}=\hat{\bm{\theta}}_{n-1}+\gamma_{n}{\mbox{\boldmath${x}$}}_{n}(y_{n}-\{1+\exp(-{\mbox{\boldmath${x}$}}_{n}^{\top}{\hat{\bm{\theta}}_{n-1}})\}^{-1})\omega({\mbox{\boldmath${x}$}}_{n})+\frac{2\sqrt{2}\gamma_{n}}{\mu_{n}}\bm{\xi}_{n},~{}~{}n\geq 1.

Example 3 (Robust Expectile Regression).

As an important extension of linear regression, robust expectile regression allows the regression coefficients $\bm{\theta}_{0}(\tau)$ to vary across different values of location parameter $\tau$ , and thereby offers insights into the entire conditional distribution of $Y$ given ${X}$ ; see Man et al. (2024). Specifically, given a location parameter $\tau\in(0,1)$ , let $\bm{z}_{n}=({\mbox{\boldmath${x}$}}_{n}^{\top},y_{n})^{\top}$ , $n=1,2,\ldots,$ be a sequence of i.i.d. copies from $({\mbox{\boldmath${X}$}}^{\top},Y)^{\top}$ , satisfying $y_{n}=\bm{x}_{n}^{\top}\bm{\theta}_{0}(\tau)+\varepsilon_{n}(\tau)$ . The loss function can be chosen as $\rho(\bm{\theta},\bm{z})=|\tau-I(y-\bm{x}^{\top}\bm{\theta})|\cdot h_{c}(y-\bm{x}^{\top}\bm{\theta})\omega({\mbox{\boldmath${x}$}})/2$ , where $h_{c}(\cdot)$ is the Huber loss with truncated parameter $c$ . With this construction, it is straightforward to verify that the global sensitivity of $\Psi(\bm{\theta},\bm{z})$ is $2\sqrt{2}c\max(\tau,1-\tau)$ . Taking $B_{0}=\sqrt{2}c\max(\tau,1-\tau)$ , our proposed LDP-SGD updates for ${\bm{\theta}}_{0}$ , as defined in (2.3) is given by:

	$\displaystyle\hat{\bm{\theta}}_{n}$	$\displaystyle=\hat{\bm{\theta}}_{n-1}+\gamma_{n}\|\tau-I(y_{n}-\bm{x}^{\top}_{n}\hat{\bm{\theta}}_{n-1})\|\cdot I(\|y_{n}-{\mbox{\boldmath${x}$}}_{n}^{\top}{\hat{\bm{\theta}}_{n-1}}\|<c){\mbox{\boldmath${x}$}}_{n}(y_{n}-{\mbox{\boldmath${x}$}}_{n}^{\top}{\hat{\bm{\theta}}_{n-1}})\omega({\mbox{\boldmath${x}$}}_{n})$
		$\displaystyle\quad+\frac{2\sqrt{2}c\max(\tau,1-\tau)\gamma_{n}}{\mu_{n}}\bm{\xi}_{n},~{}~{}n\geq 1.$

4 Online private inference

In this subsection, we introduce two online inference methods, distinguished by the availability of second-order information from the loss function. One is the online private plug-in approach that directly uses the Hessian information and the other is the random scaling that utilizes only the information from the path of our proposed LDP-SGD iteration in (2.3). In addition to these two methods, we also consider a private batch-means estimator that utilizes the iterations generated by the LDP-SGD algorithm to estimate the asymptotic covariance. The detailed construction of this estimator, along with a comparative discussion of its theoretical properties relative to the above two methods, is provided in the Supplementary Material.

To elucidate these methods, we first examine the asymptotic behavior of the entire LDP-SGD path rather than its simple average $\bar{\bm{\theta}}_{n}$ . Specifically, we present the functional central limit theorem, which shows that the standardized partial-sum process converges in distribution to a rescaled Brownian motion.

Theorem 2 (Functional CLT).

Consider LDP-SGD iterates in (2.3) with step-size $\gamma_{i}=\gamma i^{-\alpha}$ for some constant $\gamma>0$ and $1/2<\alpha<1$ . Then, under Conditions 1-3, the following random function weakly converges to a scaled Brownian motion, i.e.,

\displaystyle\phi_{n}(r):=\frac{1}{\sqrt{n}}\sum\limits_{i=1}^{\lfloor nr\rfloor}(\hat{\bm{\theta}}_{i}-\bm{\theta}_{0})\Rightarrow\bm{A}^{-1}\{\bm{S}+(4B^{2}_{0}/\mu^{2})\bm{I}\}^{1/2}\mathcal{W}_{p}(r)~{}~{}{\rm{for}}~{}~{}r\in(0,1]

as $n\rightarrow\infty$ , where ${\mbox{\boldmath${A}$}}=\nabla^{2}L({\bm{\theta}}_{0})$ , ${\mbox{\boldmath${S}$}}={E}\{\nabla\rho({\bm{\theta}}_{0},{\mbox{\boldmath${z}$}})\nabla\rho({\bm{\theta}}_{0},{\mbox{\boldmath${z}$}})^{\top}\}$ , $\mathcal{W}_{p}$ is the $p$ -dimensional vector of the independent standard Wiener processes on $[0,1]$ , and the symbol $\Rightarrow$ stands for the weak convergence.

The result derived from this theorem is stronger than the asymptotic normality of the proposed private estimator $\bar{\bm{\theta}}_{n}$ under the stated assumptions. In particular, by applying the continuous mapping theorem to Theorem 2, we are able to directly establish the following corollary.

Corollary 1.

Under the conditions of Theorem 2, the averaging estimator $\bar{\bm{\theta}}_{n}=\sum_{i=1}^{n}\hat{\bm{\theta}}_{i}/n$ satisfies $\sqrt{n}(\bar{\bm{\theta}}_{n}-{\bm{\theta}}_{0})\stackrel{{\scriptstyle D}}{{\rightarrow}}\mathcal{N}(\bm{0},\widetilde{\bm{\Sigma}})$ , where $\widetilde{\bm{\Sigma}}={{\mbox{\boldmath${A}$}}}^{-1}\tilde{\bm{S}}{\mbox{\boldmath${A}$}}^{-1}$ , and $\tilde{\bm{S}}={\mbox{\boldmath${S}$}}+(4B_{0}^{2}/\mu^{2}){\mbox{\boldmath${I}$}}$ .

