Integer Subspace Differential Privacy

TL;DR

This paper introduces integer subspace differential privacy, a new framework for private data release that enforces invariants and integer constraints, using novel mechanisms and MCMC sampling to ensure accuracy and privacy in real-world applications.

Contribution

It formalizes integer subspace differential privacy, develops unbiased additive mechanisms for restricted discrete spaces, and provides an MCMC-based implementation with empirical convergence guarantees.

Findings

Mechanisms achieve sub-exponential and sub-Gaussian tail errors.

Effective MCMC sampling with convergence assessment demonstrated.

Successful application to census and contingency table data.

Abstract

We propose new differential privacy solutions for when external \emph{invariants} and \emph{integer} constraints are simultaneously enforced on the data product. These requirements arise in real world applications of private data curation, including the public release of the 2020 U.S. Decennial Census. They pose a great challenge to the production of provably private data products with adequate statistical usability. We propose \emph{integer subspace differential privacy} to rigorously articulate the privacy guarantee when data products maintain both the invariants and integer characteristics, and demonstrate the composition and post-processing properties of our proposal. To address the challenge of sampling from a potentially highly restricted discrete space, we devise a pair of unbiased additive mechanisms, the generalized Laplace and the generalized Gaussian mechanisms, by solving the Diophantine equations as defined by the constraints. The proposed mechanisms have good accuracy, with errors exhibiting sub-exponential and sub-Gaussian tail probabilities respectively. To implement our proposal, we design an MCMC algorithm and supply empirical convergence assessment using estimated upper bounds on the total variation distance via $L$-lag coupling. We demonstrate the efficacy of our proposal with applications to a synthetic problem with intersecting invariants, a sensitive contingency table with known margins, and the 2010 Census county-level demonstration data with mandated fixed state population totals.