Algorithms for bounding contribution for histogram estimation under user-level privacy

TL;DR

This paper develops algorithms for optimally bounding user contributions in histogram estimation under user-level differential privacy, balancing privacy and data utility in both bounded and unbounded domain scenarios.

Contribution

It introduces new algorithms that nearly optimize user contribution bounds for differential privacy, with theoretical guarantees and practical effectiveness demonstrated through experiments.

Findings

Algorithms achieve near-optimal bounds in bounded domain settings.

Logarithmic approximation for unbounded domain histogram estimation.

Clipping bias can be reduced under mild distribution assumptions.

Abstract

We study the problem of histogram estimation under user-level differential privacy, where the goal is to preserve the privacy of all entries of any single user. We consider the heterogeneous scenario where the quantity of data can be different for each user. In this scenario, the amount of noise injected into the histogram to obtain differential privacy is proportional to the maximum user contribution, which can be amplified by few outliers. One approach to circumvent this would be to bound (or limit) the contribution of each user to the histogram. However, if users are limited to small contributions, a significant amount of data will be discarded. In this work, we propose algorithms to choose the best user contribution bound for histogram estimation under both bounded and unbounded domain settings. When the size of the domain is bounded, we propose a user contribution bounding strategy that almost achieves a two-approximation with respect to the best contribution bound in hindsight. For unbounded domain histogram estimation, we propose an algorithm that is logarithmic-approximation with respect to the best contribution bound in hindsight. This result holds without any distribution assumptions on the data. Experiments on both real and synthetic datasets verify our theoretical findings and demonstrate the effectiveness of our algorithms. We also show that clipping bias introduced by bounding user contribution may be reduced under mild distribution assumptions, which can be of independent interest.