In contrast to the covariance matrix of the non-private estimator in (2.2), the additional term $(4B_{0}^{2}/\mu^{2}){{\mbox{\boldmath${I}$}}}$ in the covariance matrix of Corollary 1 represents the “cost of privacy” for our proposed LDP-SGD algorithm.

4.1 Private plug-in estimator

In the previous subsection, we present the asymptotic distribution of the proposed LDP-SGD estimator in Corollary 1. For the purpose of conducting statistical inference of $\bm{\theta}_{0}$ , a consist estimator of the limiting covariance matrix $\widetilde{\bm{\Sigma}}$ from Corollary 1 is required. An intuitive way to constructing confidence intervals for $\bm{\theta}_{0}$ is to estimate each component of the sandwich formula $\widetilde{\bm{\Sigma}}$ separately. Without privacy constraints, the estimators for ${A}$ and $\tilde{\bm{S}}$ are given by:

\displaystyle{\mbox{\boldmath${A}$}}_{n}=\frac{1}{n}\sum\limits_{i=1}^{n}\dot{\Psi}(\hat{\bm{\theta}}_{i-1},{\mbox{\boldmath${z}$}}_{i})\quad{\rm{and}}\quad\tilde{\bm{S}}_{n}=\frac{1}{n}\sum\limits_{i=1}^{n}\Psi(\hat{\bm{\theta}}_{i-1},{\mbox{\boldmath${z}$}}_{i})\Psi(\hat{\bm{\theta}}_{i-1},{\mbox{\boldmath${z}$}}_{i})^{\top}+\frac{4B_{0}^{2}}{\mu^{2}}{\mbox{\boldmath${I}$}}

as long as the information of $\dot{\Psi}(\hat{\bm{\theta}}_{i-1},{\mbox{\boldmath${z}$}}_{i})$ is available. Notice that each summand in both ${\mbox{\boldmath${A}$}}_{n}$ and $\tilde{\bm{S}}_{n}$ involves different $\hat{\bm{\theta}}_{i}$ . This allows computations to be carried out in an online manner without the need to store the entire dataset. The consistency of the corresponding non-private plug-in estimator is also established and provided in the Lemma S8 of the Supplementary Material.

However, in the DP setting, direct application of this plug-in construction is not feasible, as neither ${\bm{A}}_{n}$ nor $\tilde{\bm{S}}_{n}$ is differentially private. To overcome this limitation, we propose constructing DP versions of these matrices using the Matrix Gaussian mechanism, as outlined in Proposition 4. This requires the Hessian to have a specific factorization structure that facilitates the effective application of Proposition 4. Moreover, we assume that the spectral norm of the Hessian is uniformly bounded, as stated below.

Condition 4.

The Hessian $\nabla^{2}{\rho}(\bm{\theta},\bm{z})$ is positive definite for all $\bm{\theta}\in\mathbb{R}^{p}$ with the form $\nabla^{2}{\rho}(\bm{\theta},\bm{z})=m(\bm{\theta},\bm{z})m(\bm{\theta},\bm{z})^{\top}$ , where $m:\Theta\times\mathcal{Z}\rightarrow\mathbb{R}^{p}$ and $\sup_{\bm{\theta},\bm{z}}\|m(\bm{\theta},\bm{z})\|_{2}^{2}\leq B_{1}<\infty$ .

We are now ready to present our DP counterparts of $\bm{A}_{n}$ and $\tilde{\bm{S}}_{n}$ , which appear in the plug-in estimator. Consider the following private estimators:

	$\displaystyle\hat{\bm{A}}_{n}=\frac{1}{n}\sum\limits_{i=1}^{n}\dot{\Psi}(\hat{\bm{\theta}}_{i-1},\bm{z}_{i})+\frac{2B_{1}}{n\mu}\bm{M}_{1i}=\bm{A}_{n}+\frac{2B_{1}}{n\mu}\bm{M}_{1},$
	$\displaystyle\hat{\bm{S}}_{n}=\frac{1}{n}\sum\limits_{i=1}^{n}\Psi(\hat{\bm{\theta}}_{i-1},\bm{z}_{i})\Psi(\hat{\bm{\theta}}_{i-1},\bm{z}_{i})^{\top}+\frac{4B_{0}^{2}}{\mu^{2}}\bm{I}+\frac{2B_{0}^{2}}{n\mu}\bm{M}_{2i}=\tilde{\bm{S}}_{n}+\frac{2B_{0}^{2}}{n\mu}\bm{M}_{2},$

where $\bm{M}_{1}$ and $\bm{M}_{2}$ are i.i.d. symmetric random matrices whose upper-triangular elements, including the diagonals, are i.i.d. standard normal. However, the DP matrices $\hat{\bm{A}}_{n}$ and $\hat{\bm{S}}_{n}$ can potentially be negative definite. To address this concern, we apply a truncation procedure to the eigenvalues of the matrices. Specifically, we first perform spectral decompositions: $\hat{\bm{A}}_{n}=\bm{\Gamma}_{A}\bm{D}_{A}\bm{\Gamma}_{A}^{\top}$ and $\hat{\bm{S}}_{n}=\bm{\Gamma}_{S}\bm{D}_{S}\bm{\Gamma}_{S}^{\top}$ , where $\bm{\Gamma}_{A}$ and $\bm{\Gamma}_{S}$ are orthogonal matrices. Given fixed threshold parameters $\kappa_{1}$ and $\kappa_{2}$ , we define the truncated estimators as $\hat{\bm{A}}^{\ast}_{n}=\bm{\Gamma}_{A}\hat{\bm{D}}_{A}\bm{\Gamma}_{A}^{\top}$ and $\hat{\bm{S}}^{\ast}_{n}=\bm{\Gamma}_{S}\hat{\bm{D}}_{S}\bm{\Gamma}_{S}^{\top}$ , where the diagonal elements are thresholded as $(\hat{\bm{D}}_{A})_{i,i}=\max\{\kappa_{1},(\bm{D}_{A})_{i,i}\}$ and $(\hat{\bm{D}}_{S})_{i,i}=\max\{\kappa_{2},(\bm{D}_{S})_{i,i}\}$ for $i=1,\ldots,p$ . In other words, eigenvalues smaller than $\kappa_{1}$ or $\kappa_{2}$ are truncated to ensure numerical stability and positive semi-definiteness. The DP sandwich estimator can then be constructed as follows:

\displaystyle{}\widehat{\bm{\Sigma}}_{n}=\hat{\bm{A}}^{\ast-1}_{n}\hat{\bm{S}}^{\ast}_{n}\hat{\bm{A}}^{\ast-1}_{n}.

