Aggregation and Transformation of Vector-Valued Messages in Differential Privacy Shuffle Model

aggregation and transformation of vector valued n.w
1 / 32
Embed
Share

Explore the Shuffle Model of Differential Privacy and its aggregation techniques for preserving privacy in data analysis. Learn about the research motivations, models of DP, and the concepts of Differential Privacy.

  • Privacy
  • Differential Privacy
  • Data Analysis
  • Research
  • Technology
rayaanacharya
ksale Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Aggregation and Transformation of Vector-Valued Messages in the Shuffle Model of Differential Privacy Shuffle Model of Differential Privacy Mary Scott Joint work with Graham Cormode and Carsten Maple Accepted by British International Conference on Databases (BICOD) Submitted to IEEE Transactions on Information Forensics and Security (TIFS)

  2. Research Motivation Research Motivation My research area is Privacy-Enhancing Technologies (PETs), with a particular focus on Differential Privacy (DP). DP is a strong, mathematical definition of privacy in the context of statistical and machine learning analysis. Provides mathematically provable guarantee of privacy protection against wide range of privacy attacks, e.g. differencing attacks, linkage attacks, reconstruction attacks. Ensures that any given disclosure is within a small multiplicative factor, whether or not an individual participates in the dataset.

  3. Research Motivation Research Motivation A randomized function ? gives ?,? -differential privacy (for parameters ? 0 and 0) if for all datasets ? and ? differing on at most one element, and all ? Range ? , ?? ? ? ? ??? ? ?? ? ? ? + ? . To achieve this guarantee, introduce uncertainty (noise) to input of each individual. Get true answer plus noise from a distribution, e.g. Geometric distribution, Laplace distribution. The more different the outputs are, the more noise required to make them indistinguishable from each other.

  4. Research Motivation Research Motivation

  5. Models of Differential Privacy Models of Differential Privacy Centralized Model of DP: users submit sensitive personal information directly to a trusted central data collector, who adds random noise to raw data to provide DP, and assembles and analyses the aggregated results. Local Model of DP: each user applies a local randomizer to add random noise to their data before it is submitted. No need for trusted party but noise required per user for same privacy guarantee is much higher. Limits usage of Local Differential Privacy (LDP) to major companies, e.g. Google, Apple and Microsoft. Neither provides a good balance between trust of central entity and level of noise required to guarantee DP.

  6. The Shuffle Model of DP The Shuffle Model of DP The (Single-Message) Shuffle Model sits in between the Centralized and Local Models of DP: noise required per user for same privacy guarantee is not as high as in the Local Model. Introduces an additional shuffling step to the Local Model: after the data from each user is encoded, it is randomly permuted to unbind each user from their data before analysis takes place. Only introduced in 2019, there is much more work to be done. Contrasts with general DP which was first defined in 2006. Currently working on a protocol for vector-valued messages, extending an existing protocol only applicable for scalars.

  7. The Shuffle Model of DP The Shuffle Model of DP

  8. Extending the Shuffle Model to Vectors Extending the Shuffle Model to Vectors Extended The Privacy Blanket of the Shuffle Model (Balle et al., 2019) to be applicable to vectors rather than just scalars. Two contributions: an optimal single message protocol for summation of real vectors in the Shuffle Model, and an improvement of this bound through implementation of a Discrete Fourier Transform (DFT), which minimises initial error at expense of the loss in accuracy. Can be extended to produce similar protocol for linearization of matrices and higher-dimensional tensors, useful for representation of multi-dimensional data in Neural Networks.

  9. Applications for Vector Data Collection Applications for Vector Data Collection Why did I choose vectors specifically as the data type? Practical applications in Federated Learning: a Machine Learning (ML) setting where multiple users collaborate in solving a ML problem, under coordination of service provider. e.g. training a Deep Neural Network to predict the next word that a user types, where updates are high-dimensional vectors based on information from user s private database. Why did I investigate the aggregation of these vectors? Closely related to Secure Aggregation: used to privately compute outputs of local ML on user devices. Example above requires only element-wise weighted averages of update vectors.

  10. Accuracy Measure: Accuracy Measure: Mean Squared Error (MSE) Mean Squared Error (MSE) measures average squared difference in comparison between fixed input ? ? to randomized protocol ?, and output ? ? . When ? ? ? =? ? , 2 MSE ?,? = ? ? ? ? ? = Var ? ? , showing that when protocol ? is unbiased, MSE is equivalent to variance.

