\foreach\x

in a,…,z \foreach\xin A,…,Z \foreach\xin A,…,Z \foreach\xin A,…,Z

Enhancing Feature-Specific Data Protection via
Bayesian Coordinate Differential Privacy ^†^†thanks: The authors are listed in alphabetical order.

Maryam Aliakbarpour Department of Computer Science & Ken Kennedy Institute, Rice University Syomantak Chaudhuri Department of Electrical Engineering and Computer Sciences, University of California, Berkeley Thomas A. Courtade

{}^{\text{\textdaggerdbl}}

Alireza Fallah

{}^{\text{\textdaggerdbl}}

Michael I. Jordan Department of Electrical Engineering and Computer Sciences & Department of Statistics, University of California, Berkeley; INRIA, Paris

(October 23, 2024)

Abstract

Local Differential Privacy (LDP) offers strong privacy guarantees without requiring users to trust external parties. However, LDP applies uniform protection to all data features, including less sensitive ones, which degrades performance of downstream tasks. To overcome this limitation, we propose a Bayesian framework, Bayesian Coordinate Differential Privacy (BCDP), that enables feature-specific privacy quantification. This more nuanced approach complements LDP by adjusting privacy protection according to the sensitivity of each feature, enabling improved performance of downstream tasks without compromising privacy. We characterize the properties of BCDP and articulate its connections with standard non-Bayesian privacy frameworks. We further apply our BCDP framework to the problems of private mean estimation and ordinary least-squares regression. The BCDP-based approach obtains improved accuracy compared to a purely LDP-based approach, without compromising on privacy.

1 Introduction

The rapid expansion of machine learning applications across various sectors has fueled an unprecedented demand for data collection. With the increase in data accumulation, user privacy concerns also intensify. Differential privacy (DP) has emerged as a prominent framework that enables algorithms to utilize data while preserving the privacy of individuals who provide it Warner (1965); Evfimievski et al. (2003); Dwork et al. (2006, 2014); Vadhan (2017); Desfontaines (2020). A variant of DP, local differential privacy (LDP), suitable for distributed settings where users do not trust any central authority has been extensively studied (Warner, 1965; Evfimievski et al., 2003; Beimel et al., 2008; Kasiviswanathan et al., 2011; Chan et al., 2012). In this framework, each user shares an obfuscated version of their datapoint, meaningful in aggregate to the central server yet concealing individual details. Leading companies, including Google (Erlingsson et al., 2014), Microsoft (Ding et al., 2017), and Apple (Differential Privacy Team, Apple, 2017; Thakurta et al., 2017), have employed this approach for data collection.

In the LDP framework, a privacy parameter must be set—typically by the data collector—that determines the level of protection for user information. This decision is particularly challenging in high-dimensional settings, where user data includes multiple attributes such as name, date of birth, and social security number, each with differing levels of sensitivity. One common strategy is to allow the most sensitive data feature to dictate the level of privacy, providing the highest level of protection. Alternatively, separate private mechanisms can be applied to each feature according to its required privacy level. However, this approach fails when there is correlation between features. For instance, setting a lower level of privacy for a feature that is consistently aligned with a more sensitive one risks compromising the privacy of the sensitive feature.

This complexity raises a compelling question: Can we tailor privacy protection to specific data features if the correlation among data coordinates is controlled, without defaulting to the privacy level of the most sensitive coordinate? In other words, can we leverage users’ lower sensitivity preferences for certain features to reduce the error in our inference algorithms, provided the correlation with sensitive coordinates is weak?

Our contributions:

Our main contribution is addressing the challenge of feature-specific data protection from a Bayesian perspective. We present a novel Bayesian privacy framework, which we refer to as Bayesian Coordinate Differential Privacy (BCDP). BCDP complements LDP and allows a tailored privacy demand per feature. In essence, BCDP ensures that the odds of inferring a specific feature (also referred to as a coordinate) remain nearly unchanged before and after observing the outcome of the private mechanism. The framework’s parameters control the extent to which the odds remain unchanged, enabling varying levels of privacy per feature. As part of developing this new framework, we explore its formal relationship with other related DP notions and examine standard DP properties, such as post-processing and composition.

To demonstrate the efficacy of our framework, we study two fundamental problems in machine learning under a baseline level of LDP privacy, coupled with more stringent per-coordinate BCDP constraints. First, we address multivariate mean estimation. Our proposed algorithm satisfies BCDP constraints while outperforming a standard LDP algorithm, where the privacy level is determined by the most sensitive coordinate. Our experimental results confirm this advantage. Second, we present an algorithm for ordinary least squares regression under both LDP and BCDP constraints.

A key technical component of our algorithm for these two problems is a mechanism that builds on any off-the-shelf LDP mechanism and can be applied to various problems. Our algorithm involves making parallel queries to the LDP mechanism with a series of carefully selected privacy parameters where the $i$ -th query omits the $i-1$ most sensitive coordinates. The outputs are then aggregated to produce the most accurate estimator for each coordinate.

Bayesian Feature-Specific Protection:

We now give a high-level discussion of privacy in the Bayesian framework to motivate our approach. Formal definitions are in Section 2. Consider a set of users, each possessing a high-dimensional data point $\vecx$ with varying privacy protection needs across different features. For instance, $\vecx$ may contain genetic markers for diseases, and the $i$ -th coordinate $x_{i}$ could reveal Alzheimer’s markers that the user wishes to keep strictly confidential. In a local privacy setting, users apply a locally private mechanism $M$ to obtain obfuscated data $M(\vecx)$ , for public aggregation and analysis. Our focus is on understanding what can be inferred about $\vecx$ , especially the sensitive feature $x_{i}$ , from the obfuscated data.

Now, imagine an adversary placing a bet on a probabilistic event related to $\vecx$ . Without extra information, their chances of guessing correctly are based on prior knowledge of the population. However, access to $M(\vecx)$ could prove advantageous for inference. Privacy in the Bayesian model is measured by how much $M(\vecx)$ improves the adversary’s chances. In other words, the privacy parameter limits how much their odds can shift.

The standard Bayesian interpretation of LDP ensures uniform privacy across all data features. In contrast, our framework BCDP enhances LDP by enabling feature-specific privacy controls. That is, BCDP restricts adversarial inference of events concerning individual coordinates. For example, BCDP ensures that the advantage an adversary gains from observing $M(\vecx)$ when betting on whether a person has the Alzheimer’s trait (i.e., $x_{i}=1$ ) is smaller than what would be achieved under a less stringent LDP constraint.

We remark that BCDP does not replace LDP, since it lacks global data protection. Also, correlation plays a crucial role in BCDP’s effectiveness: if a sensitive feature is highly correlated with less sensitive features, increasing protection for the sensitive feature imposes stricter protection for other features as well. As the correlation between features increases, BCDP’s guarantees converge to the uniform guarantees of LDP.

Related Work:

Statistical inference with LDP guarantees has been extensively studied. For comprehensive surveys see Xiong et al. (2020); Yang et al. (2023). Below, we discuss the results that are most relevant to our setup.

Several papers consider the uneven protection of privacy across features. For instance, Ghazi et al. (2022) and Acharya et al. (2020) focus on settings where the privacy parameters vary across different neighboring datasets. Other models arise from altering the concept of neighboring datasets (Kifer and Machanavajjhala, 2014; He et al., 2014), or they emphasize indistinguishability guarantees within a redefined metric space for the datasets or data points Chatzikokolakis et al. (2013); Alvim et al. (2018); Imola et al. (2022); Andrés et al. (2013). Another relevant notion for classification tasks is Label-DP which considers labels of training data as sensitive, but not the features themselves (Chaudhuri and Hsu, 2011; Beimel et al., 2013; Wang and Xu, 2019; Ghazi et al., 2021). A recent generalization of Label-DP, proposed by Mahloujifar et al. (2023), is Feature-DP, which allows specific features of the data to be disclosed by the algorithm while ensuring the privacy of the remaining information. A line of work, e.g., Kifer and Machanavajjhala (2011); Kenthapadi et al. (2013), studies attribute DP, which limits changes in the output distribution of the privacy mechanism when a single coordinate of the data is modified.

A common shortcoming in the aforementioned approaches is that the heterogeneous privacy protection across features, without accounting for their correlations, can lead to unaddressed privacy leakage—an issue our framework is specifically designed to mitigate. Another key distinction of our work is the integration of the BCDP framework with the LDP framework, enabling simultaneous protection at both the feature level and the global level.

A Bayesian approach to Central-DP is considered in Triastcyn and Faltings (2020) where the notation of neighboring dataset are taken over pairs that are drawn from the same distribution. This is similar in spirit to our framework but we operate in the Local-DP regime so we work with a prior instead. Xiao and Devadas (2023) consider a Bayesian approach to privacy where the goal is to prevent an observer from being able to nearly guess the input to a mechanism under a given notion of distance and error probability. Another Bayesian interpretation of DP is presented in Kasiviswanathan and Smith (2014) and show that DP ensures that the posterior distribution after observing the output of a DP algorithm is close to the prior in Total-Variation distance. None of these results explicitly focus on varying privacy features across coordinates.

Private mean estimation and private least-squares regression are well studied problems in literature in both central (Biswas et al., 2020; Karwa and Vadhan, 2017; Kifer et al., 2012; Vu and Slavkovic, 2009) and local (Asi et al., 2022; Feldman and Talwar, 2021; Zheng et al., 2017) DP regimes. We depart from these works as we consider a BCDP constraint in addition to an LDP constraint.

Organization:

We present a formal treatment of our framework in Section 2. Some key properties of the framework are presented in Section 3. We consider the problem of mean estimation in Section 4 and ordinary least-squares regression in Section 5.

2 Problem Formulation

Let $\cX$ denote the data domain represented as the Cartesian product $\cX:=\bigtimes_{j=1}^{d}\cX_{j}$ . One can consider this as a general decomposition where each of $d$ canonical data coordinates can be categorical or a real value, or a combination of both, as the setting dictates. For a vector $\vecx\in\cX$ , we let $x_{i}$ denote the $i$ -th coordinate, and $\vecx_{-i}$ the vector with $(d-1)$ coordinates obtained by removing the $i$ -th coordinate $x_{i}$ from $\vecx$ . A private mechanism $M$ is a randomized algorithm that maps $\vecx$ to $M(\vecx)$ in an output space $\cY$ .

Let $(\cX,\cF_{\cX})$ and $(\cY,\cF_{\cY})$ be measurable spaces. Let each coordinate space $\cX_{i}$ be equipped with $\sigma$ -algebra $\cF_{\cX_{i}}$ , and take $\cF_{\cX}$ equal to the product $\sigma$ -algebra $\bigtimes_{i=1}^{d}\cF_{\cX_{i}}$ . A randomized mechanism $M$ from $\cX$ to $\cY$ can be represented by a Markov kernel $\mu:(\cX,\cF_{\cX})\to(\cY,\cF_{\cY})$ where for an input $\vecx\in\cX$ , the output $M(\vecx)$ is a $\cY$ -valued random variable with law $\mu_{\vecx}(\cdot)$ .

Local differential privacy

We first revisit the definition of Local Differential Privacy (LDP).

Definition 1 (Local DP (Kasiviswanathan et al., 2011)).

A mechanism $M$ is $\varepsilon$ -LDP if, for all $R\in\cF_{\cY}$ and all $\vecx,\vecx’\in\cX$ , we have:

\mu_{\vecx}(R)\leq e^{\varepsilon}\mu_{\vecx^{\prime}}(R).

(1)

With the understanding that $M(\vecx)\sim\mu_{\vecx}(\cdot)$ , Definition 1 can be rewritten in the more familiar form $\text{Pr}\{M(\vecx)\in R\}\leq e^{\varepsilon}\text{Pr}\{M(\vecx^{\prime})\in R\}\ \forall\vecx,\vecx^{\prime}\in\cX,R\in\cF_{\cY}$ .

Next, we focus on a Bayesian interpretation of this setting. Suppose we have an underlying data distribution $\pi$ . That is, we equip $(\cX,\cF_{\cX})$ with the probability measure $\pi$ which we call the prior. This induces a probability space $(\cX\times\cY,\cF_{\cX}\times\cF_{\cY},P)$ where the measure $P$ is characterized via

P(S\times R)=\int_{S}\mu_{\vecx}(R)d\pi(\vecx),\ S\in\cF_{\cX},R\in\cF_{\cY}.