(2.4)

To establish consistency of our proposed private plug-in estimator $\widehat{\bm{\Sigma}}_{n}$ , we need the following additional smoothness assumption regarding the Hessian, similar to those found in the literature (Chen et al., 2020, 2024).

Condition 5.

Assume that for all $\bm{\theta}\in\mathbb{R}^{p}$ , the following holds:

	$\displaystyle E\\|\nabla^{2}{\rho}({\bm{\theta}},{\mbox{\boldmath${z}$}})-\nabla^{2}{\rho}({\bm{\theta}}_{0},{\mbox{\boldmath${z}$}})\\|\leq K\\|{\bm{\theta}}-{\bm{\theta}}_{0}\\|_{2},$
	$\displaystyle\\|E\{\nabla^{2}{\rho}({\bm{\theta}}_{0},z)\}^{2}-{\mbox{\boldmath${A}$}}^{2}\\|\leq C_{3},$

where $K$ and $C_{3}$ are some postive constants. Furthermore, assume that $\Lambda_{\min}({\mbox{\boldmath${A}$}})>\delta.$

Theorem 3 (Error rate of the private plug-in estimator).

Under the conditions of Corollary 1, and Conditions 4-5, then $\widehat{\bm{\Sigma}}_{n}$ is $\sqrt{3}\mu$ -GDP and converges to the asymptotic covariance matrix that satisfies the following

\displaystyle E\|\widehat{\bm{\Sigma}}_{n}-\bm{A}^{-1}\tilde{\bm{S}}\bm{A}^{-1}\|\lesssim\|\bm{S}\|\frac{\sqrt{\gamma c_{p}}B^{2}_{0}K}{\mu}\left(1+\Lambda_{\min}(\bm{S})+\frac{4B_{0}^{2}}{\mu^{2}}\right)\left(n^{-\alpha/2}+\frac{\sqrt{\gamma c_{p}}K}{\mu}n^{-\alpha}\right),

when the step-size is chosen to be $\gamma_{i}=\gamma i^{-\alpha}$ with $\gamma>0$ and $\alpha\in(1/2,1).$

Theorem 3 establishes the consistency of the proposed private plug-in estimator $\widehat{\bm{\Sigma}}_{n}$ . Consequently, we can consider the following $\sqrt{3}\mu$ -GDP $(1-\alpha_{0})$ -confidence interval for $\theta_{0,j}$ , $j=1,\ldots,p$ :

\displaystyle{\rm{CI}}_{1-\alpha_{0}}^{\rm{plug}}(\theta_{0,j})=\left[\bar{\theta}_{n,j}-\hat{\sigma}_{n,j}^{P}z_{1-\alpha_{0}/2}/\sqrt{n},\bar{\theta}_{n,j}+\hat{\sigma}_{n,j}^{P}z_{1-\alpha_{0}/2}/\sqrt{n}\right],

where $\hat{\sigma}_{n,j}^{P}=(\widehat{\bm{\Sigma}}_{n})^{1/2}_{j,j}$ and $z_{1-\alpha_{0}/2}$ is the ( $1-\alpha_{0}/2$ )-quantile of the standard normal distribution. In particular, we have the following corollary, which demonstrates that ${\rm{CI}}_{1-\alpha_{0}}^{\rm{plug}}(\theta_{0,j})$ is an asymptotically exact confidence interval.

Corollary 2.

Under the conditions of Theorem 3, when $p$ is fixed and $n\rightarrow\infty$ , we have

\displaystyle{\rm{Pr}}\left(\bar{\theta}_{n,j}-z_{1-\alpha_{0}/2}\hat{\sigma}_{n,j}^{P}/\sqrt{n}\leq\theta_{0,j}\leq\bar{\theta}_{n,j}+z_{1-\alpha_{0}/2}\hat{\sigma}_{n,j}^{P}/\sqrt{n}\right)\rightarrow 1-\alpha_{0}.

4.2 Random scaling

Despite the simplicity of the private plug-in approach, the proposed estimator $\widehat{\bm{\Sigma}}_{n}$ incurs additional computational and storage cost, primarily because it requires extra function-value queries to construct $\hat{\bm{A}}^{\ast}_{n}$ . To mitigate this issue, we propose the random scaling inference procedure, which avoids the direct estimation of the asymptotic variance. Instead, the procedure studentizes $\bar{\bm{\theta}}_{n}$ using a matrix derived from iterations along the LDP-SGD path. Specifically, with Theorem 2, we observe that $\phi_{n}(1)=\sum_{i=1}^{n}(\hat{\bm{\theta}}_{i}-\bm{\theta}_{0})/\sqrt{n}=\sqrt{n}(\bar{\bm{\theta}}_{n}-\bm{\theta}_{0})$ . Consequently, $\phi_{n}(r)-\lfloor nr\rfloor\phi_{n}(1)/{n}=\sum_{i=1}^{\lfloor nr\rfloor}(\hat{\bm{\theta}}_{i}-\bar{\bm{\theta}}_{n})/\sqrt{n}$ eliminates the dependence on $\bm{\theta}_{0}$ . To remove the dependence on the unknown scale $\bm{A}^{-1}\{\bm{S}+(4B^{2}_{0}/\mu^{2})\bm{I}\}^{1/2}$ , we studentize $\phi_{n}(1)$ via

	$\displaystyle\hat{\bm{V}}_{n}=$	$\displaystyle\frac{1}{n}\sum\limits_{b=1}^{n}\left\{\phi_{n}(b/n)-\frac{b}{n}\phi_{n}(1)\right\}\left\{\phi_{n}(b/n)-\frac{b}{n}\phi_{n}(1)\right\}^{\top}$
	$\displaystyle=$	$\displaystyle\frac{1}{n}\sum\limits_{b=1}^{n}\left\{\frac{1}{\sqrt{n}}\sum\limits_{i=1}^{b}(\hat{\bm{\theta}}_{i}-\bar{\bm{\theta}}_{n})\right\}\left\{\frac{1}{\sqrt{n}}\sum\limits_{i=1}^{b}(\hat{\bm{\theta}}_{i}-\bar{\bm{\theta}}_{n})\right\}^{\top}.$

This results in the statistic $\phi^{\top}_{n}(1)\hat{\bm{V}}_{n}^{-1}\phi_{n}(1)$ being asymptotically pivotal, with a distribution that is free of any unknown nuisance parameters. This conclusion is supported by the following corollary, which directly follows from Theorem 2 and the continuous mapping theorem. Thus, the proof of this corollary is omitted.

