Kunal Talwar, MSR SVC. [Dwork, McSherry, Talwar, STOC 2007]

Compressed Sensing: If x ∈ ℝ^N is k-sparse, take M ~ C·k·log(N/k) random Gaussian measurements; then ℓ₁ minimization recovers x. For what k does this make sense (i.e., M < N)? How small can C be?

Outline: privacy motivation; coding setting; results; proof sketch.

A database of information about individuals, e.g. medical history, census data, customer info. We need to guarantee confidentiality of individual entries, yet want to make deductions about the database and learn large-scale trends: e.g., learn that drug V increases the likelihood of heart disease, without leaking information about individual patients. (Figure: Curator ↔ Analyst.)

Simple model (easily justifiable). Database: an n-bit binary vector x. Query: a vector a. True answer: the dot product a·x. Response: a·x + e = true answer + noise. Blatant non-privacy: the attacker learns n − o(n) bits of x. Theorem [Dinur-Nissim]: If all responses are within o(√n) of the true answer, then the algorithm is blatantly non-private, even against a polynomial-time adversary asking O(n log² n) random questions.
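
As an illustration of how such an attack can be run, here is a minimal sketch (my own construction, not code from the talk; all sizes and names are illustrative): the curator answers random ±1 dot-product queries with every response within a bound E of the truth, and the attacker finds any fractional database consistent with all responses by linear programming, then rounds it.

    import numpy as np
    from scipy.optimize import linprog

    rng = np.random.default_rng(0)
    n, q = 60, 600                             # database bits, number of random queries
    x = rng.integers(0, 2, size=n)             # secret database
    A = rng.choice([-1.0, 1.0], size=(q, n))   # random +/-1 queries
    E = 0.3 * np.sqrt(n)                       # per-answer error bound, o(sqrt(n)) in spirit
    y = A @ x + rng.uniform(-E, E, size=q)     # noisy responses

    # LP feasibility: find x' in [0,1]^n with |a_i . x' - y_i| <= E for all i.
    A_ub = np.vstack([A, -A])
    b_ub = np.concatenate([y + E, E - y])
    res = linprog(c=np.zeros(n), A_ub=A_ub, b_ub=b_ub,
                  bounds=[(0, 1)] * n, method="highs")
    x_hat = np.round(res.x).astype(int)        # round the fractional solution
    print("bits recovered:", np.sum(x_hat == x), "of", n)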

Privacy has a price: there is no safe way to avoid increasing the noise as the number of queries increases. This applies to the non-interactive setting as well: any non-interactive solution permitting answers that are "too accurate" to "too many" questions is vulnerable to the Dinur-Nissim (DiNi) attack. This work: what if most responses have small error, but some can be arbitrarily off?

Coding setting. A real vector x ∈ ℝⁿ and a matrix A ∈ ℝ^{m×n} with i.i.d. Gaussian entries. Transmit the codeword Ax ∈ ℝ^m. The channel corrupts the message: receive y = Ax + e. The decoder must reconstruct x, assuming e has small support (at most αm entries of e are non-zero). (Figure: Encoder → Channel → Decoder.)

min support(e′) such that y = Ax′ + e′, x′ ∈ ℝⁿ — solving this would give the original message x. min |e′|₁ such that y = Ax′ + e′, x′ ∈ ℝⁿ — this is a linear program, solvable in poly time.
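
The second program, written out as a runnable sketch (illustrative sizes; the standard slack-variable formulation: minimize Σt subject to −t ≤ y − Ax′ ≤ t):

    import numpy as np
    from scipy.optimize import linprog

    rng = np.random.default_rng(1)
    n, m = 20, 80                          # message length, codeword length (m = 4n)
    A = rng.standard_normal((m, n))        # Gaussian encoding matrix
    x = rng.standard_normal(n)             # message
    e = np.zeros(m)
    bad = rng.choice(m, size=m // 10, replace=False)   # 10% grossly corrupted coordinates
    e[bad] = 10 * rng.standard_normal(bad.size)
    y = A @ x + e

    # min sum(t)  s.t.  A x' - t <= y  and  -A x' - t <= -y,  i.e. minimize |y - A x'|_1.
    c = np.concatenate([np.zeros(n), np.ones(m)])
    A_ub = np.block([[ A, -np.eye(m)],
                     [-A, -np.eye(m)]])
    b_ub = np.concatenate([y, -y])
    res = linprog(c, A_ub=A_ub, b_ub=b_ub,
                  bounds=[(None, None)] * n + [(0, None)] * m, method="highs")
    x_hat = res.x[:n]
    print("reconstruction error:", np.linalg.norm(x_hat - x))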

Theorem [Donoho / Candès-Rudelson-Tao-Vershynin]: For an error rate α < 1/2000, LP decoding succeeds in recovering x (for m = 4n). This talk: how large an error rate α can LP decoding tolerate?

Let α* = … Theorem 1: For any α < α*, there exists c such that if A has i.i.d. Gaussian entries and m = cn rows, then for k = αm the following holds: if the best support-k approximation e_k of the error e satisfies |e − e_k| < δ, then LP decoding reconstructs an x′ with |x′ − x|₂ = O(δ/√n). Theorem 2: For any α > α*, LP decoding can be made to fail, even if m grows arbitrarily.

In the privacy setting: suppose, for α < α*, the curator answers a (1 − α) fraction of questions within error o(√n) and the remaining α fraction arbitrarily. Then the curator is blatantly non-private. Theorem 3: Similar LP decoding results hold when the entries of A are randomly chosen from {−1, +1}. The attack works in the non-interactive setting as well, and also leads to error-correcting codes over finite alphabets.

Theorem 1, restated for compressed sensing: For any α < α*, there exists c such that if B has i.i.d. Gaussian entries and M = (1 − c)N rows, then for k = αN and any vector x ∈ ℝ^N, given Bx, LP decoding reconstructs an x′ whose error is bounded in terms of the distance from x to the nearest support-k vector.

Let α* = … Theorem 1 (δ = 0): For any α < α*, there exists c such that if A has i.i.d. Gaussian entries with m = cn rows, and the error vector e has support at most αm, then LP decoding exactly reconstructs x. Proof sketch…

LP decoding is scale and translation invariant. Thus, without loss of generality, the transmitted message is x = 0, so the received word is y = Ax + e = e. If the LP reconstructs some z ≠ 0, by scale invariance we may take |z|₂ = 1. Call such a z bad for A. (Figure: codewords Ax, Ax′ and received word y.)

Proof: Any fixed z is very unlikely to be bad for A: Pr[z bad] ≤ exp(−cm). A net argument extends this to all of ℝⁿ: Pr[∃ bad z] ≤ exp(−c′m). Thus, with high probability, A is such that LP decoding never fails.

z bad: |Az − e|₁ < |A·0 − e|₁, i.e. |Az − e|₁ < |e|₁. Let e have support T. Without loss of generality, e agrees with Az on T. Thus z bad ⇒ |Az|_{T^c} < |Az|_T ⇒ |Az|_T > ½|Az|₁. (Figure: the entries e₁, …, e_m of e and a₁z, …, a_mz of Az, split into T and T^c.)

A i.i.d. Gaussian ⇒ each entry of Az is an i.i.d. Gaussian (since |z|₂ = 1, each W_i = ⟨a_i, z⟩ is a standard Gaussian). Let W = Az; its entries W₁, …, W_m are i.i.d. Gaussians. z bad ⇒ Σ_{i∈T} |W_i| > ½ Σ_i |W_i|. Recall |T| ≤ αm. Define S_α(W), for 0 < α ≤ 1, to be the sum of the magnitudes of the top α fraction of the entries of W. Thus z bad ⇒ S_α(W) > ½ S₁(W): a few Gaussians carrying a lot of the mass!
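
A quick empirical look at this quantity, under the assumption that W has i.i.d. standard Gaussian entries (an illustration of mine, not from the slides):

    import numpy as np

    def S(W, frac):
        """Sum of magnitudes of the top `frac` fraction of entries of W."""
        a = np.sort(np.abs(W))[::-1]       # magnitudes, descending
        k = max(1, int(frac * len(a)))
        return a[:k].sum()

    rng = np.random.default_rng(2)
    W = rng.standard_normal(100_000)
    for frac in (0.1, 0.239, 0.3):
        # fraction of the total l1 mass carried by the top entries;
        # crosses ~0.5 near alpha* ≈ 0.239
        print(frac, S(W, frac) / S(W, 1.0))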

Let us look at E[S_α]. Let w* be the threshold for which E[|W| · 1{|W| ≥ w*}] = ½ E[|W|], and let α* = Pr[|W| ≥ w*]. Then E[S_{α*}] = ½ E[S₁]. Moreover, for any α < α*, there is a γ > 0 with E[S_α] ≤ (½ − γ) E[S₁]. (Plot: E[S_α] as a function of α, crossing ½ E[S₁] at α*.)
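
The slides leave the value of α* unstated; as an illustration, assuming W ~ N(0,1), the defining condition has a closed form: E[|W| · 1{|W| ≥ w}] = √(2/π)·e^{−w²/2} while E[|W|] = √(2/π), so w* solves e^{−w*²/2} = ½ and α* = Pr[|W| ≥ w*]. A small numerical sketch (my derivation, not from the talk):

    import math

    w_star = math.sqrt(2 * math.log(2))            # solves exp(-w^2/2) = 1/2
    alpha_star = math.erfc(w_star / math.sqrt(2))  # Pr[|N(0,1)| >= w_star]
    print(w_star, alpha_star)                      # ~1.1774, ~0.2391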

S_α depends on many independent Gaussians. The Gaussian isoperimetric inequality implies that, with high probability, S_α(W) is close to E[S_α]; S₁ is concentrated similarly. Thus Pr[z is bad] ≤ exp(−cm).

1) Any fixed z is very unlikely to be bad for A: Pr[z bad] ≤ exp(−cm). 2) Union bound over a dense net of the unit ball in ℝⁿ (the net has size exp(c′n)): Pr[∃ bad z in the net] ≤ exp(−c′′m). 3) A continuity-type argument shows that no z at all is bad.

Beyond the threshold, i.e. for α > α*, we now have E[S_α] > (½ + γ) E[S₁]. A similar measure-concentration argument shows that any fixed z is bad with high probability. Thus LP decoding fails w.h.p. beyond α*. The Donoho/CRTV experiments used a random error model.

Compressed Sensing, revisited: If x ∈ ℝ^N is k-sparse, take M ~ C·k·log(N/k) random Gaussian measurements; then ℓ₁ minimization recovers x. For what k does this make sense (i.e., M < N)? k < α*·N ≈ 0.239·N. How small can C be? C > (α* log(1/α*))^{−1} ≈ 2.02.
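
For comparison, the compressed-sensing recovery itself is also just an LP (basis pursuit: minimize |x′|₁ subject to Bx′ = y). A sketch with illustrative sizes:

    import numpy as np
    from scipy.optimize import linprog

    rng = np.random.default_rng(3)
    N, k, M = 100, 5, 40                  # ambient dim, sparsity, measurements (M < N)
    B = rng.standard_normal((M, N))       # Gaussian measurement matrix
    x = np.zeros(N)
    x[rng.choice(N, k, replace=False)] = rng.standard_normal(k)
    y = B @ x

    # min sum(t)  s.t.  -t <= x' <= t  and  B x' = y.
    c = np.concatenate([np.zeros(N), np.ones(N)])
    I = np.eye(N)
    A_ub = np.block([[ I, -I],
                     [-I, -I]])
    b_ub = np.zeros(2 * N)
    A_eq = np.hstack([B, np.zeros((M, N))])
    res = linprog(c, A_ub=A_ub, b_ub=b_ub, A_eq=A_eq, b_eq=y,
                  bounds=[(None, None)] * N + [(0, None)] * N, method="highs")
    print("recovery error:", np.linalg.norm(res.x[:N] - x))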

A tight threshold for Gaussian LP decoding. To preserve privacy: lots of error in lots of answers. Similar results hold for ±1 queries. Inefficient attacks can go much further: correct a (½ − ε) fraction of wild errors, or correct a (1 − ε) fraction of wild errors in the list-decoding sense. Efficient versions of these attacks? Dwork-Yekhanin: (½ − ε) using AG codes.

Formally: Database: a vector d ∈ D^N. Mechanism: M : D^N → R. Evaluating M(d) should not reveal specific information about the tuples in d. (Figure: Curator ↔ Analyst.)

When ε is small: for d, d′ ∈ D^N differing on one input, and any S ⊆ R, Pr[M(d) ∈ S] lies within (1 ± ε) × Pr[M(d′) ∈ S], with probabilities taken over the coins flipped by the curator. This holds independently of other sources of data, other databases, or even knowledge of every other input in d. "Anything, good or bad, is essentially equally likely to occur, whether I join the database or not." The guarantee generalizes to groups of respondents, although if the group is large, outcomes should differ.

Dalenius' goal, "Anything that can be learned about a respondent, given access to the statistical database, can be learned without access", is provably unachievable. Sam the smoker tries to buy medical insurance; the statistical DB teaches that smoking causes cancer; Sam is harmed by higher premiums for medical insurance. Sam need not even be in the database! Differential privacy guarantees that the risk to Sam will not noticeably increase if he enters the DB. DBs have intrinsic social value.

No perceptible risk is incurred by joining the data set: anything the adversary can do to Sam, it could do even if his data were not in the data set. (Plot: Pr[r] over outcomes r, with the set of bad r's marked.)

Suppose the analyst is interested in a counting query f(d) = Σᵢ P[dᵢ] for some predicate P. Example: P[dᵢ] = 1 iff dᵢ smokes and has cancer. The curator adds symmetric noise drawn from Lap(s), scaled with s = 1/ε (a counting query changes by at most 1 when one input changes). (Plot: the Laplace density p(x) ∝ exp(−|x|/s), with ticks at 0, ±s, ±2s, ….)

On a neighboring database the true count changes by at most 1, so the response density shifts to p(x) ∝ exp(−|x − 1|/s); the two densities differ pointwise by a factor of at most e^{1/s} = e^ε. (Plot: the overlaid densities p(x) ∝ exp(−|x|/s) and p(x) ∝ exp(−|x − 1|/s).)

For a general query f : D^N → ℝ^k, let Δf = max_{d, d′: |d − d′| = 1} |f(d) − f(d′)|₁. Example: the histogram query has sensitivity Δf = 1. The curator adds symmetric multidimensional noise ~ Lap(s)^k with s = Δf/ε. Theorem: This gives ε-differential privacy. (Plot: the Laplace density with ticks at 0, ±s, ±2s, ….)
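
A minimal sketch of the Laplace mechanism as described on this slide (the predicate, data, and function names are my own illustration):

    import numpy as np

    def laplace_mechanism(d, f, sensitivity, eps, rng):
        """Release f(d) plus i.i.d. Lap(sensitivity/eps) noise per coordinate."""
        answer = np.atleast_1d(f(d)).astype(float)
        scale = sensitivity / eps
        return answer + rng.laplace(loc=0.0, scale=scale, size=answer.shape)

    rng = np.random.default_rng(4)
    d = rng.integers(0, 2, size=(1000, 2))   # columns: smokes, has_cancer
    # counting query "smokes and has cancer": sensitivity 1
    count = lambda d: np.sum((d[:, 0] == 1) & (d[:, 1] == 1))
    print(laplace_mechanism(d, count, sensitivity=1.0, eps=0.1, rng=rng))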

This allows fairly accurate reporting of insensitive functions. When asking, e.g., independent counting questions, the noise grows linearly in the number of questions. Many algorithms and analyses can be written or rephrased to use a sequence of insensitive questions to the database: means, variances, and covariances; the EM algorithm for k-means; PCA; a set of low-dimensional marginals.
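
For example, under simple sequential composition, answering T counting queries with a total budget ε means adding Lap(T/ε) noise to each, so the per-answer noise grows linearly in T; a sketch with illustrative names:

    import numpy as np

    def answer_queries(d, predicates, eps_total, rng):
        """Answer T counting queries with total privacy budget eps_total
        by adding Lap(T / eps_total) noise to each true count."""
        T = len(predicates)
        scale = T / eps_total          # per-query scale grows linearly in T
        return [P(d).sum() + rng.laplace(scale=scale) for P in predicates]

    rng = np.random.default_rng(5)
    d = rng.integers(0, 2, size=(1000, 3))
    predicates = [lambda d, j=j: d[:, j] == 1 for j in range(3)]
    print(answer_queries(d, predicates, eps_total=0.3, rng=rng))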