(2)

Note that the mechanism $M$ defining $\mu$ is precisely represented on this space by the random variable $M:(\vecx,y)\in\cX\times\cY\mapsto y$ . By a slight abuse of notation, we continue to denote the (randomized) output of the mechanism by $M(\vecx)$ . We first define the sets on $\cX$ which have positive probability under $\pi$

\displaystyle\cF_{\cX}^{+}

\displaystyle=\{S\in\cF_{\cX}|\pi(S)>0\}.

(3)

For $S\in\cF_{\cX}^{+}$ and $R\in\cF_{\cY}$ , note that

\displaystyle P\{M(\vecx)\in R|\vecx\in S\}

\displaystyle=\frac{P(S\times R)}{\pi(S)}.

(4)

Bayesian differential privacy:

We now introduce a Bayesian formulation of the LDP definition which involves both the mechanism $M$ and the prior $\pi$ . This can be seen as the local version of the definitions proposed in earlier works, e.g., Kifer and Machanavajjhala (2014); Triastcyn and Faltings (2020).

Definition 2 (Bayesian DP).

The pair $(\pi,M)$ is $\varepsilon$ -BDP if for all $R\in\cF_{\cY}$ and all $S,S^{\prime}\in\cF_{\cX}^{+}$ , we have:

\displaystyle P\{M(\vecx)\in R|\vecx\in S\}\leq e^{\varepsilon}P\{M(\vecx)\in R|\vecx\in S^{\prime}\}.

(5)

We show in Proposition 1 that $\varepsilon$ -LDP and $\varepsilon$ -BDP can be viewed as equivalent, modulo some technicalities.

Proposition 1.

If $M$ is $\varepsilon$ -LDP then $(\pi,M)$ is $\varepsilon$ -BDP. Conversely, if $(\pi,M)$ is $\varepsilon$ -BDP, then (assuming $\cY$ is a Polish space) there exists a mechanism $M^{\prime}$ which is $\varepsilon$ -LDP such that $P\{M(\vecx)=M^{\prime}(\vecx)\}=1$ .

The reverse direction of the equivalence above relies on $\cY$ being a Polish space, which should capture all settings of practical interest. The proof can be found in Appendix A.1.

As discussed in Kifer and Machanavajjhala (2014), we can interpret the BDP definition in terms of odds ratios. The prior odds of two disjoint events $S$ and $S^{\prime}$ is given by $\pi(S)/\pi(S^{\prime})$ . Now, for a set $R\in\mathcal{F}_{\mathcal{Y}}$ with positive measure, the posterior odds, after observing mechanism output $M(\vecx)\in R$ , is equal to

\frac{P\{\vecx\in S|M(\vecx)\in R\}}{P\{\vecx\in S^{\prime}|M(\vecx)\in R\}}.

(6)

One can easily verify that the BDP definition implies that the ratio of posterior and prior odds, also known as the odds ratio, is in the interval $[e^{-\varepsilon},e^{\varepsilon}]$ . In other words, the BDP definition limits how much the output of the mechanism changes the odds, which in turn limits our ability to distinguish whether the data $\vecx$ was in $S$ or $S^{\prime}$ .

Coordinate differential privacy:

We wish to measure the privacy loss of each coordinate incurred by a mechanism $M$ . Initially, one might hypothesize that by altering the definition of LDP to reflect changes in specific coordinates, we could achieve privacy protection for certain features of the user’s data. More precisely, consider the following definition of Coordinate DP (CDP)¹¹1The acronym CDP is not to be confused with Concentrated DP, which is not considered in this work. where $\bm{c}$ represents a vector of the desired levels of privacy for each coordinate.

Definition 3 (Coordinate DP).

Let $\bm{c}\in\bbR_{\geq 0}^{d}$ . A mechanism $M$ is $\bm{c}$ -CDP if, for all $R\in\cF_{\cY}$ and all $\vecx,\vecx^{\prime}\in\cX$ , we have the implication:

\vecx_{-i}=\vecx^{\prime}_{-i}~{}\Rightarrow~{}\mu_{\vecx}(R)\leq e^{c_{i}}\mu_{\vecx^{\prime}}(R).

(7)

A special case of CDP, where all $c_{i}$ ’s are equal, is referred to as attribute DP in the literature Kifer and Machanavajjhala (2011); Kenthapadi et al. (2013); Ghazi et al. (2022). Additionally, CDP itself can be viewed as a special case of Partial DP, introduced in Ghazi et al. (2022).

The drawback of this definition is that it does not account for potential correlation among the data coordinates and, therefore, does not provide the type of guarantee we hope for regarding sensitive parts of the data. In other words, in $\bm{c}$ -CDP, stating that the privacy level of coordinate $i$ is $c_{i}$ could be misleading. For instance, having $c_{i}=0$ does not necessarily ensure that no information is leaked about $x_{i}$ , as the other (potentially less-well protected) coordinates $\vecx_{-i}$ may be correlated with it.

Our formulation: Bayesian coordinate differential privacy:

In order to capture the correlation among the data coordinates, we adopt a Bayesian interpretation of differential privacy. As seen in Proposition 1, BDP and LDP are closely related and this serves as the main motivation for our definition.

For $i\in[d]$ , define

\cF_{\cX_{i}}^{+}=\{S_{i}\in\cF_{\cX_{i}}|\pi\{x_{i}\in S_{i}\}>0\}.

(8)

For $S_{i}\in\cF_{\cX_{i}}^{+}$ , we have

P\{M(\vecx)\in R|x_{i}\in S_{i}\}=\frac{P((S_{i}\times\cX_{-i})\times R)}{\pi(S_{i}\times\cX_{-i})},

(9)

where $\cX_{-i}=\bigtimes_{j\in[d],j\neq i}\cX_{j}$ . Thus, similar to Definition 2, we have a natural version of privacy for each coordinate which we shall refer to as Bayesian Coordinate DP (BCDP).

Definition 4 (Bayesian Coordinate DP).

Let $\bm{\delta}\in\bbR_{\geq 0}^{d}$ . A pair $(\pi,M)$ is $\bm{\delta}$ -BCDP if, for each $i\in[d]$ , and for all $R\in\cF_{\cY}$ , $S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+}$ , we have:

P\{M(\vecx)\in R|x_{i}\in S_{i}\}\leq e^{\delta_{i}}P\{M(\vecx)\in R|x_{i}\in S_{i}^{\prime}\}.

(10)

Unlike the Coordinate-DP definition, this definition accounts for potential correlation between coordinates through incorporation of the prior $\pi$ .

It is worth noting that, similar to the BDP definition, we can interpret the BCDP definition in terms of the odds ratio, with the difference that we consider the two events $\{x_{i}\in S_{i}\}$ and $\{x_{i}\in S_{i}’\}$ . In other words, having a small $\delta_{i}$ guarantees that the mechanism’s output does not provide much useful information for discriminating between the possibilities that the underlying data has coordinate $x_{i}$ in $S_{i}$ or $S_{i}’$ . This aligns with our goal of proposing a new formulation that characterizes how much information is revealed about each particular coordinate. We further discuss this interpretation in the next section.

3 Properties of BCDP

In this section, we discuss a number of properties following from the BCDP definition. Figure 1 compiles some of the results from Section 2 and Section 3 on how the different notions of Local DP (LDP), Coordinate-DP (CDP), Bayesian DP (BDP), and Bayesian Coordinate-DP (BCDP) are interrelated.

3.1 BCDP through the Lens of Hypothesis Testing

In this subsection, we present an interpretation of what the privacy vector $\bm{\delta}$ quantifies in $\bm{\delta}$ -BCDP. We begin by revisiting the connection between hypothesis testing and the definition of differential privacy, and demonstrate how this connection extends to the $\bm{\delta}$ -BCDP definition. For an $\varepsilon$ -LDP mechanism $M$ represented by Markov kernel $\mu$ , suppose an adversary observes a realization of the output $Y$ and is tasked with determining whether the input was $\vecx$ or $\vecx’$ . This scenario can be formulated as the following binary hypothesis problem:

	$\displaystyle H_{0}$	$\displaystyle:Y\sim\mu_{\vecx}(\cdot),$
	$\displaystyle H_{1}$	$\displaystyle:Y\sim\mu_{\vecx^{\prime}}(\cdot).$

Let the rejection region be $R\subseteq\cY$ . Denote the type I error (false alarm) rate as $\alpha(R,M,\vecx,\vecx^{\prime})$ and the type II error (missed detection) rate as $\beta(R,M,\vecx,\vecx^{\prime})$ . We restate a known result below (Kairouz et al., 2015; Wasserman and Zhou, 2010).

Proposition 2.

A mechanism $M(\cdot)$ is $\varepsilon$ -LDP iff the following condition holds for any $\vecx,\vecx^{\prime}\in\cX$ and any $R\in\cF_{\cY}$ :

\displaystyle e^{\varepsilon}\alpha(R,M,\vecx,\vecx^{\prime})+\beta(R,M,\vecx,\vecx^{\prime})

\displaystyle\geq 1.

(11)

We note that the criterion (11) can be equivalently replaced by the criterion

\alpha(R,M,\vecx,\vecx^{\prime})+e^{\varepsilon}\beta(R,M,\vecx,\vecx^{\prime})\geq 1.

As noted in Kairouz et al. (2015), this operational perspective shows that it is impossible to force type I and type II error rates to simultaneously vanish for a DP algorithm, and the reverse implication also holds.

For BCDP:

Now, consider a $\bm{\delta}$ -BCDP mechanism $M$ . Suppose an adversary has knowledge of the prior $\pi$ and again observes the algorithm’s output $Y$ . For any $i\in[d]$ , the adversary aims to distinguish whether the output was generated from data where the $i$ -th coordinate belongs to the set $S_{i}$ or $S_{i}’$ . In other words, we consider the following binary hypothesis testing problem:

	$\displaystyle H_{0}^{i}$	$\displaystyle:Y\sim P\{\,\cdot\,\|x_{i}\in S_{i}\},$
	$\displaystyle H_{1}^{i}$	$\displaystyle:Y\sim P\{\,\cdot\,\|x_{i}\in S_{i}^{\prime}\}.$

Let the rejection region for the $i$ -th hypothesis test be $R_{i}\in\cF_{\cY}$ . For the $i$ -th test, denote the type I and type II error rates as $\alpha(R_{i},M,S_{i},S_{i}^{\prime})$ and $\beta(R_{i},M,S_{i},S_{i}^{\prime})$ . Then, the following result holds:

Theorem 1.

A pair $(\pi,M)$ is $\bm{\delta}$ -BCDP iff the following condition holds for every coordinate $i\in[d]$ :

\displaystyle e^{\delta_{i}}\alpha(R_{i},M,S_{i},S_{i}^{\prime})+\beta(R_{i},M,S_{i},S_{i}^{\prime})

\displaystyle\geq 1,

(12)

for any $S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+}$ and $R_{i}\in\cF_{\cY}$ .

We note that the criteria (12) can be equivalently replaced by the criteria

\alpha(R_{i},M,S_{i},S_{i}^{\prime})+e^{\delta_{i}}\beta(R_{i},M,S_{i},S_{i}^{\prime})\geq 1.

The proof of Theorem 1 is presented in Section A.2. Thus, the theorem shows that the vector $\bm{\delta}$ in the $\bm{\delta}$ -BCDP formulation captures the privacy loss for each of the coordinates in the same way $\varepsilon$ in $\varepsilon$ -DP captures the privacy loss of the entire data. In contrast, the vector $\vecc$ in $\vecc$ -CDP does not have such an interpretation of privacy loss across the coordinates.

Figure 1: General relation of LDP (Definition 1), BDP (Definition 2), CDP (Definition 3) and BCDP (Definition 4). The condition

\veca\preceq\vecb

is to be read as

a_{i}\leq b_{i}\ \forall i

. The implication arrows and the described transformation of the parameters are to be interpreted as sufficient condition. For example, an

\varepsilon_{L}

-DP mechanism is guaranteed to be

\vecc

-CDP for

\vecc\preceq\varepsilon_{L}\bm{1}

. The function that translates

\vecc

-CDP under the prior

\pi

to BCDP is presented in the Proposition 4.

3.2 BCDP can be achieved via LDP

We begin by a simple result that follows directly from $\varepsilon$ -BDP definition. If a mechanism is $\varepsilon$ -LDP, then it is also $\varepsilon$ -BDP. Noticing that $\varepsilon$ -BDP ensures a ratio of $e^{\varepsilon}$ for each coordinate as well in (10), we see that each coordinate has a privacy level of $\varepsilon$ as well. Proposition 3 formalizes this observation and the proof can be found in Section A.3.

Proposition 3.

(LDP to BCDP) An $\varepsilon$ -LDP mechanism satisfies $\varepsilon\bm{1}$ -BCDP.