Corollary 3.

Under the conditions of Theorem 2, we have

\displaystyle\phi^{\top}_{n}(1)\hat{\bm{V}}_{n}^{-1}\phi_{n}(1)\stackrel{{\scriptstyle D}}{{\rightarrow}}\mathcal{W}_{p}(1)^{\top}\left\{\int_{0}^{1}\bar{\mathcal{W}}(r)\bar{\mathcal{W}}(r)^{\top}{\rm d}r\right\}^{-1}\mathcal{W}_{p}(1),

where $\bar{\mathcal{W}}(r)=\mathcal{W}_{p}(r)-r\mathcal{W}_{p}(1)$ .

This corollary implies that $\phi^{\top}_{n}(1)\hat{\bm{V}}_{n}^{-1}\phi_{n}(1)$ can be used to construct valid asymptotic confidence intervals. From Corollary 3, we know that the $t$ -statistic $\sqrt{n}(\bar{\theta}_{n,j}-\theta_{0,j})$ , $j=1,\ldots,p$ , is asymptotically pivotal and converges to the following pivotal limiting distribution

\displaystyle{}\frac{\sqrt{n}(\bar{\theta}_{n,j}-\theta_{0,j})}{\sigma^{R}_{n,j}}\stackrel{{\scriptstyle D}}{{\rightarrow}}\frac{\mathcal{W}_{1}(1)}{[\int_{0}^{1}\{\mathcal{W}_{1}(r)-r\mathcal{W}_{1}(1)\}^{2}{\rm d}r]^{1/2}},

(2.5)

where $\sigma^{R}_{n,j}=({\hat{\bm{V}}_{n}})_{j,j}^{1/2}$ . Notice that the random matrix $\hat{\bm{V}}_{n}$ can be updated in an online fashion, thereby enabling the construction of confidence intervals. Specifically,

	$\displaystyle\hat{\bm{V}}_{n}=$	$\displaystyle\frac{1}{n}\sum\limits_{b=1}^{n}\left\{\frac{1}{\sqrt{n}}\sum\limits_{i=1}^{b}(\hat{\bm{\theta}}_{i}-\bar{\bm{\theta}}_{n})\right\}\left\{\frac{1}{\sqrt{n}}\sum\limits_{i=1}^{b}(\hat{\bm{\theta}}_{i}-\bar{\bm{\theta}}_{n})\right\}^{\top}$
	$\displaystyle=$	$\displaystyle\frac{1}{n^{2}}\left(\bm{U}_{n}-\bar{\bm{\theta}}_{n}\bm{v}_{n}^{\top}-\bm{v}_{n}\bar{\bm{\theta}}^{\top}_{n}+\bar{\bm{\theta}}_{n}\bar{\bm{\theta}}_{n}^{\top}\sum\limits_{b=1}^{n}b^{2}\right),$

where $\bm{U}_{n}=\sum_{b=1}^{n}\sum_{i=1}^{b}\hat{\bm{\theta}}_{i}\sum_{i=1}^{b}\hat{\bm{\theta}}_{i}^{\top}=\bm{U}_{n-1}+n^{2}\bar{\bm{\theta}}_{n}\bar{\bm{\theta}}_{n}^{\top}$ and $\bm{v}_{n}=\sum_{b=1}^{n}b\sum_{i=1}^{b}\hat{\bm{\theta}}_{i}=\bm{v}_{n-1}+n^{2}\bar{\bm{\theta}}_{n}$ can both be updated recursively. Once $\bar{\bm{\theta}}_{n}$ and $\hat{\bm{V}}_{n}$ are obtained, the $1-\alpha_{0}$ asymptotic confidence interval for the $j$ th element $\theta_{0,j}$ of $\bm{\theta}_{0}$ can be constructed as follows:

Corollary 4.

Under the conditions of Corollary 3, when $p$ is fixed and $n\rightarrow\infty$ , we have

\displaystyle{\rm{Pr}}\left(\bar{\theta}_{n,j}-z^{R}_{1-\alpha_{0}/2}\hat{\sigma}^{R}_{n,j}/\sqrt{n}\leq\theta_{0,j}\leq\bar{\theta}_{n,j}+z^{R}_{1-\alpha_{0}/2}\hat{\sigma}^{R}_{n,j}/\sqrt{n}\right)\rightarrow 1-\alpha_{0},

where $z^{R}_{1-\alpha_{0}/2}$ is ( $1-\alpha_{0}/2$ )-quantile of ${\mathcal{W}_{1}(1)}/{[\int_{0}^{1}\{\mathcal{W}_{1}(r)-r\mathcal{W}_{1}(1)\}^{2}{\rm d}r]^{1/2}}$ .

The limiting distribution in (2.5) is mixed normal and symmetric around zero. In practice, the critical value $z^{R}_{1-\alpha_{0}/2}$ in Corollary 4 can be computed through Monte Carlo simulation, as detailed in Table I in Abadir and Paruolo (1997).

5 Simulation studies

In this section, we perform simulations to examine the finite-sample performance of the proposed algorithms, focusing on the coverage probabilities and lengths of confidence intervals. The methods under evaluation include the private plug-in (PPI), private batch-means (PBM), and private random scaling (PRS). As a benchmark, we also compute the non-private counterpart with plug-in (PI), batch-means (BM), and random scaling (RS). Due to space limitations, we only present the empirical performance of proposed algorithms under linear regression in our main manuscript. The results for logistic and robust expectile regressions are provided in the Supplementary Material.

