Privacy Measure: Max-Divergence

Privacy loss parameters (like $ϵ$) represent an upper bound on the divergence between the output distributions on any two neighboring data sets.

There is a measure that corresponds to the kind of divergence used in pure $ϵ$-DP. To find this measure, first recall the definition of pure differential privacy from Chapter 2:

Pure differential privacy

A mechanism $M(·)$ is $ϵ$-differentially private if for all possible neighboring data sets $x$ and $x^{\text{'}}$, and every possible output $y$:

$$Pr[M\left(x\right)=y]\le Pr[M\left(x^{\text{'}}\right)=y]·e^{ϵ}$$

Recall how this definition was reworded to isolate $ϵ$:¹

You can rewrite this definition by substituting the max-divergence.

Max-divergence

The max-divergence between two probability distributions $Y$ and $Y^{\text{'}}$ is:²

$$D_{\infty }(Y,Y^{\text{'}})=\underset{y\in supp\left(Y\right)}{max}ln\left(\frac{Pr[Y=y]}{Pr[Y’=y]}\right)$$

With the max-divergence, the definition of pure differential privacy simplifies:

Pure differential privacy

A mechanism $M$ is $ϵ$-differentially private if:

$$\underset{x\sim x^{\text{'}}}{max}{D}_{\infty }(M\left(x\right),M\left(x^{\text{'}}\right))\le ϵ$$

This representation of pure-differential privacy is appealing because it is directly interpretable: the privacy loss can be no greater than $ϵ$.

In this notation, $M\left(x\right)$ doesn’t refer to the output of the mechanism but rather to a random variable. That is, the divergence is computing the distance between the distributions of the releases, not of the releases themselves.

Metric Versus Divergence Versus Privacy Measure

While metrics and divergences may feel very similar, they differ primarily in that divergences compute the distance between distributions, whereas metrics compute the distance between data sets.

Divergences also don’t satisfy two of the three requirements of metrics:

• Divergences are not symmetric; for any two distributions $A$ and $B$, $D(A,B)$ is not necessarily equal to $D(B,A)$.

• Divergences do not satisfy the triangle inequality; for any three distributions $A$, $B$ and $C$, $D(A,B)+D(B,C)$ may be less than $D(B,C)$.

Therefore, measures are categorically not metrics. You may even wonder how measures could be useful, given that they are not symmetric. It turns out that this is not particularly impactful in differential privacy, because you only care about the bigger of the two divergences (the case of the greatest distinguishability).

The key requirement for a divergence to qualify as a privacy measure is that it must be closed under postprocessing. That is, the divergence must have the property that you cannot postprocess a random variable in a way that will increase the divergence. Many types of divergence in probability theory do not satisfy this requirement, but this is an essential requirement for privacy: an adversary should never be able to process the outputs of a mechanism in a way that reveals more information about the sensitive data.

Now that you have some familiarity with privacy measures, you are ready for the definition of privacy.

Randomized Response

Randomized response was chosen for an introduction to differential privacy in Chapter 2 precisely because the input metric space is so simple as to be somewhat implicit. The input domain just consists of all booleans ($\{\top ,\perp \}$), and the input metric is the discrete distance.

Discrete distance

The discrete distance between two values $x$ and $x^{\text{'}}$ is 0 if $x=x^{\text{'}}$, otherwise 1.

Justified by the prior proof, you can claim that the randomized response mechanism is $(1,ln(p/(1-p)\left)\right)$-private under the discrete distance and pure-DP, because when $d_{\mathrm{Discrete}}(u,v)\le 1$, then $D_{\infty }(M\left(u\right),M\left(v\right))\le ln(p/(1-p))$.