Thus, a baseline approach to implement $\bm{\delta}$ -BCDP is to use a $(\min_{i}\delta_{i})$ -LDP mechanism. Nevertheless, this would mean that we provide the most conservative privacy guarantee required for one coordinate to all coordinates. However, as we will show, we can maintain an $\varepsilon>\min\bm{\delta}$ for the overall privacy guarantee while providing the $\bm{\delta}$ -BCDP guarantee, therefore achieving lower error for downstream tasks.

3.3 BCDP does not imply LDP

It should be noted that BCDP does not ensure LDP, BDP, or CDP. Example 1 below demonstrates a mechanism that is BCDP, but not LDP.

Example 1.

Consider data $\vecx=(x_{1},x_{2})$ where $x_{1},x_{2}$ are i.i.d. Bern $(\frac{1}{2})$ , and let $\mathcal{Y}=\{0,1\}$ . Let $M$ be defined by the table below, with parameters $a,b,c\in(0,1]$ . Mechanism $M$ is not LDP (and hence, neither BDP nor CDP). However, for BCDP, the terms $P\{M(\vecx)=y|x_{i}=0\}$ and $P\{M(\vecx)=y|x_{i}=1\}$ have a finite multiplicative ranges in $y=0,1$ , for both $i=1,2$ . For instance, if $a=b=c=1/2$ , the resulting $M$ is $(\log(2),\log(2))$ -BCDP.

$P\{M(\vecx)=1\|\vecx\}$		$x_{1}$
$P\{M(\vecx)=1\|\vecx\}$		0	1
$x_{2}$	0	$a$	$b$
$x_{2}$	1	$0$	$c$

The takeaway from the above example is that there can be priors and mechanisms such that the prior-mechanism pair is $\bm{\delta}$ -BCDP but not $\varepsilon$ -DP for any value of $\varepsilon<\infty$ . Intuitively, BCDP quantifies privacy loss for each coordinate. In Example 1, one cannot distinguish much about any particular coordinate when the output is observed due to the BCDP guarantee. However, one may still be able to make conclusions over the coordinates jointly. For instance, if the mechanism output in Example 1 is $1$ , then the input could not have been $\vecx=(0,1)$ .

As this result suggests, just ensuring BCDP is not sufficient to guarantee overall privacy. In other words, the right way to think of BCDP is that it is a tool that allows us to quantify the privacy offered by an algorithm for each coordinate. The user can demand overall $\varepsilon$ -LDP along with $\bm{\delta}$ -BCDP where the value $\delta_{i}$ could be significantly smaller than $\varepsilon$ for those coordinates that the user feels more concerned about their privacy.

3.4 Achieving BCDP via CDP

As we discussed earlier, CDP does not imply the BCDP, as it does not take into account the correlation among the features. Therefore, a natural question arises: could CDP, along with some bound on the dependence among the features, lead to a bound with respect to the BCDP definition? The next result provides an answer to this question. We denote the total variation distance between two distributions $P$ and $Q$ as $\mathsf{TV}(P,Q)$ .

Proposition 4.

(CDP to BCDP) Suppose mechanism $M$ is $\bm{c}$ -CDP and there exists $q_{1},\ldots,q_{d}$ such that

\mathsf{TV}(\pi_{\vecx_{-i}|x_{i}\in S_{i}},\pi_{\vecx_{-i}|x_{i}\in S_{i}^{\prime}})\leq q_{i}\ \forall\ S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+}.

(13)

Then:

1.

The mechanism is $\sum_{i=1}^{n}c_{i}$ -LDP and $\bm{\delta}$ -BCDP with $\delta_{i}=c_{i}+\log(1+q_{i}e^{\sum_{j\neq i}c_{j}}-q_{i})$ .
2.

In case that the mechanism is $\varepsilon$ -LDP for some $\varepsilon\geq 0$ , then it is $\bm{\delta}^{\prime}$ -BCDP with $\delta^{\prime}_{i}=\min\{c_{i}+\log(1+q_{i}e^{\varepsilon}-q_{i}),\varepsilon\}$ .

For the proof, see Appendix A.4. To better highlight this result, consider a simple example in which that the input’s $d$ coordinates are redundant copies of the same value and we have access to a $\vecc$ -CDP mechanism $M$ . Then, as Proposition 4 suggests, and given that we have $q_{i}=1$ here, this mechanism is $\bm{\delta}$ -BCDP with $\delta_{i}=\sum_{j}c_{j}$ . This is, of course, intuitive, as all coordinates reveal information about the same value. It also reinforces that the BCDP is sensitive to correlations, unlike CDP. The first part of Proposition 4 provides an immediate method for constructing a BCDP mechanism using mechanisms that offer CDP guarantees, such as applying off-the-shelf LDP mechanisms per coordinate. This can also be done without requiring full knowledge of the prior. The second part of Proposition 4 suggests that in cases where we design an algorithm that has a tighter LDP guarantee than just $\sum_{i=1}^{n}c_{i}$ , we can further improve the BCDP bound. One example of such a construction is provided in our private mean estimation algorithm in Section 4. One challenge with this approach is translating the constraint $\bm{\delta}$ to a vector $\bm{c}$ . In Section A.5, we provide a tractable approach to do so by imposing a linear constraint on $\vecc$ .

3.5 Do Composition and Post-Prossesing Hold for BCDP?

Composition is a widely used and well-known property of LDP. Nonetheless, as the following example highlights, the composition, as traditionally applied in differential privacy settings, does not hold in the BCDP setting.

Example 2.

Let $\vecx\in\mathbb{R}^{3}$ be a Bernoulli vector where coordinates’ distributions are independent and each one is $\text{Ber}(1/2)$ . Consider the mechanism

M(\vecx)=\begin{cases}[x_{1}\oplus x_{2},x_{3}]^{\top}&\text{ with probability }\frac{1}{2}\\ [x_{2},x_{1}\oplus x_{3}]^{\top}&\text{ with probability }\frac{1}{2},\end{cases}

(14)

where $\oplus$ denotes the sum in $\mathbb{Z}_{2}$ . It is straightforward to verify that $M(\cdot)$ is in fact $\delta_{1}=0$ -BCDP with respect to the first coordinate. However, having two independent copies of $M(\cdot)$ is not BCDP with respect to the first coordinate. To see this, consider the case where $x_{1}=1$ and, in two copies of $M(\vecx)$ , one adds $x_{1}$ to $x_{2}$ and the other adds it to $x_{3}$ . By observing the two copies, we can determine $x_{1}=1$ .

On the other hand, the post-processing property holds for BCDP (see Appendix A.6 for the proof).

Proposition 5.

(Post processing for BCDP) Let $M(\cdot)$ be a $\bm{\delta}$ -BCDP mechanism and $K:\mathcal{Y}\to\mathcal{Z}$ be a measurable function. Then, $K\circ M$ is also $\bm{\delta}$ -BCDP.

4 Private Mean Estimation

Mechanism 1 Proposed locally private mechanism

M_{\mathsf{mean}}(\vecx,\vecc)

Input: user data

\vecx\in[-1,1]^{d}

and non-decreasing vector

\vecc

c_{0}\leftarrow 0

For

k\in[d]

, set

w_{k}=\frac{(c_{k}-c_{k-1})^{2}}{(d-k+1)}

for

k\in[d]

\vecY^{k}\leftarrow M_{\mathsf{LDP}}(\vecx_{k:d},c_{k}-c_{k-1},\sqrt{d-k+1})\in\bbR^{d-k+1}

end for

\hat{\nu}_{i}\leftarrow(\sum_{k=1}^{i}Y_{i+1-k}^{k}w_{k})/(\sum_{k=1}^{i}w_{k})

for

i\in[d]

Return

\hat{\bm{\nu}}

Figure 2: The figure illustrates how the mechanism

M_{\mathsf{mean}}

in Mechanism 1 obtains the estimate

\bm{\hat{}}{\nu}

. For example, the vector

Y^{k}

is obtained by taking the vector

(x_{k},x_{k+1},\ldots,x_{d})

and using the LDP channel

M_{\mathsf{LDP}}

with privacy parameter

c_{k}-c_{k-1}

\hat{\nu}_{i}

is obtained by taking a linear combination of the component of

\{Y^{k}\}_{k\in[d]}

corresponding to

x_{i}

, i.e., directly below

x_{i}

in the figure.

Mechanism 2 Local DP channel for data in

\cB_{2}(r)

proposed by Duchi et al. (2013a)

Input: user data

\vecv

, Local-DP level

\alpha\geq 0

, and bound

r

such that

\vecv\in\cB_{2}(r)

d\leftarrow

dimension(

\vecv

)

B\leftarrow\sqrt{\pi}dr\frac{e^{\alpha}+1}{e^{\alpha}-1}\frac{\Gamma(\frac{d+1}{2})}{\Gamma(\frac{d}{2}+1)}

K\sim

Bern

(\frac{e^{\alpha}}{e^{\alpha}+1})

S\sim

Bern

(\frac{1}{2}+\frac{\|\vecv\|_{2}}{2r})

\tilde{\vecv}\leftarrow(2S-1)\frac{r\vecv}{\|\vecv\|_{2}}

Return

Z\sim

Uniform

(\vecz\in\bbR^{d}:(2K-1)\vecz^{T}\tilde{\vecv}>0,\|\vecz\|_{2}=B)

To demonstrate the practical use of the BCDP framework, we consider the private mean estimation problem.

Problem Setup:

Let there be $n$ users submitting their data to a central server via Local DP mechanisms. Let user $j$ ’s data be $\vecx^{(j)}\in[-1,1]^{d}$ , where $\vecx^{(j)}$ is drawn from prior $\pi^{(j)}$ on $[-1,1]^{d}$ ; the server and users are not assumed to know the priors (which may be different for each individual user). Our goal is to estimate the empirical mean $\bar{\vecx}=\sum_{j=1}^{n}\frac{\vecx^{(j)}}{n}\in[-1,1]^{d}$ under $\varepsilon$ -LDP and $\bm{\delta}$ -BCDP. We consider $l_{2}$ -norm as our error metric. Without loss of generality, we assume that $\bm{\delta}$ is in non-decreasing order. We make the following assumption regarding the priors.

Assumption 1.

For every $i\in[d-1]$ and every $j\in[n]$ , we have

\mathsf{TV}(\pi^{(j)}_{x_{-i}|x_{i}\in S_{i}},\pi^{(j)}_{x_{-i}|x_{i}\in S_{i}^{\prime}})\leq q\quad\forall S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+}.

(15)

Here $q$ can be interpreted as a measure of how much different coordinates are interdependent. For instance, in the case where coordinates are independent we have $q=0$ , and in the case where they are fully equal, we have $q=1$ . Note that we do not need (15) to hold for the last coordinate ( $i=d$ ). While this slight relaxation does not play a role in this section, it will be useful when we move to the private optimization application.

It is also worth emphasizing that our analysis extends to cases where we have heterogeneous bounds across different coordinates (similar to $\eqref{eq:tv-bound}$ ) and different across users. However, we opt for a universal bound for the sake of simplifying the presentation of results. We assume that the upper bound $q$ is known to the designer of the local channels, which can be either the end user themselves or the central server.

Our proposed privacy mechanism $M_{\mathsf{mean}}$ (Mechanism 1) builds upon any LDP mechanism $M_{\mathsf{LDP}}$ , capable of handling different dimensional inputs, that can be used for mean estimation as a black-box tool. While Algorithm 1 satisfies the privacy constraints for any black-box LDP mechanism $M_{\mathsf{LDP}}$ , we shall focus on the mechanism presented by Duchi et al. (2013a) for proving error bounds. The mechanism of Duchi et al. (2013a), which is known to be minimax optimal for mean estimation, is outlined in Mechanism 2 for completeness. A figure explaining $M_{\mathsf{mean}}$ is presented in Figure 2.

Theorem 2 shows that our proposed mechanism satisfies the desired privacy constraints and provides a bound on the mean-squared error (MSE). The notation $a\wedge b$ refers to $\min\{a,b\}$ . later in this section we present a refined result with a more interpretable MSE bound in Corollary 1.

Theorem 2.