In this simulation, we randomly generate a sequence of $n$ samples $\{(\bm{x}_{n}^{\top},y_{n})^{\top}\}_{n=1,2,\ldots}$ from the linear regression: $y_{n}=\bm{x}_{n}^{\top}\bm{\theta}_{0}+\varepsilon_{n}$ , where the random noise $\varepsilon_{n}$ is i.i.d. from $\mathcal{N}\left(0,0.5^{2}\right)$ and $\bm{x}_{n}=(1,\bm{s}^{\top}_{n})^{\top}$ denotes the covariates, with $\bm{s}_{n}$ following a multivariate normal distribution $\mathcal{N}\left(\bm{0},\bm{\Sigma}\right)$ with two types of $\bm{\Sigma}$ structure, identity covariance $\bm{\Sigma}=\bm{I}_{p}$ and correlated covariance $\bm{\Sigma}=\{0.5^{|j-k|}\}_{j,k=1,\ldots,p}$ . We consider a total sample size of $200,000$ arriving sequentially. For this model, the true coefficient $\bm{\theta}_{0}=({\theta}_{00},\theta_{01},\ldots,\theta_{0p})^{\top}=\bm{1}_{p+1}$ is a ( $p+1$ )-dimensional vector that includes the intercept term $\theta_{00}$ . The corresponding loss function and its gradient sensitivity are outlined in Example 1 with a step size decay rate of $\alpha=0.51$ . For the identity covariance matrix, we vary the parameter dimensions $p=3,5,10$ across different privacy budgets $\mu=1,2$ . A smaller privacy budget corresponds to stronger privacy protection. In addition, we set the truncation parameter $c=1.345$ as used in the Huber loss and choose $M\asymp n^{0.25}$ for the batch-means estimators, as suggested by Chen et al. (2020). This choice aligns with the optimal order $M\asymp n^{(1-\alpha)/2}$ when $\alpha=1/2$ . Specifically, we set $M=20$ in our implementation. Owing to space constraints, this section reports only the results for $p=3$ . The corresponding results for $p=5$ and $p=10$ are available in the Supplementary Material. For the correlated covariance matrix, we only present results for $p=3$ , as similar patterns are observed in higher dimensions, as with the identity covariance matrix case.

The performance of each method is assessed using two criteria: the average empirical coverage probability of the 95% confidence interval (CP), and the average length of the 95% confidence interval (AL). Specifically. let CI_j denote a two-side 95% confidence interval for $\theta_{0j}$ , $j=1,\ldots,p$ . We then calculate these two criteria across $p$ coefficients as below:

\displaystyle\text{CP}=p^{-1}\sum_{j=1}^{p}\widehat{\rm{Pr}}\left(\theta_{0j}\in\mathrm{CI}_{j}\right),\quad\text{AL}=p^{-1}\sum_{j=1}^{p}\text{Length}\left(\mathrm{CI}_{j}\right),

where $\widehat{\rm{Pr}}(\cdot)$ and $\text{Length}(\cdot)$ represent the empirical rate and the average length of the confidence intervals over all replications, respectively. All simulation results are based on 200 replications, with both the averages and standard errors recorded.

Figure 2 displays the trajectories of each component of the proposed LDP-SGD estimator $\bar{\bm{\theta}}_{n}$ with $\mu=1$ and $p=3$ along with three private confidence intervals for linear regression. As expected, the length of the confidence intervals decreases as $n$ increases. In the early iterations, both the estimators and confidence intervals are unstable, with noticeable fluctuations. The PRS method produces wider confidence intervals compared to PPI and PBM, indicating that PRS is more conservative than the other two methods. Additionally, the confidence interval widths for PPI and PBM are approximately equal. This observation aligns with findings from previous studies, such as those by Li et al. (2022) and Lee et al. (2022).

We also present the empirical performance of our proposed methods under varying total sample sizes, as detailed in Table 1. A key observation is that the performance of the proposed methods aligns more closely with their non-private counterparts as the privacy budget $\mu$ increases. The coverage probabilities for all three methods approach the desired $95\%$ level as the cumulative sample size or privacy budget increases, while the lengths of the confidence intervals decrease. Among these, the PRS method exhibits more robust performance across various settings and privacy budgets, albeit with slightly wider confidence intervals than the other two. Such a wider average length could potentially account for the improvement in the average coverage rates. In contrast, the PBM method exhibits relatively lower coverage compared to the PPI and PRS methods, consistent with theoretical results indicating that PBM converges more slowly than PPI. Under privacy-preserving conditions, all three methods result in lower coverage probabilities and wider confidence intervals compared to non-private version. This effect becomes more pronounced with smaller privacy budgets, illustrating the trade-off between maintaining privacy and achieving statistical accuracy. The corresponding results for $p=5$ and $p=10$ are provided in the Supplementary Material, demonstrating similar patterns.

Table 1: Linear regression: Summary of averages and standard errors (brackets) of the coverage probabilities (

\%

) and length of the 95% confidence interval (

\times 10^{-2}

) across various scenarios with

p=3

. CP: the coverage probability; AL: the average length of the 95% confidence interval.

Non-private
	$n=40000$	$n=80000$	$n=120000$	$n=160000$	$n=200000$
PI: CP	93.75 (3.66)	92.50 (4.83)	93.50 (3.54)	92.75 (3.97)	94.13 (3.09)
PI: AL	1.08 (0.20)	0.76 (0.14)	0.62 (0.11)	0.54 (0.10)	0.48 (0.09)
BM: CP	88.88 (2.01)	90.75 (1.55)	93.25 (2.50)	93.13 (1.55)	92.75 (1.26)
BM: AL	1.01 (0.02)	0.74 (0.01)	0.62 (0.01)	0.54 (0.01)	0.48 (0.01)
RS: CP	95.13 (1.38)	94.00 (1.47)	95.75 (0.50)	95.13 (0.75)	95.50 (1.22)
RS: AL	1.47 (0.02)	1.03 (0.02)	0.84 (0.02)	0.73 (0.03)	0.64 (0.02)
$\mu=1$
PPI: CP	91.38 (3.82)	93.50 (4.30)	92.13 (5.34)	93.75 (3.18)	93.25 (4.50)
PPI: AL	11.49 (0.38)	7.68 (0.19)	6.10 (0.13)	5.19 (0.10)	4.60 (0.07)
PBM: CP	85.38 (1.60)	92.00 (1.41)	91.63 (2.93)	93.25 (2.02)	92.88 (2.93)
PBM: AL	11.09 (2.28)	7.83 (1.57)	6.49 (1.29)	5.49 (1.05)	4.77 (0.90)
PRS: CP	94.38 (1.93)	95.75 (0.29)	94.88 (1.44)	95.38 (2.32)	95.50 (1.08)
PRS: AL	16.01 (3.31)	10.96 (2.21)	8.64 (1.78)	7.21 (1.28)	6.50 (1.15)
$\mu=2$
PPI: CP	90.75 (6.25)	90.50 (4.88)	91.25 (4.29)	92.63 (3.42)	92.13 (4.27)
PPI: AL	4.99 (0.07)	3.45 (0.08)	2.81 (0.10)	2.42 (0.10)	2.16 (0.10)
PBM: CP	84.63 (2.78)	87.88 (2.63)	89.75 (1.31)	90.25 (1.00)	90.88 (2.10)
PBM: AL	4.70 (0.08)	3.42 (0.06)	2.87 (0.05)	2.47 (0.04)	2.15 (0.04)
PRS: CP	92.75 (3.50)	92.50 (1.78)	93.50 (1.58)	94.00 (1.62)	94.88 (1.61)
PRS: AL	6.77 (0.11)	4.82 (0.09)	3.94 (0.08)	3.30 (0.06)	2.93 (0.05)

