Successive Refinement of Privacy

TL;DR

This paper explores the minimum randomness needed for local differential privacy, introducing a hierarchical privacy model that allows multiple analysts to access data at different privacy levels using the same output.

Contribution

It introduces the concept of successive refinement of privacy, extending classical security models to local differential privacy, with tight characterizations and mechanisms for multi-level privacy.

Findings

Tight bounds on privacy-utility-randomness trade-offs.

A new privacy mechanism for multi-level privacy.

Random keys cannot be reused over time without compromising privacy.

Abstract

This work examines a novel question: how much randomness is needed to achieve local differential privacy (LDP)? A motivating scenario is providing {\em multiple levels of privacy} to multiple analysts, either for distribution or for heavy-hitter estimation, using the \emph{same} (randomized) output. We call this setting \emph{successive refinement of privacy}, as it provides hierarchical access to the raw data with different privacy levels. For example, the same randomized output could enable one analyst to reconstruct the input, while another can only estimate the distribution subject to LDP requirements. This extends the classical Shannon (wiretap) security setting to local differential privacy. We provide (order-wise) tight characterizations of privacy-utility-randomness trade-offs in several cases for distribution estimation, including the standard LDP setting under a randomness constraint. We also provide a non-trivial privacy mechanism for multi-level privacy. Furthermore, we show that we cannot reuse random keys over time while preserving privacy of each user.