Suppose 1 holds and let $\tilde{\delta}_{i}:=\min\{\delta_{i},\varepsilon\}$ for any $i\in[d]$ . Then, $M_{\mathsf{mean}}$ , i.e., Mechanism 1, with parameters

c_{d}=\min\left\{\log(\frac{e^{\zeta\tilde{\delta}_{1}}+q-1}{q}),\tilde{\delta}_{d}\right\},\,c_{0}=0,

(16)

\forall i<d,\ c_{i}=\begin{cases}c_{d}&\text{if }c_{d}\leq\tilde{\delta}_{i},\\ \tilde{\delta}_{i}-\log(1+qe^{c_{d}}-q)&\text{otherwise},\end{cases}

where $\zeta\in(0,1]$ is a free parameter, is $\bm{\delta}$ -BCDP and $\varepsilon$ -LDP. Moreover, using Mechanism 2 as $M_{\mathsf{LDP}}$ , we obtain the following mean-squared error bound

\bbE\left[\bigg{\|}\bar{\vecx}-\Pi\bigg{(}\frac{1}{n}\sum_{j=1}^{n}M_{\mathsf{mean}}(\vecx^{(j)},\vecc)\bigg{)}\bigg{\|}_{2}^{2}\bigg{|}\vecx^{(1)},\ldots,\vecx^{(n)}\right]\lesssim\frac{1}{n}\sum_{i=1}^{d}\left(\frac{1}{\sum_{k=1}^{i}\frac{(c_{k}-c_{k-1})^{2}}{d-k+1}}\right)\wedge d,

(17)

where $\Pi(\cdot)$ denotes projection into $[-1,1]^{d}$ and the expectation is taken over the randomness in $M_{\mathsf{mean}}(\cdot)$ .

The proof is presented in Appendix B.2. Here, we provide a proof sketch for the privacy guarantee. We first establish that $M_{\mathsf{mean}}$ is $\vecc$ -CDP and $c_{d}$ -LDP. The latter implies that $M_{\mathsf{mean}}$ also satisfies $c_{d}\bm{1}$ -BCDP. Thus, if $\tilde{\delta}_{i}\geq c_{d}$ , we have already shown that $M_{\mathsf{mean}}$ is $\delta_{i}$ -BCDP with respect to the $i$ -th coordinate. For the case where $c_{d}>\tilde{\delta}_{i}$ , we use Proposition 4, which essentially implies that $M_{\mathsf{mean}}$ is $c_{i}+\log(1+qe^{c_{d}}-q)$ -BCDP with respect to the $i$ -th coordinate. Substituting the value of $c_{i}$ from the statement of Theorem 2 gives us the desired $\delta_{i}$ -BCDP guarantee for coordinate $i$ . Finally, the choice of $c_{d}$ in (16) ensures that the proposed $c_{i}$ ’s are all non-negative and valid.

We next make a few remarks regarding this result. First, note that while this bound applies to empirical mean estimation, when the data points $\{\vecx^{(j)}\}_{j=1}^{n}$ are independent and identically distributed, the result can also be used to derive an out-of-sample error bound for the statistical private mean estimation problem. In this case, an additional $\frac{d}{n}$ term would be added to the error bound. Secondly, note that in the special case where there is no coordinate-level privacy requirement (i.e., $\delta_{i}=\infty$ ), setting $\zeta=1$ implies $c_{1}=\ldots=c_{d}=\varepsilon$ , which yields the error bound $\mathcal{O}({d^{2}}/(n\varepsilon^{2}))$ . This matches the $\varepsilon$ -LDP lower bound provided in Duchi et al. (2013a). Lastly, we would like to discuss the role of parameter $\zeta$ . Note that when the correlation parameter $q$ is sufficiently high or the most sensitive privacy requirement $\delta_{1}$ is low enough such that $c_{d}$ is determined by the first term, $\log((e^{\zeta\tilde{\delta}_{1}}+q-1)/{q})$ , in (16), one can verify that $c_{1}=(1-\zeta)\delta_{1}$ . As $\zeta$ increases, $c_{1}$ decreases, leading to a worse estimate for the first coordinate. However, $c_{d}$ increases, indicating that, for the less-sensitive coordinates, we are increasing the privacy parameter, potentially resulting in lower estimation error for those coordinates. In other words, the parameter $\zeta$ allows us to control how we allocate the privacy budget of the most sensitive coordinate, $\delta_{1}$ , between the estimation of the first coordinate and the privacy cost imposed by its correlation with other coordinates.

We next present a corollary that studies a special case where the coordinates are divided into more sensitive and less sensitive groups. In this case, users requests a general $\varepsilon$ -LDP guarantee for all coordinates and a $\delta$ -BCDP guarantee specifically for the more sensitive coordinates. Under this scenario, we further simplify the error bound which allows us to better highlight implications of Theorem 2.

Corollary 1.

Suppose we are under the premise of Theorem 2, with $\delta_{i}=\delta$ for $1\leq i\leq k$ and $\delta_{i}=\varepsilon>2\delta$ for $d\geq i>k$ . Then, by choosing $\zeta=0.5$ , the mean-squared error upper bound in (17) simplifies to

\displaystyle\mathcal{O}(1)\frac{1}{n}\cdot\left(\frac{dk}{\delta^{2}}+\frac{(d-k)^{2}}{\varepsilon^{2}}\right),

(18)

for the case $q\leq\frac{e^{\delta/2}-1}{e^{\varepsilon}-1}$ , and to

\displaystyle\mathcal{O}(1)\frac{1}{n}\cdot\left(\frac{dk}{\delta^{2}}+\frac{(d-k)^{2}}{\frac{d-k}{d}\delta^{2}+(c_{d}-\delta/2)^{2}}\right),

(19)

otherwise, with $c_{d}=\log(\frac{e^{\delta/2}+q-1}{q})$ decreasing from $\varepsilon$ to $\delta/2$ as $q$ increases from $(e^{\delta/2}-1)/(e^{\varepsilon}-1)$ to 1.

Under the special structure of $\bm{\delta}$ and $\varepsilon$ in Corollary 1, the MSE can be thought of as sum of MSE of the more sensitive and the less sensitive coordinates. For low levels of correlation, the MSE of less private coordinates behave like the MSE of an $\varepsilon$ -LDP mechanism on $d-k$ dimensional vector but the MSE of the more sensitive part depends on the dimension $d$ of the whole vector, not just the sensitive part, showing how the more sensitive part of the data affects the whole vector. As the correlation increases $q\to 1$ , we have $c_{d}\to\delta/2$ and the MSE matches that of a $\min\bm{\delta}$ -LDP mechanism. A supporting experiment is deferred to Appendix B.1.

5 Private Least-Squares Regression

We focus on how the BCDP framework can be employed on least-squares problems. Consider a setting in which $n$ datapoints are distributed among $n$ users, where $\vecx^{(i)}=[{\vecz^{(i)}}^{\top}\ l^{(i)}]^{\top}\in\mathbb{R}^{d}$ represents the data of user $i$ , with $\vecz^{(i)}$ as the feature vector for the $i$ -th data point and $l^{(i)}$ as its label. Our goal is to solve the following empirical risk minimization problem privately over the data of $n$ users:

\min_{\bm{\theta}\in\Theta}f(\bm{\theta}):=\frac{1}{n}\sum_{i=1}^{n}\ell(\bm{\theta},\vecx^{(i)}),

(20)

where $\ell(\bm{\theta},\vecx^{(i)}):=\frac{1}{2}(\bm{\theta}^{\top}\vecz^{(i)}-l^{(i)})^{2}$ and $\Theta\subset\mathbb{R}^{d-1}$ is a compact convex set. We denote the solution of (20) by $f^{*}$ , achieved at some point $\bm{\theta}^{*}$ .

The customary approach in private convex optimization is to use a gradient-based method, perturbing the gradient at each iteration to satisfy the privacy requirements. However, this approach is not suitable for cases in which coordinate-based privacy guarantees are needed. The difficulty is that each coordinate of the gradient is typically influenced by all coordinates of the data. As a result, and it becomes challenging to distinguish the level of privacy offered to different coordinates of the data. Instead, we first perturb the users’ data locally and then compute the gradient at the perturbed point to update the model at the server.

However, computing the gradient based on perturbed data introduces its own challenges. In particular, the gradient of $\ell(\bm{\theta},\vecx)$ with $\vecx=[{\vecz}^{\top}l]^{\top}$ , given by

\nabla\ell(\bm{\theta},\vecx)=\vecz\vecz^{\top}\bm{\theta}-l\vecz,

(21)

is not a linear function of the data. As a result, although the privacy mechanism outputs an unbiased estimate of the true data, this non-linearity introduces an error in the gradient with a non-zero mean, preventing the algorithm from converging to the optimal solution. To overcome this challenge, we observe that the aforementioned non-linearity in the data arises from the product terms $\vecz\vecz^{\top}$ and $l\vecz$ . Therefore, if we create two private copies of the data and replace each term of the product with one of the copies, we obtain a stochastic unbiased estimate of the gradient at the server. The catch, of course, is that we need to divide our privacy budget in half.

A summary of the algorithm is presented in Algorithm 3. There, $\text{OPT}(g,\delta)$ refers to any convex optimization algorithm of choice, e.g., gradient descent, that finds the minimizer of the function $g(\cdot)$ over the set $\Theta$ and up to an error of $\delta$ .

Algorithm 3 BCDP and LDP least-squares regression

Input: Users’ data

\{\vecx^{(i)}\}_{i=1}^{n}

and vector

\vecc

for

i\in[n]

//user

i

sends locally perturbed data to the server

\bm{\hat{x}}^{(i,1)}\leftarrow M_{\mathsf{mean}}(\vecx^{(i)},\vecc/2)

\bm{\hat{x}}^{(i,2)}\leftarrow M_{\mathsf{mean}}(\vecx^{(i)},\vecc/2)

end for

//server optimizes with the perturbed data

\hat{f}(\bm{\theta}):=\frac{1}{2n}\sum_{i=1}^{n}\left(\bm{\theta}^{\top}\bm{\hat{z}}^{(i,1)}\bm{\hat{z}}^{{(i,2)}^{\top}}\bm{\theta}-2\bm{\theta}^{\top}\hat{l}^{(i,1)}\bm{\hat{z}}^{(i,2)}\right)

\bm{\hat{\theta}}\leftarrow\text{OPT}(\hat{f},\frac{1}{{n}})

Return

\bm{\hat{\theta}}

We make the assumption that the data is bounded.

Assumption 2.

$\vecx^{(i)}\in[-1,1]^{d}$ for all $i\in[n]$ .

We also need 1, which bounds the dependence of each coordinate on the other coordinates of the data. Recall that the last coordinate is exempt from this assumption, which is why we position the label as the last coordinate of the data. It is not reasonable to assume the feature vector is weakly correlated with the label, as that would violate the premise of regression. We next state the following result on Algorithm 3.

Theorem 3.

Suppose Assumptions 1 and 2 hold. Then, Algorithm 3, with $\vecc$ set similar to Theorem 2, is $\bm{\delta}$ -BCDP and $\varepsilon$ -LDP. Moreover, using Mechanism 2 as $M_{\mathsf{LDP}}$ , we obtain the following error rate

\bbE\left[f(\bm{\hat{\theta}})-f^{*}\bigg{|}\vecx^{(1)},\ldots,\vecx^{(n)}\right]\lesssim\max_{\bm{\theta}\in\Theta}(\|\bm{\theta}\|^{2}+\|\bm{\theta}\|)\left(\frac{\log d}{\sqrt{n}}(r^{2}+rd)\wedge d\right),

(22)

with $r^{2}=\sum_{i=1}^{d}1/(\sum_{k=1}^{i}\frac{(c_{k}-c_{k-1})^{2}}{d-k+1})$ .

The proof of this theorem can be found in Appendix C.1. It is worth noting that $r^{2}$ appears in the mean-squared error bound in Theorem 2. That said, if we consider special cases similar to the setting in Corollary 1, the term $r^{2}$ would simplify in a similar manner.

We conclude this section by noting that, while we focus on linear regression here, our approach can provide an unbiased gradient and guarantee privacy in any setting where the loss function $\ell(\bm{\theta},\vecx)$ has a quadratic (or even low-degree polynomial) dependence on $\vecx$ , such as neural networks with $\ell_{2}$ loss. However, the optimization error in such cases may require further considerations, as non-convex loss functions could arise.

6 Acknowledgements

This work was done in part while M.A. was a research fellow at the Simons Institute for the Theory of Computing. A.F. and M.J. acknowledge support from the European Research Council (ERC-2022-SYG-OCEAN-101071601). Views and opinions expressed are however those of the authors only and do not necessarily reflect those of the European Union or the European Research Council Executive Agency. Neither the European Union nor the granting authority can be held responsible for them. S.C. acknowledges support from AI Policy Hub, U.C. Berkeley; S.C. and T.C. acknowledge support from NSF CCF-1750430 and CCF-2007669.