To further evaluate the coverage properties of PPI and PRS, we vary the significance level $\alpha_{0}$ and compute the corresponding $1-\alpha_{0}$ asymptotic confidence intervals, alongside the empirical coverage probabilities. Specifically, $\alpha_{0}$ is varied from $0.01$ to $0.1$ in increments of $0.01$ . The analysis is carried out for a linear regression model with dimension $p=5$ and sample size $n=200000$ , under two different privacy budgets $\mu=1,2$ . The results are presented in Figure 3. For $\mu=1$ , the PRS method exhibits a more conservative coverage probability, slightly surpassing the oracle coverage level, indicating minor over-coverage. In contrast, PPI tends to under-cover with its narrower confidence intervals. As the privacy budget increases to $\mu=2$ , both PRS and PPI coverage probabilities shift closer to the oracle curve.

6 Applications

In this section, we illustrate the effectiveness of the proposed method by analyzing two real-world datasets: the Ride-sharing data and the US insurance data.

6.1 Ride-sharing Data

In this subsection, we apply the proposed LDP-SGD algorithm to the Ride-sharing dataset, which contains synthetic data from a ride-sharing platform. The dataset spans from January 2024 to October 2024 and includes detailed records of rides, users, drivers, vehicles, and ratings. It offers valuable insights into driver performance and fare prediction over time. The dataset is publicly available at https://www.kaggle.com/datasets/adnananam/ride-sharing-platform-data, comprising 50,000 ride records and 3,000 profiles of drivers and vehicles. For preprocessing, we concatenate driver and vehicle information with each corresponding ride. We then select the following features as potential predictors for fare estimation: ride distance, driver rating, total number of rides completed by the driver, vehicle production year, vehicle capacity, and ride duration. After concatenation, the dataset is standardized by subtracting the mean and dividing by the standard deviation for each column. The resulting data is then used as input to the LDP-SGD algorithm with weighted Huber loss defined in Example 1, which is run with a privacy budget of $\mu=1$ and a step size decay rate of $\alpha=0.501$ .

The results of this analysis are presented in Figure 4. As the sample size increases, the coefficients gradually stabilize. Specifically, the coefficients for ’distance’ and ’time cost’ converge to positive values, with both the PPI and PRS confidence intervals entirely above zero. This suggests a significant positive impact of these factors on fare amount, aligning with intuitive expectations, as longer distances and extended journey times are naturally associated with higher costs. In contrast, the coefficients for ’rating’ and ’total rides’ converge toward values near zero, with their confidence intervals including zero, indicating that driver-related attributes do not meaningfully affect fare pricing. Similarly, the coefficients for ’year’ and ’capacity’ also converge to values close to zero, with their confidence intervals encompassing zero, suggesting that vehicle-related factors have no significant influence on the fare amount. Overall, the analysis shows that only distance and time cost significantly impact fare pricing, while driver and vehicle characteristics have negligible effects. This is likely because ride fares are primarily driven by distance, duration, and demand fluctuations, which outweigh the influence of individual driver and vehicle attributes.

6.2 US insurance Data

In this subsection, we conduct a analysis on the Insurance dataset, which aims to predict health insurance premiums in the United States. The dataset, based on synthetic data, captures a variety of factors that influence medical costs and premiums. It includes the following variables on the insurance customers: age, gender, body mass index (BMI), number of children, smoking status, region, medical history, exercise frequency, occupation, and type of insurance plan. The full list of variables is presented in Table 2. This dataset was generated using a script that randomly sampled 1,000,000 records, ensuring a comprehensive representation of the insured population in the US. Publicly available at https://www.kaggle.com/datasets/sridharstreaks/insurance-data-for-machine-learning/data, it provides valuable insights into the factors affecting health insurance premiums.

Variable Name	Type	Range / Categories
age	Numerical	$[18,65]$
gender	Categorical (Binary)	{Female, Male}
bmi	Numerical	$[18,50]$
children	Numerical (Integer)	$\{0,1,2,3,4,5\}$
smoker	Categorical (Binary)	{No, Yes}
medical_history	Categorical (Ordinal)	{None, blood pressure, Diabetes, Heart Disease}
family_medical_history	Categorical (Ordinal)	{None, blood pressure, Diabetes, Heart Disease}
exercise_frequency	Categorical (Ordinal)	{Never, Occasionally, Rarely, Frequently}
occupation	Categorical (Ordinal)	{Student, Unemployed, Blue collar, White collar}
coverage_level	Categorical (Ordinal)	{Basic, Standard, Premium}
charges	Numerical	$[3445.01,32561.56]$

Table 2: Summary of variables for US insurance data with their types and ranges

For the analysis, we first carried out extensive data preprocessing to ensure proper handling of both numerical and categorical variables. Numerical variables, such as age, BMI, and the number of children, were standardized to have a mean of zero and a standard deviation of one, ensuring consistency across features for the modeling process. Categorical variables were encoded with meaningful numeric values to reflect their underlying semantics. Specifically, health-related variables like medical_history and family_medical_history were assigned values based on the severity of conditions: “None” (0), “High blood pressure” (1), “Diabetes” (2), and “Heart disease” (3). The exercise_frequency variable was encoded as “Never” (0), “Occasionally” (1), “Rarely” (2), and “Frequently” (3), reflecting varying levels of activity. For occupation, a hierarchical encoding was used, ranging from “Student” (0) to “White collar” (3), capturing the occupational spectrum. Similarly, the coverage_level variable was encoded as “Basic” (0), “Standard” (1), and “Premium” (2) to reflect the varying levels of insurance coverage. Binary variables such as smoker and gender were encoded as 0 and 1, representing “no”/“yes” or “female”/“male,” respectively. The processed dataset was randomly split into training and testing sets, consisting of 800,000 and 200,000 observations, respectively. The training set is then input into the LDP-SGD algorithm with a weighted Huber loss, using a privacy budget of $\mu=1$ and a step size decay rate of $\alpha=0.501$ . The corresponding results observed during the training process are presented in Figure 5.