A common way to generalize the randomized response mechanism is to replace the input domain with some known discrete set, as exemplified in the following code:

import opendp.prelude as dp
from random import random, choice
import math

def make_randomized_response_multi(p: float, support: list):
    """
    :param p: probability of returning true answer
    :param support: all possible outcomes"""
    dp.assert_features("contrib", "floating-point")
    t = len(support)
    
    # CONDITIONS (see exercise 2)
    if t != len(set(support)):
        raise ValueError("elements in support must be distinct")
    if p < 1 / t or p > 1:
        raise ValueError(f"prob must be within [{1 / t}, 1.0]")
    
    def f_randomize_response(arg):
        lie = choice([x for x in support if arg != x])
        return arg if arg in support and random() < p else lie

    c = math.log(p / (1 - p) * (t - 1))

    return dp.m.make_user_measurement(
        input_domain=dp.atom_domain(T=type(support[0])),
        input_metric=dp.discrete_distance(),
        output_measure=dp.max_divergence(T=float),
        function=f_randomize_response,
        privacy_map=lambda b_in: min(max(b_in, 0), 1) * c,
        TO=type(support[0])
    )

You could use this measurement to privately release someone’s multiple-choice answer:

rr_multi = make_randomized_response_multi(p=.4, support=["A", "B", "C", "D"])

print('privately release a response of "B":', rr_multi("B"))
print('privacy expenditure ε:',               rr_multi.map(1))  # ~0.288

The OpenDP Library contains a secure implementation of this mechanism.

It is left as an exercise to demonstrate that this generalization of randomized response is private under the discrete distance and pure DP.

The Vector Laplace Mechanism

Instead of just adapting the scalar-valued Laplace mechanism, as defined in Chapter 2, to the updated definition, this section also generalizes the Laplace to operate over vector aggregates with bounded $L^1$ sensitivity. In this case, the Laplace mechanism is applied to a $k$-dimensional vector $a=[a_1,a_2,...,a_k]$, where $a$ is a data set of aggregates that is typically output by a stable transformation, like a vector-valued sum transformation.

The vector-valued Laplace mechanism can be written in several equivalent ways. Each of these ways returns a sample from the Laplace distribution centered at $a$ with scale $r$:

This mechanism satisfies pure differential privacy, where $b_{out}$ corresponds to $ϵ$, and the privacy measure is the max-divergence:

Observe how the Laplace mechanism complements queries with known $L^1$ sensitivity: the $L^1$ sensitivity even appears directly in the formula. Substituting ${max}_{x\sim x^{\text{'}}}{\parallel y-y^{\text{'}}\parallel }_1=b_{in}$ gives the final bound, which holds for any possible pair of adjacent data sets:

Thus we can say the divergence between output distributions will never be greater than $\frac{b_{in}}{r}$, so the smallest upper bound on divergences $ϵ$ is $\frac{b_{in}}{r}$.

In the overall scheme of relating distances, this function that samples Laplace noise is $(b_{in},b_{out})$-private, where $b_{out}$ is $\frac{b_{in}}{r}$, $b_{in}$ is with respect to the $L^1$ distance, and $b_{out}$ is in terms of $ϵ$ pure-DP.

Many very common queries (like counts, sums, and means) are well-suited for the Laplace mechanism.

Discrete Laplace mechanism (geometric mechanism)

Some statistics are more naturally represented as integers, like the count. The Laplace mechanism has a variation supported on the integers: the discrete Laplace mechanism. The discrete Laplace mechanism has similar arguments as the Laplace mechanism, but its noise is sampled from the discrete Laplace distribution, which is supported on the integers $\mathbb{Z}$:

$$Pr[\mathrm{DLap}(\mu ,r)=y]=\frac{{exp}^{1/r}-1}{{exp}^{1/r}+1}·exp\left(-\frac{|x-\mu |}{r}\right),$$

where $\mu$ is the integer-valued shift, and $r$ is the real-valued positive scale.

Another common name for the mechanism is the geometric mechanism, because the tails follow the geometric distribution, as shown in Figure 4-2.

Figure 4-2. Laplace (Lap) versus geometric (DLap) distributions

An abridged proof is given for the privacy map on the scalar-valued discrete Laplace mechanism:

$$\begin{array}{cc}& \underset{a\sim a^{\text{'}}}{max}{D}_{\infty }(M\left(a\right),M\left(a^{\text{'}}\right))\hfill \\ & =\underset{a\sim a^{\text{'}}}{max}\underset{y\in \mathbb{Z}}{max}ln\left(\frac{Pr\left[\mathrm{DLap}(a,r)=y\right]}{Pr\left[\mathrm{DLap}(a^{\text{'}},r)=y\right]}\right)\hfill & & \text{substitute}{M}_{\infty }\text{and}M(·)\hfill \\ & =\underset{a\sim a^{\text{'}}}{max}\underset{y\in \mathbb{Z}}{max}\frac{|a’-y|-|a-y|}{r}\hfill & & \text{substitute}\text{pdf}\text{and}\text{simplify}\hfill \\ & \le \frac{{max}_{a\sim a^{\text{'}}}|a-a^{\text{'}}|}{r}\hfill & & \text{by}\text{reverse}\text{triangle}\text{inequality}\hfill \\ & =\frac{b_{in}}{r}\hfill & & \text{by}\text{definition}\text{of}\text{absolute}\text{distance}\hfill \end{array}$$