References

Acharya et al. [2020] J. Acharya, K. Bonawitz, P. Kairouz, D. Ramage, and Z. Sun. Context aware local differential privacy. In Proceedings of the 37th International Conference on Machine Learning, pages 52–62. PMLR, 2020.
Alvim et al. [2018] M. Alvim, K. Chatzikokolakis, C. Palamidessi, and A. Pazii. Invited paper: Local differential privacy on metric spaces: Optimizing the trade-off with utility. In 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pages 262–267, 2018.
Andrés et al. [2013] M. E. Andrés, N. E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi. Geo-indistinguishability: Differential privacy for location-based systems. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 901–914, 2013.
Asi et al. [2022] H. Asi, V. Feldman, and K. Talwar. Optimal algorithms for mean estimation under local differential privacy. In International Conference on Machine Learning, pages 1046–1056. PMLR, 2022.
Beimel et al. [2008] A. Beimel, K. Nissim, and E. Omri. Distributed private data analysis: Simultaneously solving how and what. In Advances in Cryptology–CRYPTO 2008: 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008. Proceedings 28, pages 451–468. Springer, 2008.
Beimel et al. [2013] A. Beimel, K. Nissim, and U. Stemmer. Private learning and sanitization: Pure vs. approximate differential privacy. In International Workshop on Approximation Algorithms for Combinatorial Optimization, pages 363–378. Springer, 2013.
Biswas et al. [2020] S. Biswas, Y. Dong, G. Kamath, and J. Ullman. Coinpress: Practical private mean and covariance estimation. Advances in Neural Information Processing Systems, 33:14475–14485, 2020.
Chan et al. [2012] T.-H. H. Chan, E. Shi, and D. Song. Optimal lower bound for differentially private multi-party aggregation. In Proceedings of the 20th Annual European Conference on Algorithms, ESA’12, page 277–288. Springer-Verlag, 2012. ISBN 9783642330896.
Chatzikokolakis et al. [2013] K. Chatzikokolakis, M. E. Andrés, N. E. Bordenabe, and C. Palamidessi. Broadening the scope of differential privacy using metrics. In Privacy Enhancing Technologies: 13th International Symposium, PETS 2013, Bloomington, IN, USA, July 10-12, 2013. Proceedings 13, pages 82–102. Springer, 2013.
Chaudhuri and Hsu [2011] K. Chaudhuri and D. Hsu. Sample complexity bounds for differentially private learning. In Proceedings of the 24th Annual Conference on Learning Theory, pages 155–186. JMLR Workshop and Conference Proceedings, 2011.
Desfontaines [2020] D. Desfontaines. A list of real-world uses of differential privacy. https://desfontain.es/blog/real-world-differential-privacy.html, 2020. Accessed: 2024-05-22.
Differential Privacy Team, Apple [2017] Differential Privacy Team, Apple. Learning with privacy at scale. https://machinelearning.apple.com/research/learning-with-privacy-at-scale, 2017. Accessed: 2024-05-22.
Ding et al. [2017] B. Ding, J. Kulkarni, and S. Yekhanin. Collecting telemetry data privately. Advances in Neural Information Processing Systems, 30, 2017.
Duchi et al. [2013a] J. C. Duchi, M. I. Jordan, and M. J. Wainwright. Local privacy, data processing inequalities, and statistical minimax rates. arXiv preprint arXiv:1302.3203, 2013a.
Duchi et al. [2013b] J. C. Duchi, M. I. Jordan, and M. J. Wainwright. Local privacy and statistical minimax rates. In 2013 IEEE 54th Annual Symposium on Foundations of Computer Science, pages 429–438. IEEE, 2013b.
Dwork et al. [2006] C. Dwork, F. McSherry, K. Nissim, and A. Smith. Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography: Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006. Proceedings 3, pages 265–284. Springer, 2006.
Dwork et al. [2014] C. Dwork, A. Roth, et al. The algorithmic foundations of differential privacy. Foundations and Trends® in Theoretical Computer Science, 9(3–4):211–407, 2014.
Erlingsson et al. [2014] Ú. Erlingsson, V. Pihur, and A. Korolova. Rappor: Randomized aggregatable privacy-preserving ordinal response. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1054–1067, 2014.
Evfimievski et al. [2003] A. Evfimievski, J. Gehrke, and R. Srikant. Limiting privacy breaches in privacy preserving data mining. In Proceedings of the Twenty-second ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, pages 211–222, 2003.
Feldman and Talwar [2021] V. Feldman and K. Talwar. Lossless compression of efficient private local randomizers. In International Conference on Machine Learning, pages 3208–3219. PMLR, 2021.
Ghazi et al. [2021] B. Ghazi, N. Golowich, R. Kumar, P. Manurangsi, and C. Zhang. Deep learning with label differential privacy. Advances in Neural Information Processing Systems, 34:27131–27145, 2021.
Ghazi et al. [2022] B. Ghazi, R. Kumar, P. Manurangsi, and T. Steinke. Algorithms with more granular differential privacy guarantees. arXiv preprint arXiv:2209.04053, 2022.
He et al. [2014] X. He, A. Machanavajjhala, and B. Ding. Blowfish privacy: tuning privacy-utility trade-offs using policies. In Proceedings of the 2014 ACM SIGMOD International Conference on Management of Data, SIGMOD ’14, page 1447–1458. Association for Computing Machinery, 2014. ISBN 9781450323765.
Imola et al. [2022] J. Imola, S. Kasiviswanathan, S. White, A. Aggarwal, and N. Teissier. Balancing utility and scalability in metric differential privacy. In Uncertainty in Artificial Intelligence, pages 885–894. PMLR, 2022.
Kairouz et al. [2015] P. Kairouz, S. Oh, and P. Viswanath. The composition theorem for differential privacy. In F. Bach and D. Blei, editors, Proceedings of the 32nd International Conference on Machine Learning, volume 37 of Proceedings of Machine Learning Research, pages 1376–1385, Lille, France, 07–09 Jul 2015. PMLR.
Karwa and Vadhan [2017] V. Karwa and S. Vadhan. Finite sample differentially private confidence intervals. arXiv preprint arXiv:1711.03908, 2017.
Kasiviswanathan and Smith [2014] S. P. Kasiviswanathan and A. Smith. On the ’semantics’ of differential privacy: A Bayesian formulation. Journal of Privacy and Confidentiality, 6(1), 2014.
Kasiviswanathan et al. [2011] S. P. Kasiviswanathan, H. K. Lee, K. Nissim, S. Raskhodnikova, and A. Smith. What can we learn privately? SIAM Journal on Computing, 40(3):793–826, 2011.
Kenthapadi et al. [2013] K. Kenthapadi, A. Korolova, I. Mironov, and N. Mishra. Privacy via the johnson-lindenstrauss transform. Journal of Privacy and Confidentiality, 5(1), Aug. 2013. doi: 10.29012/jpc.v5i1.625.
Kifer and Machanavajjhala [2011] D. Kifer and A. Machanavajjhala. No free lunch in data privacy. In Proceedings of the 2011 ACM SIGMOD International Conference on Management of data, pages 193–204, 2011.
Kifer and Machanavajjhala [2014] D. Kifer and A. Machanavajjhala. Pufferfish: A framework for mathematical privacy definitions. ACM Transactions on Database Systems (TODS), 39(1):1–36, 2014.
Kifer et al. [2012] D. Kifer, A. Smith, and A. Thakurta. Private convex empirical risk minimization and high-dimensional regression. In S. Mannor, N. Srebro, and R. C. Williamson, editors, Proceedings of the 25th Annual Conference on Learning Theory, volume 23 of Proceedings of Machine Learning Research, pages 25.1–25.40, Edinburgh, Scotland, 25–27 Jun 2012. PMLR. URL https://proceedings.mlr.press/v23/kifer12.html.
Mahloujifar et al. [2023] S. Mahloujifar, C. Guo, G. E. Suh, and K. Chaudhuri. Machine learning with feature differential privacy. In Federated Learning and Analytics in Practice: Algorithms, Systems, Applications, and Opportunities, 2023.
Thakurta et al. [2017] A. G. Thakurta, A. H. Vyrros, U. S. Vaishampayan, G. Kapoor, J. Freudiger, V. R. Sridhar, and D. Davidson. Learning new words, 2017.
Triastcyn and Faltings [2020] A. Triastcyn and B. Faltings. Bayesian differential privacy for machine learning. In International Conference on Machine Learning, pages 9583–9592. PMLR, 2020.
Tropp [2016] J. A. Tropp. The expected norm of a sum of independent random matrices: An elementary approach. In High Dimensional Probability VII: The Cargese Volume, pages 173–202. Springer, 2016.
Vadhan [2017] S. Vadhan. The complexity of differential privacy. Tutorials on the Foundations of Cryptography: Dedicated to Oded Goldreich, pages 347–450, 2017.
Vu and Slavkovic [2009] D. Vu and A. Slavkovic. Differential privacy for clinical trial data: Preliminary evaluations. In 2009 IEEE International Conference on Data Mining Workshops, pages 138–143, 2009. doi: 10.1109/ICDMW.2009.52.
Wang and Xu [2019] D. Wang and J. Xu. On sparse linear regression in the local differential privacy model. In International Conference on Machine Learning, pages 6628–6637. PMLR, 2019.
Warner [1965] S. L. Warner. Randomized response: A survey technique for eliminating evasive answer bias. Journal of the American Statistical Association, 60(309):63–69, 1965.
Wasserman and Zhou [2010] L. Wasserman and S. Zhou. A statistical framework for differential privacy. Journal of the American Statistical Association, 105(489):375–389, 2010.
Xiao and Devadas [2023] H. Xiao and S. Devadas. Pac privacy: Automatic privacy measurement and control of data processing. In Annual International Cryptology Conference, pages 611–644. Springer, 2023.
Xiong et al. [2020] X. Xiong, S. Liu, D. Li, Z. Cai, and X. Niu. A comprehensive survey on local differential privacy. Security and Communication Networks, 2020:1–29, 2020.
Yang et al. [2023] M. Yang, T. Guo, T. Zhu, I. Tjuawinata, J. Zhao, and K.-Y. Lam. Local differential privacy and its applications: A comprehensive survey. Computer Standards & Interfaces, page 103827, 2023.
Zheng et al. [2017] K. Zheng, W. Mou, and L. Wang. Collect at once, use effectively: Making non-interactive locally private learning possible. In International Conference on Machine Learning, pages 4130–4139. PMLR, 2017.

Appendix A Proofs for Section 2 and Section 3

A.1 Proof of Proposition 1

See 1

Proof.

(A) Forward direction:

For any $R\in\cF_{\cY}$ and $S,S^{\prime}\in\cF_{\cX}^{+}$ , we have

$\displaystyle\mu_{\vecx}(R)$	$\displaystyle\leq e^{\varepsilon}\mu_{\vecx^{\prime}}(R)$	(23)
$\displaystyle\implies\int_{\vecx\in S}\mu_{\vecx}(R)d\pi(\vecx)$	$\displaystyle\leq e^{\varepsilon}\int_{\vecx\in S}\mu_{\vecx^{\prime}}(R)d\pi(\vecx)$	(24)
$\displaystyle\implies P\{M(\vecx)\in R,\vecx\in S\}$	$\displaystyle\leq e^{\varepsilon}\pi(S)\mu_{\vecx^{\prime}}(R),$	(25)
$\displaystyle\implies P\{M(\vecx)\in R\|\vecx\in S\}$	$\displaystyle\leq e^{\varepsilon}\mu_{\vecx^{\prime}}(R).$	(26)

Similarly integrate again $\int_{\vecx^{\prime}\in S^{\prime}}\cdot d\pi(\vecx^{\prime})$ to get the desired result.

(B) Converse:

Fix $R\in\cF_{\cY}$ and let

	$\displaystyle U(R)$	$\displaystyle=\mathsf{ess\ sup}_{\vecx\in\cX}\mu_{\vecx}(R),$		(27)
	$\displaystyle L(R)$	$\displaystyle=\mathsf{ess\ inf}_{\vecx\in\cX}\mu_{\vecx}(R),$		(28)

where the essential supremum and infimum are with respect to $(\cX,\cF_{\cX},\pi)$ . Fix any $\delta>0$ and define

S=\{\vecx\in\cX:\mu_{\vecx}(R)>U(R)-\delta\},\ S^{\prime}=\{\vecx\in\cX:\mu_{\vecx}(R)<L(R)+\delta\}.

(29)

By definition of essential supremum and infimum and using the fact that $\mu$ is a Markov kernel, $S,S^{\prime}\in\cF_{\cX}^{+}$ .