The results demonstrate that as the sample size increases, all regression coefficients for predicting health insurance premiums converge to positive values, indicating their significant contributions to premium determination. A positive coefficient implies that higher values of a predictor correspond to higher premiums. For instance, males are charged higher premiums than females, smokers incur substantially higher costs due to increased health risks, and individuals with serious medical conditions or a family history of such conditions (e.g., diabetes, heart disease) face elevated premiums. Likewise, a higher BMI and selecting more comprehensive insurance plans also lead to higher charges, reflecting the associated health risks or benefits. While the coefficients for age and exercise frequency are positive, their magnitudes are relatively small, suggesting a limited linear effect on premium pricing. Its influence may be non-linear and not fully captured by a simple linear term. Overall, the analysis highlights that risk-related factors such as smoking, BMI, and medical history, are the primary drivers of health insurance premiums, while demographic and lifestyle factors exert a lesser influence.

We apply the LDP-SGD estimator to perform linear regression for predicting insurance charges. The mean squared error (MSE) on the test set is 0.0722. For comparison, we also fit an offline ordinary least squares (OLS) estimator without privacy guarantees using the same training data, which achieves an MSE of 0.0607. Table 3 summarizes the comparison between the LDP-SGD and offline OLS estimators in terms of coefficient estimates. The results show that LDP-SGD estimators closely align with OLS estimates, indicating that the proposed algorithm effectively protects privacy while preserving utility and explanatory power.

Setting	age	gender	bmi	children	smoker
OLS	0.0627	0.1131	0.1044	0.0774	0.5659
LDP-SGD	0.0679	0.1298	0.0664	0.0828	0.5483
Setting	medical	family medical	exercise	occupation	coverage level
OLS	0.4052	0.4051	0.1389	0.1516	0.4625
LDP-SGD	0.4009	0.4264	0.1409	0.1767	0.4634

Table 3: Comparison of offline OLS and online LDP-SGD estimations.

7 Discussion

This paper investigates online private estimation and inference for optimization-based problems with streaming data under local differential privacy constraints. To eliminate the dependence on trusted data collectors, we propose an LDP-SGD algorithm that processes data in a single pass, making it well-suited for streaming applications and minimizing storage costs. Additionally, we introduce and discuss three asymptotically valid online private inference methods—private plug-in, private batch-means, and random scaling—for constructing private confidence intervals. We establish the consistency and asymptotic normality of the proposed estimators, providing a theoretical foundation for our online private inference approach.

Several directions for future research are worth exploring. First, while this work focuses on low-dimensional settings, extending the methodology to high-dimensional penalized estimators using noisy proximal methods would be valuable. Second, our models are based on parametric assumptions; adapting these to non-parametric models by developing a noisy functional SGD algorithm remains interesting. Finally, this work assumes strong convexity and smoothness of the objective loss function. However, extending the proposed framework to encompass general nonsmooth convex functions, such as ReLU and quantile losses, which are piecewise linear and lack strong convexity, call for future research.