The same can be shown for a vector-valued version of the mechanism (this is left as an exercise).

While the Laplace mechanism is an incredibly useful primitive, it is not always the best-suited algorithm to privatize your query. The Laplace mechanism can only privatize numbers, whereas some queries may involve private selection from a set or detection of the first anomaly in a sequence of events. Some numeric queries may also lose significant utility when the addition of noise perturbs the release beyond some unknown threshold.

Exponential Mechanism

As defined in Chapter 2, the exponential mechanism is used for private selection from a set of candidates.⁴ In this setting, you know what the set of possible outputs can be (your candidate set), and you want to choose one (or more) candidates from that set that best answers a query on the private data set. The best candidate is defined according to a scoring function that assigns the score $s_c=\mathrm{score}(x,c)$ to a candidate $c$ for a data set $x$.

A motivating example (similar to the seminal paper) involves pricing: imagine that you have decided to sell off each of your baseball cards and want to choose the best price point to maximize profit. If you set the price too high, you will fail to find buyers, whereas setting the price too low will also mean losing money. This problem is not suitable for the Laplace mechanism, because a small perturbation to the chosen price may result in an extreme loss in realized profit, as there may be many buyers right at the edge. In this setting, assume that prospective buyers will tell you what they are willing to spend, so long as this information isn’t leaked to other buyers.

To use the exponential mechanism, you must define a set of potential price points before conferring with the buyers. This set of potential price points forms the candidate set. The exponential mechanism selects one of those candidates based on the private information from the buyers.

Just like many other DP mechanisms, you can break the algorithm into a stable transformation and a private mechanism. The stable transformation is the scoring function, which maps the private data set to a vector of scores. The private mechanism is the exponential mechanism, which selects one of the candidates based on the scores. A small postprocessor is then employed to index into the candidate set to retrieve the final selection.

You can think of the scoring as a data set aggregation, just like you might think of a data set sum as an aggregation. You can define a scoring transformation $T(·)$ that aggregates a data set down to a vector of scores, where each score corresponds to a different candidate price point.

You can then use the infinity norm $L^{\infty }$ to define a metric that computes the distance between adjacent score vectors. The sensitivity of this score vector is based on the greatest amount any one score may change.

$L^{\infty }$ distance

The $L^{\infty }$ distance between two vectors of scores and $s=[s_1,s_2,...,s_k]$ and $s^{\text{'}}=[s_1^{\text{'}},s_2^{\text{'}},...,s_k^{\text{'}}]$ is $d_{L\infty }(s,s^{\text{'}})={\parallel s-s’\parallel }_{\infty }={max}_i|s_i-s_i^{\text{'}}|$.

The $L^{\infty }$ metric is used on the output of the scorer and input to the exponential mechanism.

Quantile Score Transformation

An example of a useful scoring function is the quantile score transformation. This transformation assigns a score to each candidate in a vector $c_i$ in a set of candidates $C$.⁵

The score function gives higher scores to candidates nearer the $\alpha$-quantile in the data set $x$:

The score function is based on the number of records in the data set that are less than $c$ (denoted $\#(x<c)$) or greater than $c$ (denoted $\#(x>c)$) for each candidate quantile $c$.

If you’d like to find the median, let $\alpha$ = 0.5. Candidates that evenly divide the data set will have the greatest possible score of zero, because the two terms will cancel each other out. The more unevenly that a candidate divides the data set, the more negative the score will become. It may help to think through how the scoring function will behave for other choices of $\alpha$, like zero or one.