Using the $\varepsilon$ -BDP condition, we can obtain

$\displaystyle U(R)-\delta$	$\displaystyle\leq\frac{1}{\pi(S)}\int_{\vecx\in S}\mu_{\vecx}(R)d\pi(\vecx)$	(30)
	$\displaystyle\leq\frac{e^{\varepsilon}}{\pi(S^{\prime})}\int_{\vecx\in S^{\prime}}\mu_{\vecx}(R)d\pi(\vecx)$	(31)
	$\displaystyle\leq e^{\varepsilon}(L(R)+\delta).$	(32)

Since $\delta>0$ is arbitrary, we get $U(R)\leq e^{\varepsilon}L(R)$ $\forall R\in\cF_{\cY}$ .

Now, for $R$ , define

E(R):=\{\vecx\in\cX:\mu_{\vecx}(R)\notin[L(R),U(R)]\},

(33)

and note that $\pi(E(R))=0$ by definition of essential supremum and infimum and using the fact that $\mu$ is a Markov kernel.

We shall now modify $M$ on a judiciously chosen $\pi$ -null set to obtain an $\varepsilon$ -LDP mechanism $M^{\prime}$ . Since $\cY$ is second countable as it is a Polish space, there exists a countable collection of open sets $\cV=\{V_{i}\}_{i\geq 1}\subset\cF_{\cY}$ such that every open set $R\in\cF_{\cY}$ can be written as a disjoint union of some countable subset of $\cV$ .

Define $E=\cup_{i\geq 1}E(V_{i})$ and note that $\pi(E)=0$ by countable sub-additivity. Fix any $\bar{\vecx}\in E^{c}$ and define the modification $M^{\prime}$ of $M$ via

M^{\prime}(\vecx)=\begin{cases}M(\bar{\vecx})&\text{if }\vecx\in E\\ M(\vecx)&\text{otherwise.}\end{cases}

(34)

Equivalently, $M^{\prime}$ is represented by the Markov kernel $\mu^{\prime}:\cX\times\cF_{\cY}\to[0,1]$ defined by

\mu^{\prime}_{\vecx}(R)=\begin{cases}\mu_{\bar{\vecx}}(R)&\text{if }\vecx\in E\\ \mu_{\vecx}(R)&\text{otherwise.}\end{cases}

(35)

Since $\pi(E)=0$ , it is easy to see that $P\{M(\vecx)=M^{\prime}(\vecx)\}=1$ . By construction, since $E=\cup_{i\geq 1}E(V_{i})$ ,

\mu^{\prime}_{\vecx}(V_{i})\leq U(V_{i})\leq e^{\varepsilon}L(V_{i})\leq e^{\varepsilon}\mu^{\prime}_{\vecx^{\prime}}(V_{i})\,\,\forall\vecx,\vecx^{\prime}\in\cX,V_{i}\in\cV.

(36)

By second countability, and $\sigma$ -additivity, we conclude,

\mu^{\prime}_{\vecx}(R)\leq e^{\varepsilon}\mu^{\prime}_{\vecx^{\prime}}(R)\,\,\forall\vecx,\vecx^{\prime}\in\cX,\forall\text{open }R\in\cF_{\cY}.

(37)

Every second countable space is Radon, so by outer regularity of both measures $\mu_{\vecx}$ and $\mu^{\prime}_{\vecx}$ , we finally obtain

\mu^{\prime}_{\vecx}(R)\leq e^{\varepsilon}\mu^{\prime}_{\vecx^{\prime}}(R)\,\,\forall\vecx,\vecx^{\prime}\in\cX,\forall R\in\cF_{\cY}.

(38)

Hence, $M^{\prime}$ is $\varepsilon$ -LDP as desired. ∎

A.2 Proof of Theorem 1

See 1

Proof.

By definition $\alpha(R_{i},M,S_{i},S_{i}^{\prime})=P\{M(\vecx)\in R_{i}|\vecx\in S_{i}\}$ and

\displaystyle P\{M(\vecx)\in T_{i}|x_{i}\in S_{i}\}

\displaystyle\leq e^{\delta_{i}}P\{M(\vecx)\in T_{i}|x_{i}\in S_{i}^{\prime}\}\ \forall S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+},T_{i}\in\cF_{\cY}

(39)

Setting $T_{i}=R_{i}^{C}$ , get $\alpha(R_{i},M,S_{i},S_{i}^{\prime})+e^{\delta_{i}}\beta(R_{i},M,S_{i},S_{i}^{\prime})\geq 1$ . One can also switch $S_{i},S_{i}^{\prime}$ above and set $T_{i}=R_{i}$ to get $e^{\delta_{i}}\alpha(R_{i},M,S_{i},S_{i}^{\prime})+\beta(R_{i},M,S_{i},S_{i}^{\prime})\geq 1$ .

The converse is straightforward as well.

	$\displaystyle e^{\delta_{i}}\alpha(R_{i},M,S_{i},S_{i}^{\prime})+\beta(R_{i},M,S_{i},S_{i}^{\prime})\geq 1\$	$\displaystyle\forall S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+},R_{i}\in\cF_{\cY}$		(40)
	$\displaystyle\Leftrightarrow P\{M(\vecx)\in R_{i}\|x_{i}\in S_{i}^{\prime}\}\leq e^{\delta_{i}}P\{M(\vecx)\in R_{i}\|x_{i}\in S_{i}\}\$	$\displaystyle\forall S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+},R_{i}\in\cF_{\cY}.$		(41)

∎

A.3 Proof of Proposition 3

See 3

Proof.

By Proposition 1, an $\varepsilon$ -DP algorithm is $\varepsilon$ -BDP as well. Recall $P\{M(\vecx)\in R|\vecx\in S\}=\frac{P(S\times R)}{\pi(S)}.$ Thus, $\varepsilon$ -BDP guarntee ensures that $\forall S,S^{\prime}\in\cF_{\cX}^{+}$ ,

\frac{P(S\times R)}{\pi(S)}\leq e^{\varepsilon}\frac{P(S^{\prime}\times R)}{\pi(S^{\prime})}.

Restricting to the sets of form $S=S_{i}\times\cX_{-i}$ and $S^{\prime}=S_{i}^{\prime}\times\cX_{-i}$ for $S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+}$ above yields the desired BCDP result.

∎

A.4 Proof of Proposition 4

See 4

Proof.

Consider the sets $R\in\cF_{\cY}$ such that $P\{M(\vecx)\in R\}=0$ , then for $S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+}$ , we have $P\{M(\vecx)\in R|x_{i}\in S_{i}\}=P\{M(\vecx)\in R|x_{i}\in S_{i}^{\prime}\}=0$ . Thus, to bound the $\bm{\delta}$ in $\bm{\delta}$ -BCDP guarantee, we can restrict to $R$ in the set $\cF_{\cY}^{+}:=\{R\in\cF_{\cY}|P\{M(\vecx)\in R\}>0\}$ .

For $S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+}$ , $R\in\cF_{\cY}^{+}$ ,

\displaystyle\frac{P\{M(\vecx)\in R|x_{i}\in S_{i}\}}{P\{M(\vecx)\in R|x_{i}\in S_{i}^{\prime}\}}

\displaystyle=\frac{P\{M(\vecx)\in R,x_{i}\in S_{i}\}}{\pi\{x_{i}\in S_{i}\}}\frac{\pi\{x_{i}\in S_{i}^{\prime}\}}{P\{M(\vecx)\in R,x_{i}\in S_{i}^{\prime}\}}.

(42)

For the set $R$ under consideration, define

	$\displaystyle l(\vecx_{-i})$	$\displaystyle=\inf_{x_{i}\in\cX_{i}}\mu_{x_{i},\vecx_{-i}}(R),$		(43)
	$\displaystyle u(\vecx_{-i})$	$\displaystyle=\sup_{x_{i}\in\cX_{i}}\mu_{x_{i},\vecx_{-i}}(R).$		(44)

By CDP property, we have $u(\vecx_{-i})\leq e^{c_{i}}l(\vecx_{-i})$ . Now note that

$\displaystyle\frac{P\{M(\vecx)\in R,x_{i}\in S_{i}\}}{\pi\{x_{i}\in S_{i}\}}$	$\displaystyle=\frac{1}{\pi\{x_{i}\in S_{i}\}}\int_{\vecx_{-i}\in\cX_{-i},x_{i}\in S_{i}}\mu_{x_{i},\vecx_{-i}}(R)d\pi(x_{i},\vecx_{-i})$	(45)
	$\displaystyle\leq\frac{1}{\pi\{x_{i}\in S_{i}\}}\int_{\vecx_{-i}\in\cX_{-i},x_{i}\in S_{i}}u(\vecx_{-i})d\pi(x_{i},\vecx_{-i})$	(46)
	$\displaystyle=\int_{\vecx_{-i}\in\cX_{-i}}u(\vecx_{-i})d\pi_{\vecx_{-i}\|x_{i}\in S_{i}}(\vecx_{-i}).$	(47)

Similarly, we have

\frac{P\{M(\vecx)\in R,x_{i}\in S_{i}^{\prime}\}}{P\{x_{i}\in S_{i}^{\prime}\}}\geq\int_{\vecx_{-i}\in\cX_{-i}}l(\vecx_{-i})d\pi_{\vecx_{-i}|x_{i}\in S_{i}^{\prime}}(\vecx_{-i}).

(48)

∎

Using (47) and (48) in (42), we obtain

$\displaystyle\frac{P\{M(\vecx)\in R\|x_{i}\in S_{i}\}}{P\{M(\vecx)\in R\|x_{i}\in S_{i}^{\prime}\}}$	$\displaystyle\leq\frac{\int_{\vecx_{-i}\in\cX_{-i}}u(\vecx_{-i})d\pi_{\vecx_{-i}\|x_{i}\in S_{i}}(\vecx_{-i})}{\int_{\vecx_{-i}\in\cX_{-i}}l(\vecx_{-i})d\pi_{\vecx_{-i}\|x_{i}\in S_{i}^{\prime}}(\vecx_{-i})}$	(49)
	$\displaystyle\leq e^{c_{i}}\frac{\int_{\vecx_{-i}\in\cX_{-i}}l(\vecx_{-i})d\pi_{\vecx_{-i}\|x_{i}\in S_{i}}(\vecx_{-i})}{\int_{\vecx_{-i}\in\cX_{-i}}l(\vecx_{-i})d\pi_{\vecx_{-i}\|x_{i}\in S_{i}^{\prime}}(\vecx_{-i})}$	(50)
	$\displaystyle\leq e^{c_{i}}\left(1+\mathsf{TV}(\pi_{\vecx_{-i}\|x_{i}\in S_{i}},\pi_{\vecx_{-i}\|X_{i}\in S_{i}^{\prime}})\frac{\max_{\vecx_{-i}}l(\vecx_{-i})-\min_{\vecx_{-i}}l(\vecx_{-i})}{\min_{\vecx_{-i}}l(\vecx_{-i})}\right)$	(51)
	$\displaystyle\leq e^{c_{i}}\left(1+\mathsf{TV}(\pi_{\vecx_{-i}\|x_{i}\in S_{i}},\pi_{\vecx_{-i}\|x_{i}\in S_{i}^{\prime}})(e^{\sum_{j\neq i}c_{j}}-1)\right),$	(52)

where we used $\frac{\max_{\vecx_{-i}}l(\vecx_{-i})}{\min_{\vecx_{-i}}l(\vecx_{-i})}\leq e^{\sum_{j\neq i}c_{j}}$ by CDP property.

The $\sum_{i}c_{i}$ -LDP property follows by straightforward composition.

Finally, notice that, in case that we know the mechanism is $\varepsilon$ -LDP, we can bound $\frac{\max_{\vecx_{-i}}l(\vecx_{-i})}{\min_{\vecx_{-i}}l(\vecx_{-i})}$ by $e^{\varepsilon}$ . In addition, by Proposition 3, we know $\delta_{i}^{\prime}\leq\varepsilon$ . Thus, we get $\delta_{i}^{\prime}\leq\min\{c_{i}+\log(1+q_{i}e^{\varepsilon}-q_{i}),\varepsilon\}$

A.5 Additional Results for Section 3.4

Proposition 6.

Let

A_{\bm{\delta}}[i,j]=\begin{cases}\frac{1}{\delta_{i}}&i=j,\\ \frac{1}{\log\left(1+\frac{e^{\delta_{i}}-1}{q_{i}}\right)}&\text{else}.\end{cases}

(53)

Then, the condition $A_{\bm{\delta}}\vecc\leq\bm{1}$ implies $\delta_{i}\geq c_{i}+\log(1+q_{i}e^{\sum_{j\neq i}c_{j}}-q_{i})$ for all $i\in[d]$ .