References

Abadir and Paruolo (1997) Abadir, K. M. and P. Paruolo (1997). Two mixed normal densities from cointegration analysis. Econometrica: Journal of the Econometric Society, 671–680.
Alabi and Vadhan (2023) Alabi, D. G. and S. P. Vadhan (2023). Differentially private hypothesis testing for linear regression. Journal of Machine Learning Research 24(361), 1–50.
Avella-Medina (2021) Avella-Medina, M. (2021). Privacy-preserving parametric inference: a case for robust statistics. Journal of the American Statistical Association 116(534), 969–983.
Avella-Medina et al. (2023) Avella-Medina, M., C. Bradshaw, and P.-L. Loh (2023). Differentially private inference via noisy optimization. The Annals of Statistics 51(5), 2067–2092.
Barrientos et al. (2019) Barrientos, A. F., J. P. Reiter, A. Machanavajjhala, and Y. Chen (2019). Differentially private significance tests for regression coefficients. Journal of Computational and Graphical Statistics 28(2), 440–453.
Berrett and Yu (2021) Berrett, T. and Y. Yu (2021). Locally private online change point detection. Advances in Neural Information Processing Systems 34, 3425–3437.
Chadha et al. (2021) Chadha, K., J. Duchi, and R. Kuditipudi (2021). Private confidence sets. In NeurIPS 2021 Workshop Privacy in Machine Learning.
Chen et al. (2024) Chen, X., Z. Lai, H. Li, and Y. Zhang (2024). Online statistical inference for stochastic optimization via kiefer-wolfowitz methods. Journal of the American Statistical Association, 1–24.
Chen et al. (2020) Chen, X., J. D. Lee, X. T. Tong, and Y. Zhang (2020). Statistical inference for model parameters in stochastic gradient descent. The Annals of Statistics 48(1), 251–273.
Dankar and El Emam (2013) Dankar, F. K. and K. El Emam (2013). Practicing differential privacy in health care: A review. Trans. Data Priv. 6(1), 35–67.
Davidow et al. (2023) Davidow, D. M., Y. Manevich, and E. Toch (2023). Privacy-preserving transactions with verifiable local differential privacy. In 5th Conference on Advances in Financial Technologies.
Ding et al. (2017) Ding, B., J. Kulkarni, and S. Yekhanin (2017). Collecting telemetry data privately. Advances in Neural Information Processing Systems 30.
Dong et al. (2022) Dong, J., A. Roth, and W. J. Su (2022). Gaussian differential privacy. Journal of the Royal Statistical Society Series B: Statistical Methodology 84(1), 3–37.
Duchi et al. (2018) Duchi, J. C., M. I. Jordan, and M. J. Wainwright (2018). Minimax optimal procedures for locally private estimation. Journal of the American Statistical Association 113(521), 182–201.
Dwork et al. (2006) Dwork, C., F. McSherry, K. Nissim, and A. Smith (2006). Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography: Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006. Proceedings 3, pp. 265–284. Springer.
Erlingsson et al. (2014) Erlingsson, Ú., V. Pihur, and A. Korolova (2014). Rappor: Randomized aggregatable privacy-preserving ordinal response. In Proceedings of the 2014 ACM SIGSAC conference on computer and communications security, pp. 1054–1067.
Fainmesser et al. (2023) Fainmesser, I. P., A. Galeotti, and R. Momot (2023). Digital privacy. Management Science 69(6), 3157–3173.
Hu et al. (2022) Hu, M., R. Momot, and J. Wang (2022). Privacy management in service systems. Manufacturing & Service Operations Management 24(5), 2761–2779.
Karwa and Slavković (2016) Karwa, V. and A. Slavković (2016). Inference using noisy degrees: Differentially private $\beta$ -model and synthetic graphs. The Annals of Statistics 44(1), 87–112.
Karwa and Vadhan (2018) Karwa, V. and S. Vadhan (2018). Finite sample differentially private confidence intervals. In 9th Innovations in Theoretical Computer Science Conferenc 94.
Lee et al. (2022) Lee, S., Y. Liao, M. H. Seo, and Y. Shin (2022). Fast and robust online inference with stochastic gradient descent via random scaling. In Proceedings of the AAAI Conference on Artificial Intelligence, Volume 36, pp. 7381–7389.
Li et al. (2024) Li, M., Y. Tian, Y. Feng, and Y. Yu (2024). Federated transfer learning with differential privacy. arXiv preprint arXiv:2403.11343.
Li et al. (2022) Li, X., J. Liang, X. Chang, and Z. Zhang (2022). Statistical estimation and online inference via local sgd. In Conference on Learning Theory, pp. 1613–1661. PMLR.
Lin and Xi (2011) Lin, N. and R. Xi (2011). Aggregated estimating equation estimation. Statistics and its Interface 4(1), 73–83.
Liu et al. (2023) Liu, Y., Q. Hu, L. Ding, and L. Kong (2023). Online local differential private quantile inference via self-normalization. In International Conference on Machine Learning, pp. 21698–21714. PMLR.
Luo and Song (2020) Luo, L. and P. X.-K. Song (2020). Renewable estimation and incremental inference in generalized linear models with streaming data sets. Journal of the Royal Statistical Society Series B: Statistical Methodology 82(1), 69–97.
Man et al. (2024) Man, R., K. M. Tan, Z. Wang, and W.-X. Zhou (2024). Retire: Robust expectile regression in high dimensions. Journal of Econometrics 239(2), 105459.
Maniar et al. (2021) Maniar, T., A. Akkinepally, and A. Sharma (2021). Differential privacy for credit risk model. arXiv preprint arXiv:2106.15343.
Polyak and Juditsky (1992) Polyak, B. T. and A. B. Juditsky (1992). Acceleration of stochastic approximation by averaging. SIAM journal on control and optimization 30(4), 838–855.
Ponomareva et al. (2023) Ponomareva, N., H. Hazimeh, A. Kurakin, Z. Xu, C. Denison, H. B. McMahan, S. Vassilvitskii, S. Chien, and A. G. Thakurta (2023). How to dp-fy ml: A practical guide to machine learning with differential privacy. Journal of Artificial Intelligence Research 77, 1113–1201.
Robbins and Monro (1951) Robbins, H. and S. Monro (1951). A stochastic approximation method. The Annals of Mathematical Statistics, 400–407.
Rohde and Steinberger (2020) Rohde, A. and L. Steinberger (2020). Geometrizing rates of convergence under local differential privacy constraints. The Annals of Statistics 48(5), 2646–2670.
Ruppert (1988) Ruppert, D. (1988). Efficient estimations from a slowly convergent robbins-monro process. Technical report, Cornell University Operations Research and Industrial Engineering.
Sart (2023) Sart, M. (2023). Density estimation under local differential privacy and hellinger loss. Bernoulli 29(3), 2318–2341.
Schifano et al. (2016) Schifano, E. D., J. Wu, C. Wang, J. Yan, and M.-H. Chen (2016). Online updating of statistical inference in the big data setting. Technometrics 58(3), 393–403.
Sheffet (2017) Sheffet, O. (2017). Differentially private ordinary least squares. In International Conference on Machine Learning, pp. 3105–3114. PMLR.
Smith et al. (2022) Smith, J., H. J. Asghar, G. Gioiosa, S. Mrabet, S. Gaspers, and P. Tyler (2022). Making the most of parallel composition in differential privacy. Proceedings on Privacy Enhancing Technologies, 253–273.
Song et al. (2021) Song, S., T. Steinke, O. Thakkar, and A. Thakurta (2021). Evading the curse of dimensionality in unconstrained private glms. In International Conference on Artificial Intelligence and Statistics, pp. 2638–2646. PMLR.
Tang et al. (2017) Tang, J., A. Korolova, X. Bai, X. Wang, and X. Wang (2017). Privacy loss in apple’s implementation of differential privacy on macos 10.12. arXiv preprint arXiv:1709.02753.
Vaswani et al. (2022) Vaswani, S., B. Dubois-Taine, and R. Babanezhad (2022). Towards noise-adaptive, problem-adaptive (accelerated) stochastic gradient descent. In International conference on machine learning, pp. 22015–22059. PMLR.
Wang et al. (2019) Wang, Y., D. Kifer, and J. Lee (2019). Differentially private confidence intervals for empirical risk minimization. Journal of Privacy and Confidentiality 9.
Wang and Tsai (2022) Wang, Y.-R. and Y.-C. Tsai (2022). The protection of data sharing for privacy in financial vision. Applied Sciences 12(15), 7408.
Zhang et al. (2024) Zhang, Z., R. Nakada, and L. Zhang (2024). Differentially private federated learning: Servers trustworthiness, estimation, and statistical inference. arXiv preprint arXiv:2404.16287.
Zhao et al. (2024) Zhao, T., W. Zhou, and L. Wang (2024). Private optimal inventory policy learning for feature-based newsvendor with unknown demand. Management Science, in press.
Zhong (2019) Zhong, G. (2019). E-commerce consumer privacy protection based on differential privacy. In Journal of Physics: Conference Series, Volume 1168, pp. 032084. IOP Publishing.
Zhu et al. (2023) Zhu, W., X. Chen, and W. B. Wu (2023). Online covariance matrix estimation in stochastic gradient descent. Journal of the American Statistical Association 118(541), 393–404.