As written in Python, the score transformation executes this score function for each candidate, returning a vector of scores (one score for each candidate):

def make_score_quantile_finite(candidates, alpha):
    dp.assert_features("contrib")
    assert 0 <= alpha <= 1, "alpha must be in [0, 1]"
    assert len(set(candidates)) == len(candidates), "candidates must be unique"
    def f_score_candidates(x):
        """Assuming `x` is sorted, scores every element in `candidates`
        according to rank distance from the `alpha`-quantile."""
        num_leq = (np.array(x)[None] <= candidates[:, None]).sum(axis=1)
        return -abs(num_leq - alpha * len(x))
    
    return dp.t.make_user_transformation(
        input_domain=dp.vector_domain(dp.atom_domain(T=type(candidates[0]))),
        input_metric=dp.symmetric_distance(),
        output_domain=dp.vector_domain(dp.atom_domain(T=float)),
        output_metric=dp.linf_distance(T=float),
        function=f_score_candidates,
        stability_map=lambda b_in: b_in * max(alpha, 1 - alpha))

The scoring transformation is stable because, when the distance between the input data sets is bounded, the distance between the output vectors is also bounded under the $L^{\infty }$ distance:

This bound skips over many steps for brevity, but it would be good practice to fill in the gaps yourself. Start by substituting the definition of $S$, and then consider the cases of adding or removing a single record from the data set.

def make_finite_exponential_mechanism(temperature, monotonic=False):
    """Privately select the index of the best score from a vector of scores"""
    dp.assert_features("contrib", "floating-point")
    def f_select_index(scores):
        scores = np.array(scores)
        scores -= scores.max() # for numerical stability; doesn't affect probs

        likelihoods = np.exp(scores * temperature) # each candidate's likelihood
        probabilities = likelihoods / likelihoods.sum() # normalize
        # use inverse transform sampling from the cdf to select a candidate
        return np.argmax(probabilities.cumsum() >= np.random.uniform())
    
    return dp.m.make_user_measurement(
        input_domain=dp.vector_domain(dp.atom_domain(T=float)),
        input_metric=dp.linf_distance(T=float, monotonic=monotonic),
        output_measure=dp.max_divergence(T=float),
        function=f_select_index,
        privacy_map=lambda b_in: b_in / temperature * (1 if monotonic else 2))

def make_private_quantile_in_candidates(candidates, alpha, scale):
    return make_score_quantile_finite(candidates, alpha=alpha) >> \
        make_finite_exponential_mechanism(scale) >> \
        (lambda idx: candidates[idx]) # postprocess: retrieve the candidate

def make_interval_exponential_mechanism(bounds, scorer, entropy):
    L, U = bounds; assert L < U, "bounds must be increasing"
    def f_select_from_interval(x):
        # NEW: sort, clip and bookend x with bounds
        x = np.concatenate(([L], np.clip(np.sort(x), *bounds), [U]))

        scores = np.array(scorer(x)) # score all intervals in x
        scores -= scores.max() # for numerical stability; doesn't affect probs

        # NEW: area = width      * height; gives each interval's likelihood
        likelihoods = np.diff(x) * np.exp(scores * entropy)
        probabilities = likelihoods / likelihoods.sum() # normalize

        # use inverse transform sampling from the cdf to select an interval
        index = np.argmax(probabilities.cumsum() >= np.random.uniform())
        # NEW: sample uniformly from the selected interval
        return np.random.uniform(low=x[index], high=x[index + 1])
    
    mono = 1 if "monotonic" in str(scorer.output_metric) else 2
    return dp.m.make_user_measurement(
        input_domain=scorer.input_domain,
        input_metric=scorer.input_metric,
        output_measure=dp.max_divergence(T=float),
        function=f_select_from_interval,
        privacy_map=lambda b_in: scorer.map(b_in) / entropy * mono)

def make_score_quantile_interval(alpha, T=float):
    assert 0 <= alpha <= 1, "alpha must be in [0, 1]"
    def f_score_quantile_interval(x):
        """Assuming `x` is sorted, scores each gap in `x`
        according to rank distance from the `alpha`-quantile."""
        ranks = np.arange(len(x) - 1)
        left, right = abs(ranks - alpha * len(x)), abs(ranks + 1 - alpha * len(x))
        return -np.minimum(left, right)
    