Proof.

Without loss of generality, we establish the proof for $i=1$ . For a given value of $c_{1}$ , we have the constraint that

\sum_{j=2}^{d}c_{j}\leq\log\left(1+\frac{e^{\delta_{1}-c_{1}}-1}{q_{1}}\right).

(54)

Note that $g(x)=\log\left(1+\frac{e^{\delta_{1}-x}-1}{q_{1}}\right)$ is concave and $g(0)=\log\left(1+\frac{e^{\delta_{1}}-1}{q_{1}}\right)$ and $g(\delta_{1})=0$ . Thus, $g(x)\geq\left(1-\frac{x}{\delta_{1}}\right)\log\left(1+\frac{e^{\delta_{1}}-1}{q_{1}}\right)$ . Therefore, we can ensure (54) by imposing

\sum_{j=2}^{d}c_{j}\leq\left(1-\frac{c_{1}}{\delta_{1}}\right)\log\left(1+\frac{e^{\delta_{1}}-1}{q_{1}}\right).

(55)

∎

A.6 Proof of Proposition 5

See 5

Proof.

Let the $\sigma$ -field on $\cZ$ be denoted by $\cF_{\cZ}$ . For $T\in\cF_{\cZ},Y(T):=\{y\in\cY|K(y)\in T\}\in\cF_{\cY}$ since $K$ is a measurable function. Thus, we have the following for any $i\in[d],T\in\cF_{\cZ}$ and $S_{i},S_{i}^{\prime}\in\cF_{\cX_{i}}^{+}$ by BCDP guarantees on $M$

$\displaystyle P\{K(M(\vecx))\in T\|x_{i}\in S_{i}\}$	$\displaystyle=P\{M(\vecx)\in Y(T)\|x_{i}\in S_{i}\}$	(56)
	$\displaystyle\leq e^{\delta_{i}}P\{M(\vecx)\in Y(T)\|x_{i}\in S_{i}^{\prime}\}$	(57)
	$\displaystyle=e^{\delta_{i}}P\{K(M(\vecx))\in T\|x_{i}\in S_{i}^{\prime}\}.$	(58)

∎

Appendix B Private Mean Estimation

B.1 Numerical Experiment

Refer to caption — Figure 3: MSE as $q$ is varied keeping $\bm{\delta}$ and $\varepsilon$ constant for $M_{\mathsf{mean}}$ and $\min\bm{\delta}$ -LDP.

Here, we provide a simple numerical experiment to validate the performance of our proposed algorithm. For baseline comparison, we consider the $M_{\mathsf{LDP}}$ privacy mechanism from Duchi et al. [2013b] with privacy parameter $\min\bm{\delta}$ . For our proposed privacy mechanism $M_{\mathsf{mean}}$ , we have a degree of freedom in choosing $\zeta$ . We note that, as $q\to 1$ , we would want $\zeta\to 1$ since in this case, the best algorithm is to do $\min\bm{\delta}$ -LDP. As $q\to 0$ , we would want $c_{i}=\tilde{\delta}_{i}$ as CDP is ideal in this case. Thus, we settle with a heuristic choice $\zeta=(1+q)/2$ .

We first construct a distribution for which 1 holds. We consider the distribution where

	$\displaystyle Z$	$\displaystyle\sim\mathsf{Bern}\left(\frac{1}{2}\right),$		(59)
	$\displaystyle(x_{1},\ldots,x_{d})$	$\displaystyle=\begin{cases}(Z,\ldots,Z)&\text{ w.p. }q\\ \text{i.i.d.}\ \ \mathsf{Bern}\left(\frac{1}{2}\right)&\text{ else.}\end{cases}$		(60)

It is easy to verify that $\mathsf{TV}(\pi_{\vecx_{-i}|x_{i}=1},\pi_{\vecx_{-i}|x_{i}=0})=q\ \ \forall i$ in this setting. We fix $d=10$ , $\bm{\delta}=(0.2,0.2,\varepsilon,\varepsilon,\ldots,\varepsilon)$ , and $\varepsilon=2$ . This coordinate-wise privacy demand captures the impact of requiring more privacy protection for the first two-coordinates on the algorithm’s error.

We vary the correlation $q$ and plot the median MSE values, along with the $25$ -th and $75$ -th quantiles, for our proposed algorithm BCDP and the baseline algorithm in Figure 3. We set $n=10000$ , and sample user data i.i.d. $2\times$ Bern $(\frac{1}{2})-1$ . The experiment is run over 1000 trials.

When $q\approx 1$ , there is a high degree of correlation between the coordinates and our algorithm resembles $\min\bm{\delta}$ -LDP. For other values of $q$ , the proposed BCDP algorithm can leverage the heterogeneous nature of the privacy demand and obtain better performance.

B.2 Proofs

See 2

Proof.

Our proof has two main parts that are presented below: proof of privacy guarantee, and proof of the error bounds.

Proof of privacy: Note that we use the channel $M_{\mathsf{LDP}}(.)$ a total of $d$ times with varying size inputs in Mechanism 1. Focusing on any particular data point $\vecx$ , let

\tilde{M}(\vecx):=\left(M_{\mathsf{LDP}}(\vecx_{i:d},c_{i}-c_{i-1},\sqrt{d-i+1})\right)_{i=1}^{d}.

(61)

First, notice that, by composition, $\tilde{M}$ is $c_{d}$ -LDP. Given that $c_{d}\leq\tilde{\delta}_{d}\leq\varepsilon$ , this immediately implies that our algorithm is $\varepsilon$ -LDP. To show the BCDP bound, given Proposition 5, it suffices to show $\tilde{M}$ is $\bm{\delta}$ -BCDP. First, notice that Proposition 3, along with choice of $c_{d}\leq\tilde{\delta}_{d}$ , implies that this algorithm is $\delta_{d}$ -BCDP with respect to coordinate $d$ . In fact, for any $i$ for which $c_{d}\leq\tilde{\delta}_{i}$ , a similar argument implies that $\tilde{M}$ is $\tilde{\delta}_{i}$ -BCDP with respect to coordinate $i$ . Hence, we could only focus on other coordinates $i<d$ for which $c_{d}>\tilde{\delta}_{i}$ .

Next, we claim that $\tilde{M}(\vecx)$ is $\vecc$ -CDP. To see this, notice that, by perturbing the $k$ -th coordinate of $\vecx$ , the terms affected in $\tilde{M}(\vecx)$ are $M_{\mathsf{LDP}}(\vecx_{i:d},c_{i}-c_{i-1},\sqrt{d-i+1})$ for $i\leq k$ ; in Figure 2, this corresponds to the bottom $i$ rows of the $Y$ (s), i.e., $\{Y^{k}\}_{k\in[i]}$ . Thus, it suffices to show

\tilde{M}_{k}(\vecx):=\left(M_{\mathsf{LDP}}(\vecx_{i:d},c_{i}-c_{i-1},\sqrt{d-i+1})\right)_{i=1}^{k}

(62)

is $c_{k}$ -CDP with respect to coordinate $k$ . However, this immediately follows as $\tilde{M}_{k}$ is $c_{k}$ -LDP, implying it is also $c_{k}$ -CDP with respect to the $k$ -th coordinate.

As a result, by the second part of Proposition 4, and given that $\tilde{M}$ is $c_{d}$ -LDP and 1 holds, we obtain that $\tilde{M}$ is $c_{i}+\log(1+qe^{c_{d}}-q)$ -BCDP with respect to coordinate $i$ . It remains to show that $c_{i}+\log(1+qe^{c_{d}}-q)\leq\delta_{i}$ for any $i<d$ . This also follows from the choice of $c_{i}$ for $i<d$ and $c_{d}>\tilde{\delta}_{i}$ , which are the conditions we are operating under. It is worth noting that the condition

c_{d}\leq\log(\frac{e^{\zeta\tilde{\delta}_{1}}+q-1}{q})

(63)

guarantees that the chosen $c_{i}$ ’s are nonnegative, given $\zeta\in(0,1)$ .

Proof of the mean-squared error bound:

Duchi et al. [2013a] show that the channel $M_{\mathsf{LDP}}(\cdot)$ ’s output is unbiased and it holds that for any $\vecx\in[-1,1]^{d}$ , we have

\bbE[\|M_{\mathsf{LDP}}(\vecx,\varepsilon,d)-\vecx\|^{2}_{2}|\vecx]\leq\cO(d)\left(\frac{d}{\varepsilon^{2}}\wedge 1\right).

(64)

Note that, due to the symmetry of Algorithm 2, the error is identically distributed across each coordinate in expectation. Hence, for any vector $\vecx$ and any $k\leq i$ , the random variable $Y^{k}_{i-k+1}$ is an unbiased estimators of $\vecx_{i}$ with its variance bounded by $\mathcal{O}(1)\left(\frac{d-i+1}{(c_{i}-c_{i-1})^{2}}\wedge 1\right)$ .

Note that, the errors from different runs of the algorithm are independent. Therefore, using the Cauchy–Schwarz inequality, we can see that the minimum variance in estimating $\vecx_{i}$ through a linear combination of $Y^{(i,j)}$ is achieved by choosing weights proportional to the inverse of the variances which would result in the following estimator

\frac{\sum_{k=1}^{i}Y_{i+1-k}^{k}w_{k}}{\sum_{k=1}^{i}w_{k}}

(65)

with the error rate given by

\mathcal{O}(1)\frac{1}{\sum_{k=1}^{i}\frac{(c_{k}-c_{k-1})^{2}}{d-k+1}}\wedge 1.

(66)

Also, note that, the algorithm’s runs over different users are independent. Therefore, taking average of $M_{\mathsf{mean}}(\vecx^{(j)},\vecc)$ over $j$ , i.e., different users’ data, gives us an estimator of

\frac{1}{n}\sum_{j=1}^{n}\vecx^{(j)}_{i}

(67)

with the error rate

\mathcal{O}(1)\frac{1}{n}\cdot\frac{1}{\sum_{k=1}^{i}\frac{(c_{k}-c_{k-1})^{2}}{d-k+1}}\wedge 1.

(68)

Summing this over the coordinates gives us the following upper bound:

\mathcal{O}(1)\frac{1}{n}\sum_{i=1}^{d}\frac{1}{\sum_{k=1}^{i}\frac{(c_{k}-c_{k-1})^{2}}{d-k+1}}\wedge d.

(69)

∎

See 1

Proof.

For convenience, we set $\zeta=0.5$ . We do not focus on refining the constants in the Mean-Squared Error (MSE) bound with a potentially better choice of $\zeta$ . Now consider two cases for the correlation bound $q$

$q\in[0,\frac{e^{\delta/2}-1}{e^{\varepsilon}-1}]$ : in this case, we have $c_{k+1}=c_{k+2}=\ldots=c_{d}=\varepsilon$ and $c_{1}=c_{2}=\ldots=c_{k}=\delta-\log(1+qe^{\varepsilon}-q)$ . Using the range of $q$ , we get $\delta-\log(1+qe^{\varepsilon}-q)\in[\delta/2,\delta]$ . Thus, replacing the $c_{1}$ to $c_{k}$ values by the worst-case of $\delta/2$ we get an error of

\mathsf{MSE}\lesssim\frac{d}{n}\left(\frac{k}{\delta^{2}}+\frac{d-k}{\delta^{2}+\frac{d}{d-k}(\varepsilon-\delta/2)^{2}}\right)\wedge d

(70)

Using $\varepsilon\geq 2\delta$ , we get

\mathsf{MSE}\lesssim\left(\frac{dk}{n\delta^{2}}+\frac{(d-k)^{2}}{n\varepsilon^{2}}\right)\wedge d

(71)

$q\in(\frac{e^{\delta/2}-1}{e^{\varepsilon}-1},1]$ : in this case we have $c_{k+1}=\ldots=c_{d}=\log\frac{e^{\delta/2}+q-1}{q}$ and $c_{1}=\ldots=c_{k}=\delta-\log(1+qe^{c_{d}}-q)=\delta/2$ . Thus, we get an error of

\mathsf{MSE}\lesssim\left(\frac{dk}{n\delta^{2}}+\frac{(d-k)d}{n\left(\delta^{2}+\frac{d}{d-k}(c_{d}-\delta/2)^{2}\right)}\right)\wedge d

(72)

∎

Appendix C Least-Squares Regression

C.1 Proof of Theorem 3

See 3

Proof.