  11. Protocol for the Local Randomizer Local Randomizer ?? applied by Provided a protocol for the local randomizer ?,?,? each user ? to their message ??. Outcome of this protocol is private histogram of shuffled messages over domain ? . Local randomizer applies randomized response mechanism that: returns the true message ?? with probability 1 ?, and returns a uniformly random message with probability ?. Presence of these random messages forms a privacy blanket to protect against a difference attack on a particular user.

  12. Modified Protocol Modified Protocol for the Local Randomizer ?? Modified earlier protocol ?,?,?,? sum of real vectors ??= ?? Shuffle Model. to address problem of computing 1, ,?? 0,1? in Single-Message ? Problem was explored by Balle et al. for scalar-valued messages: addition of dimension ? can choose number ? ? ? of coordinates to uniformly sample from each vector.

  13. Privacy Analysis Privacy Analysis of Modified Protocol Focus of problem now shifted to optimising this ? to minimise the Mean Squared Error (MSE) of new protocol ??,?,?,?,?. Optimal choice is ? = 1. Theorem 1: The shuffled mechanism = ? ?,?,?,? is ?,? -DP for any ?,?,? , ? | ? ? ,? < 1 and ? 0, 1 such that ? =56??log 1/? log 2?/? ? 1 ?2 < 1 .

  14. Advanced Composition Advanced Composition Results Used Theorem (Dwork et al.): For all ? , ? , ? 0, the class of ? ,? -DP mechanisms satisfies ?,?? + ? -DP under ?-fold adaptive composition for 2?log 1/? ? + ?? ?? 1 . ? = Corollary (Dwork et al.): Given target privacy parameters 0 < ? < 1 and ? > 0, to ensure ?,?? + ? cumulative privacy loss over ?mechanisms, it suffices that each mechanism is ? ,? -DP, where ? ? = . 2 2?log 1/?

  15. Normalizing Normalizing the Mean Squared Error (MSE) When calculating MSE, each coordinate location is used roughly ?/? times. Need to normalize by ?/?2 to get required expression: Corollary 1: For any ?,? , ? | ? ? , ? < 1 and ? 0, exists a parameter ? such that ??,?,?,? is ?,? -DP and 1 , there MSE ??,?,?,? =2??8/314log 1/? log 2?/? 2/3 . 1 ?2?5/3?4/3 MSEdenotes the squared error between the estimated average vector and the true average vector.

  16. Useful Error: Useful Error: Between Average Vectors Simply take the square root of Corollary 1: Corollary 2: For every statistical query ? ? 0,1?, ?,? , ? , ? < 1 and ? 0, 1 , there is an ?,? -DP ?-party unbiased protocol for estimating ? ? ?? ?? in the Single-Message Shuffle Model with standard deviation ? | ? 2?1/2?4/314log 1/? log 2?/? 1 ? ?5/6?2/3 1/3 ? ??,?,?,? = . ?denotes the error between the estimated average vector and the true average vector.

  17. Improved Bounds Improved Bounds for ? = 1 Observe that in optimal case ? = 1, can tighten bounds further, as do not need to invoke advanced composition results when each user samples only a single coordinate. Can more simply set ? = ? and ? = ? in proof of Theorem 1, which yields 14??log 2/? ? 1 ?2 27?? ? 1 ? ? = max , . Coincides with values obtained by Balle et al. in scalar case.

  18. Improved Bounds Improved Bounds for ? = 1 981/3?8/3log 2/? 1 ?2?5/3?4/3, 18?8/3 MSE = max . 1 ?2?5/34?2/3 981/6?4/3log1/22/? 1 ? ?5/6?2/3 181/2?4/3 1 ? ?5/64?1/3 ? = max , .

  19. Adding a Discrete Fourier Transform Discrete Fourier Transform Combined private summation protocol with Discrete Fourier Transform (DFT) to improve accuracy of tight bound: transformed each ?-dimensional message to Fourier domain and selected a small number ? of its coordinates, before running the private summation protocol on these ? remaining coordinates. Resulting estimator has normalized standard deviation ??,??1/3?1/6, a vast improvement on the previous estimator, but some accuracy was lost through transformation of messages between original and Fourier domains.