    return dp.t.make_user_transformation(
        input_domain=dp.vector_domain(dp.atom_domain(T=T)),
        input_metric=dp.symmetric_distance(),
        output_domain=dp.vector_domain(dp.atom_domain(T=float)),
        output_metric=dp.linf_distance(T=float),
        function=f_score_quantile_interval,
        stability_map=lambda b_in: b_in * max(alpha, 1 - alpha))

def make_private_quantile_in_bounds(bounds, alpha, scale):
    scorer = make_score_quantile_interval(alpha)
    return make_interval_exponential_mechanism(bounds, scorer, scale)

meas = make_private_quantile_in_bounds(bounds=(0, 100.), alpha=.5, scale=1.)
print(meas(np.random.normal(22., scale=12, size=1000))) # ~> 21.37
print(meas.map(1)) # -> 1 = ε

Report Noisy Max Mechanisms

Report Noisy Max (RNM) is a family of algorithms for private selection from a finite set of candidates.

To privately select the index of the best score from a vector of scores $S=[s_1,s_2,...,s_k]$ in a way that satisfies $ϵ$-differential privacy, return $\underset{i}{\text{argmax}}{s}_i+z_i$, where $z_i$ denotes the $i^{th}$ independent and identically distributed sample from an appropriate distribution. There are several possible distributions where this mechanism satisfies $ϵ$-differentially privacy.

For example, noisy max with noise sampled from a carefully calibrated Gumbel distribution is equivalent to the finite-support exponential mechanism. Since both approaches effectively sample an index from the same distribution, they can be used interchangeably.

The Gumbel distribution for a scale parameter $\beta$ is defined by the following probability density function:

By sampling $z_i$ from the Gumbel distribution with scale parameter $\beta =\frac{2{\dot{b}}_{in}}{ϵ}$, the resulting noisy max mechanism is $ϵ$-differentially private.

This algorithm is much simpler than make_finite_exponential_mechanism: the scores are left as log-likelihoods, which avoids the numerical instability of exponentiating scores:

def make_report_noisy_max_gumbel(scale, monotonic=False, T=float):
    dp.assert_features("contrib")
    assert scale >= 0, "scale must not be negative"
    return dp.m.make_user_measurement(
        input_domain=dp.vector_domain(dp.atom_domain(T=T)),
        input_metric=dp.linf_distance(T=T),
        output_measure=dp.max_divergence(T=float),
        # the value with the largest noisy score is the selected bin index
        function=lambda scores: np.argmax(np.random.gumbel(scores, scale=scale)),
        privacy_map=lambda b_in: b_in / scale * (1 if monotonic else 2))

Another nice computational benefit is that the algorithm can be adjusted to run on a data stream. In addition, the distribution of the top $k$ indexes by noisy scores is equivalent to peeling the top $k$ scores. Therefore, it is easy to adjust the algorithm to efficiently release the top $k$ scores together in one shot.

Keep in mind that this noisy max approach is only useful when the support is finite, as it is clearly impossible to add noise to an infinite number of candidates.

Streams

A stream is a sequence of values that are produced consecutively. The terminology is common in signal processing (where data is produced by a sensor) and in functional languages (where data is produced by a function).

Just as you can measure the distance between vectors, scalars, dataframes, and other forms of data, you can also measure the distance between streams. The same is true for the divergence between the distributions of randomized streams.

And similarly, just as you have many metrics to choose from when measuring the distance between vectors, you have many metrics to choose from when measuring the distance between streams. Instead of exploring the set of possible metrics, we’ll just focus on the metric needed for the above threshold mechanism and introduce more as necessary.

The $L^{\infty }$ distance between streams is very similar to the $L^{\infty }$ distance for vectors. If a stream has bounded $L^{\infty }$ sensitivity of $d$, then each element in a neighboring stream may differ by up to $d$. A similar extension can be made to the max-divergence.

In stream processing terminology, a filter processes a stream, producing another stream. A filter can even be proven to be a stable transformation or private mechanism and can be implemented via a queryable. Above threshold is an example of a stream filter: it is a private mechanism that returns a queryable.

Online Private Selection

You can think of “above threshold” as online private selection from a stream of candidates. The closest analogue to existing mechanisms is the Laplace Noisy Max (LNM) mechanism, but LNM still requires all candidates to be known up front.