Proof of privacy: The proof of the privacy guarantee follows a similar structure to the proof of Theorem 2. Note that while composition does not hold for BCDP, it does hold for LDP and CDP. This is why we divide $\vecc$ by two, rather than dividing $\bm{\delta}$ by two. Additionally, since the OPT algorithm only observes the private copies of the data, by the post processing inequality, it does not matter how the algorithm finds the minimizer (e.g., how many passes it makes over each private data point), as the privacy guarantee remains unchanged.

Proof of error rate: Without loss of generality, we can ignore the constant term in $f(\cdot)$ that does not depend on $\bm{\theta}$ , and hence, with a slight abuse of notation, we can rewrite $f(\cdot)$ as

{f}(\bm{\theta}):=\frac{1}{2n}\sum_{i=1}^{n}\left(\bm{\theta}^{\top}\bm{{z}}^{(i)}\bm{{z}}^{{(i)}^{\top}}\bm{\theta}-2\bm{\theta}^{\top}{l}^{(i)}\bm{{z}}^{(i)}\right).

(73)

Also, recall that $\hat{f}(\cdot)$ is given by

\hat{f}(\bm{\theta}):=\frac{1}{2n}\sum_{i=1}^{n}\left(\bm{\theta}^{\top}\bm{\hat{z}}^{(i,1)}\bm{\hat{z}}^{{(i,2)}^{\top}}\bm{\theta}-2\bm{\theta}^{\top}\hat{l}^{(i,1)}\bm{\hat{z}}^{(i,2)}\right).

(74)

Denote the minimizer of $\hat{f}(\bm{\theta})$ over $\Theta$ by $\bm{\theta}^{*}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})$ . Also, we denote the output of Algorithm 3 by $\bm{\hat{\theta}}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})$ . Finally, recall that $\bm{\theta}^{*}$ denotes the minimizer of function $f$ .

For convenience and brevity, we drop the conditioning on $\vecx^{(1)},\ldots,\vecx^{(n)}$ from the notation, but all expectations henceforth are conditioned on $\vecx^{(1)},\ldots,\vecx^{(n)}$ .

Next, note that

By the definition of OPT, we have

\hat{f}\left(\bm{\hat{\theta}}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})\right)-\hat{f}\left(\bm{\theta}^{*}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})\right)\leq\frac{1}{n}.

(75)

By the definition of $\bm{\theta}^{*}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})$ , we have

\hat{f}\left(\bm{\theta}^{*}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})\right)-\hat{f}(\bm{\theta}^{*})\leq 0.

(76)

3.

Given the construction of $\hat{f}$ , it is an unbiased estimator of $f$ for any fixed $\bm{\theta}$ . Hence, we have

$\mathbb{E}[\hat{f}(\bm{\theta}^{*})-f(\bm{\theta}^{*})]=0.$ (77)

Summing all the three, given us

\mathbb{E}\left[\hat{f}\left(\bm{\hat{\theta}}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})\right)-f(\bm{\theta}^{*})\right]\leq\frac{1}{n}.

(78)

However, we need to bound

\mathbb{E}\left[{f}\left(\bm{\hat{\theta}}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})\right)-f(\bm{\theta}^{*})\right].

(79)

Therefore, it suffices to bound

\mathbb{E}\left[{f}\left(\bm{\hat{\theta}}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})\right)-\hat{f}\left(\bm{\hat{\theta}}(\{\bm{\hat{x}}^{(i,1)},\bm{\hat{x}}^{(i,2)}\}_{i=1}^{n})\right)\right].

(80)

Observe that this term is upper bounded by

\mathbb{E}\left[\sup_{\bm{\theta}}(f(\bm{\theta})-\hat{f}(\bm{\theta}))\right].

(81)

Note that (81) is upper bounded by

\sup_{\bm{\theta}\in\Theta}\|\theta\|^{2}\mathbb{E}\left[\left\|\frac{1}{n}\sum_{i=1}^{n}\bm{{z}}^{(i)}\bm{{z}}^{{(i)}^{\top}}-\bm{\hat{z}}^{(i,1)}\bm{\hat{z}}^{{(i,2)}^{\top}}\right\|\right]+\sup_{\bm{\theta}\in\Theta}\|\theta\|\mathbb{E}\left[\left\|\frac{1}{n}\sum_{i=1}^{n}{l}^{(i)}\bm{{z}}^{(i)}-\hat{l}^{(i,1)}\bm{\hat{z}}^{(i,2)}\right\|\right].

(82)

We bound the first term above. The second term can be bounded similarly. To do so, first note that we can decompose $\bm{\hat{z}}^{(i,1)}\bm{\hat{z}}^{{(i,2)}^{\top}}-\bm{{z}}^{(i)}\bm{{z}}^{{(i)}^{\top}}$ as

(\bm{\hat{z}}^{(i,1)}-\bm{{z}}^{(i)})\bm{{z}}^{{(i)}^{\top}}+\bm{{z}}^{(i)}(\bm{\hat{z}}^{(i,2)}-\bm{{z}}^{(i)})^{\top}+(\bm{\hat{z}}^{(i,1)}-\bm{{z}}^{(i)})(\bm{\hat{z}}^{(i,2)}-\bm{{z}}^{(i)})^{\top}.

(83)

Hence, it suffices to bound the expected norm of the average of each term separately, and all of them can be handled similarly. We will focus on the last term in particular, i.e., we will bound

\mathbb{E}\left[\left\|\frac{1}{n}\sum_{i=1}^{n}A^{i}\right\|\right]

(84)

with $A^{i}:=(\bm{\hat{z}}^{(i,1)}-\bm{{z}}^{(i)})(\bm{\hat{z}}^{(i,2)}-\bm{{z}}^{(i)})^{\top}$ . Next, we make the following claim regarding matrices $\{A^{i}\}_{i=1}^{n}$ , proved in Section C.2.

Lemma 1.

Let

r^{2}:=\sup_{\vecx\in[-1,1]^{d}}\mathbb{E}[\|M_{\mathsf{mean}}(\vecx,\vecc/2)-\vecx\|^{2}|\vecx].

(85)

Then, the following two results hold:

	$\displaystyle\\|\sum_{i}\mathbb{E}[A^{i}A^{i^{\top}}]\\|$	$\displaystyle\leq nr^{4},$		(86)
	$\displaystyle\mathbb{E}[\max_{i}\\|A^{i}\\|^{2}]$	$\displaystyle\leq nr^{4}.$		(87)

Let us first show how this lemma completes the proof. Using Theorem 1 in Tropp [2016], Jensen’s inequality, along with this lemma, we can immediately upper bound (84) by

\mathcal{O}(1)\log(d)\frac{r^{2}}{\sqrt{n}}.

(88)

Similarly, the terms $\|(\bm{\hat{z}}^{(i,1)}-\bm{{z}}^{(i)})\bm{{z}}^{{(i)}^{\top}}\|$ and $\|\bm{{z}}^{(i)}(\bm{\hat{z}}^{(i,2)}-\bm{{z}}^{(i)})^{\top}\|$ can be upper bounded by $\cO(\frac{\log(d)rd}{\sqrt{n}})$ using similar steps as proof of Lemma 1.

Recall $r^{2}=\mathcal{O}(1)\sum_{i=1}^{d}\frac{1}{\sum_{k=1}^{i}\frac{(c_{k}-c_{k-1})^{2}}{d-k+1}}$ . Note that we use $M_{\mathsf{mean}}$ without the truncation to $[-1,1]^{d}$ to preserve unbaisedness, and hence, the minimum with $d$ does not appear in $r^{2}$ , unlike Theorem 2. Thus we obtain the bound

\mathbb{E}\left[\sup_{\bm{\theta}}(f(\bm{\theta})-\hat{f}(\bm{\theta}))\right]\lesssim\max_{\bm{\theta}\in\Theta}(\|\bm{\theta}\|^{2}+\|\bm{\theta}\|)\left(\frac{r^{2}\log d}{\sqrt{n}}+\frac{rd\log d}{\sqrt{n}}\right).

(89)

We can also project the estimate $\hat{\theta}$ to the set $\Theta$ to obtain the bound $\max_{\bm{\theta}\in\Theta}(\|\bm{\theta}\|^{2}+\|\bm{\theta}\|)d$ . Taking minimum of the terms, we get Theorem 3.

C.2 Proof of Lemma 1

First, note that

A^{i}A^{i^{\top}}=\|\bm{\hat{z}}^{(i,2)}-\bm{{z}}^{(i)}\|^{2}(\bm{\hat{z}}^{(i,1)}-\bm{{z}}^{(i)})(\bm{\hat{z}}^{(i,1)}-\bm{{z}}^{(i)})^{\top},

(90)

which yields

\|\mathbb{E}[A^{i}A^{i^{\top}}]\|\leq r^{2}\mathbb{E}[\|(\bm{\hat{z}}^{(i,1)}-\bm{{z}}^{(i)})(\bm{\hat{z}}^{(i,1)}-\bm{{z}}^{(i)})^{\top}\|].

(91)

Using the result that $\|uu^{\top}\|=\|u\|^{2}$ for any vector $u$ completes the proof of the first part of the lemma. To prove the second part, note that

\mathbb{E}[\max_{i}\|A^{i}\|^{2}]\leq\mathbb{E}[\sum_{i=1}^{n}\|A^{i}\|^{2}]=\sum_{i=1}^{n}\mathbb{E}[\|A^{i}\|^{2}].

(92)

Using the result that $\|uv^{\top}\|\leq\|u\|\|v\|$ for any two vectors $u$ and $v$ implies

\mathbb{E}[\|A^{i}\|^{2}]\leq\mathbb{E}\left[\|\bm{\hat{z}}^{(i,1)}-\bm{{z}}^{(i)}\|^{2}\|\bm{\hat{z}}^{(i,2)}-\bm{{z}}^{(i)}\|^{2}\right].

(93)

Finally, the conditional independence of $\bm{\hat{z}}^{(i,1)}$ and $\bm{\hat{z}}^{(i,2)}$ given $z^{(i)}$ completes the proof of lemma. ∎

$\displaystyle P\{K(M(\vecx))\in T\|x_{i}\in S_{i}\}$	$\displaystyle=P\{M(\vecx)\in Y(T)\|x_{i}\in S_{i}\}$	(56)
	$\displaystyle\leq e^{\delta_{i}}P\{M(\vecx)\in Y(T)\|x_{i}\in S_{i}^{\prime}\}$	(57)
	$\displaystyle=e^{\delta_{i}}P\{K(M(\vecx))\in T\|x_{i}\in S_{i}^{\prime}\}.$	(58)

Enhancing Feature-Specific Data Protection via Bayesian Coordinate Differential Privacy ††thanks: The authors are listed in alphabetical order.

Abstract

1 Introduction

Our contributions:

Bayesian Feature-Specific Protection:

Related Work:

Organization:

2 Problem Formulation

Local differential privacy

Definition 1 (Local DP (Kasiviswanathan et al., 2011)).

Bayesian differential privacy:

Definition 2 (Bayesian DP).

Proposition 1.

Coordinate differential privacy:

Definition 3 (Coordinate DP).

Our formulation: Bayesian coordinate differential privacy:

Definition 4 (Bayesian Coordinate DP).

3 Properties of BCDP

3.1 BCDP through the Lens of Hypothesis Testing

Proposition 2.

For BCDP:

Theorem 1.

3.2 BCDP can be achieved via LDP

Proposition 3.

3.3 BCDP does not imply LDP

Example 1.

3.4 Achieving BCDP via CDP

Proposition 4.

3.5 Do Composition and Post-Prossesing Hold for BCDP?

Example 2.

Proposition 5.

4 Private Mean Estimation

Problem Setup:

Assumption 1.

Theorem 2.

Corollary 1.

5 Private Least-Squares Regression

Assumption 2.

Theorem 3.

6 Acknowledgements

References

Appendix A Proofs for Section 2 and Section 3

A.1 Proof of Proposition 1

Proof.

A.2 Proof of Theorem 1

Proof.

A.3 Proof of Proposition 3

Proof.

A.4 Proof of Proposition 4

Proof.

A.5 Additional Results for Section 3.4

Proposition 6.

Proof.

A.6 Proof of Proposition 5

Proof.

Appendix B Private Mean Estimation

B.1 Numerical Experiment

B.2 Proofs

Proof.

Proof.

Appendix C Least-Squares Regression

C.1 Proof of Theorem 3

Proof.

Lemma 1.

C.2 Proof of Lemma 1

Enhancing Feature-Specific Data Protection via
Bayesian Coordinate Differential Privacy ^†^†thanks: The authors are listed in alphabetical order.