  20. Adding a Discrete Fourier Transform Discrete Fourier Transform One problem to address: basic vector summation protocol requires each coordinate to be in range 0,1 , while the DFT coordinates may be in range 1,1 . Two natural approaches: could extend protocol to handle negative values, by expanding histogram to 2? buckets (? for positive and ? for negative values), or remap Fourier coefficients by linear transformation (adding 1 and dividing result by 2) before putting them in protocol, then apply inverse transform on decoded result. Chose to apply the latter approach in experiments.

  21. Experimental Evaluation Experimental Evaluation Applied protocol to an ECG Heartbeat Categorization Dataset in Python. Investigated parameters of both the algorithm and the data: the number of coordinates ? retained, the number of buckets ? used, the number of Fourier coefficients ? (in Fourier case only), the vector dimension ? (in basic case only), the value of ?, and the number of vectors ? used.

  22. ? = ? clearly optimal

  23. ? = ? optimal

  24. Fits closely to ??/? dependency from theory

  25. Current and Future Projects Current and Future Projects Internship with the Alan Turing Institute: provide key insights into synthetic data generation, federated learning and privacy-efficacy trade-offs understand the impact of statistical heterogeneity in federated learning systems on efficacy and privacy Possible Future Topics: Secure Aggregation (applied to Shuffle Model) Regression (minimal distance from all vectors) Fourier with Shuffle (to intrinsically provide privacy) Mechanism of Shuffle (multiparty computation)

  26. Thank you for listening Any questions?

Related


Dynamic Pricing Algorithms with Privacy Preservation in Personalized Decision Making

Dynamic Pricing Algorithms with Privacy Preservation in Personalized Decision Making

lillia
Normed Vector Spaces for Nanotechnology Engineering

Normed Vector Spaces for Nanotechnology Engineering

reverie
Database Normalization and Aggregation Concepts

Database Normalization and Aggregation Concepts

rayyan
Privacy in Information Security Training

Privacy in Information Security Training

lillia
NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

haley
Privacy-Preserving Analysis of Graph Structures

Privacy-Preserving Analysis of Graph Structures

bilal
Differential Equations: Types, Classification, and Solutions

Differential Equations: Types, Classification, and Solutions

allie
Differential Equations in Economics Honours

Differential Equations in Economics Honours

damaris
Privacy-Preserving Prediction and Learning in Machine Learning Research

Privacy-Preserving Prediction and Learning in Machine Learning Research

eviegrace
Subspaces and Span of Vector Sets

Subspaces and Span of Vector Sets

zipporah
Privacy Considerations in Data Management for Data Science Lecture

Privacy Considerations in Data Management for Data Science Lecture

maen728
The Privacy Paradox: Attitudes vs. Behaviors

The Privacy Paradox: Attitudes vs. Behaviors

clai_evi
Mary Shelley, William Godwin, and Mary Wollstonecraft: Pioneers of Modern Thought

Mary Shelley, William Godwin, and Mary Wollstonecraft: Pioneers of Modern Thought

kene_708
Secure Distributed Framework for Achieving Differential Privacy

Secure Distributed Framework for Achieving Differential Privacy

avts944
Influence of Mary in Byzantine and Western Art Through the Ages

Influence of Mary in Byzantine and Western Art Through the Ages

jamairh
Enhancing Flow Opportunities in Scott Valley Groundwater Study

Enhancing Flow Opportunities in Scott Valley Groundwater Study

emm_p
Privacy Rights in Europe: A Comprehensive Overview

Privacy Rights in Europe: A Comprehensive Overview

jesu_26
Data Privacy Best Practices Training for Libraries

Data Privacy Best Practices Training for Libraries

teo_nah
Differential Privacy in Statistical Analysis

Differential Privacy in Statistical Analysis

rakiy
Distributed Search Logging: CrowdLogging vs. Centralized Model

Distributed Search Logging: CrowdLogging vs. Centralized Model

lyki420
The Challenges of Protecting Privacy with Differential Privacy

The Challenges of Protecting Privacy with Differential Privacy

rashiqu
Mary I of England - The Reign of Bloody Mary

Mary I of England - The Reign of Bloody Mary

kamchub

More Related Content