The mechanism privatizes a stream with bounded $L^{\infty }$ sensitivity:

def make_above_threshold(threshold, scale, monotonic=False):
    """Privately find the first item above `threshold` in a stream."""
    dp.assert_features("contrib", "floating-point")

    def f_above_threshold(stream):
        found, threshold_p = False, laplace(loc=threshold, scale=scale)
        def transition(query):
            nonlocal found # the state of the queryable
            assert not found, "queryable is exhausted"

            value = laplace(loc=stream(query), scale=2 * scale)
            if value >= threshold_p:
                found = True
            return found
        return dp.new_queryable(transition, Q=query_type(stream), A=bool)
        
    return dp.m.make_user_measurement(
        input_domain=queryable_domain(dp.atom_domain(T=type(threshold))),
        input_metric=dp.linf_distance(T=type(threshold), monotonic=monotonic),
        output_measure=dp.max_divergence(T=float),
        function=f_above_threshold,
        privacy_map=lambda b_in: b_in / scale * (1 if monotonic else 2),
    )

In the case of above_threshold, the state of the queryable simply consists of the found boolean.

When you invoke above_threshold, you get a queryable. The queryable implements a private filter on the input stream, emitting a private output stream:

meas = make_above_threshold(threshold=4, scale=1.)
# since the measurement privatizes a stream, initialize with a dummy stream
qbl = meas(lambda x: x)

qbl(2) # very likely to emit False
qbl(3) # likely to emit False
qbl(6) # likely to emit True for the first time
qbl(4) # expected to throw an assertion error

There are more connections between the above threshold mechanism and noisy max:

• The gap between the noisy threshold and noisy query can also be released without additional privacy consumption.

• You can apply another private mechanism to release an estimate of the score with additional privacy consumption.

• You can tighten the analysis with the range distance.

Differentially private stream processing algorithms share the modularity of other DP algorithms.

Stable Transformations on Streams

You may now be wondering what you can do with the above threshold mechanism: under what conditions are your analyses best served by privatizing a stream?

Consider a situation where you want to know the first query on a data set that returns a value above a threshold. To accomplish this, first construct a stable transformation from a sensitive data set to a stable filter, and then chain this transformation and the above threshold mechanism together:

def make_query_stream(input_domain, input_metric, b_in, b_out):
    """Return a stream for asking queries about a data set"""
    dp.assert_features("contrib")
    T = type(b_out)
    input_space = input_domain, input_metric
    output_space = dp.atom_domain(T=T), dp.absolute_distance(T=T)
    stream_space = queryable_domain(output_space[0]), dp.linf_distance(T=T)

    def f_query_stream(data):
        def transition(trans):
            assert trans.input_space == input_space
            assert trans.output_space == output_space
            assert trans.map(b_in) <= b_out, "query is too sensitive"
            return trans(data)
        return dp.new_queryable(transition, A=T)

    return dp.t.make_user_transformation(
        *input_space, *stream_space, f_query_stream,
        stability_map=lambda b_in_p: b_in_p / b_in * b_out
    )

The query_stream function takes a data set $x$ and returns a queryable, upon which you may submit a stream of transformations. Since each transformation has bounded sensitivity, the resulting stream has bounded $L^{\infty }$ sensitivity and can be privatized by the preceding threshold mechanism:

space = dp.vector_domain(dp.atom_domain(T=int)), dp.symmetric_distance()
meas = make_query_stream(*space, b_in=1, b_out=1) >> \
       make_above_threshold(threshold=4, scale=1.)

The algorithm now searches for the first query above a threshold in a stream of queries. This example submits a sensitivity-1 unique count first (which is likely below the threshold) and then a sensitivity-1 count (which is likely above the threshold):

qbl = meas([1, 2, 2, 2, 3])
print(qbl(dp.t.make_count_distinct(*space))) # likely to emit False
print(qbl(dp.t.make_count(*space))) # likely to emit True

There are many stable transformations on streams that can be used with the above threshold mechanism. It is your responsibility to ensure that the stream processing transformations you use satisfy the necessary stability properties of the mechanism you want to use them with. Luckily, stable or differentially private primitives are completely encapsulated to be easily composable and provably correct in isolation.