On Differentially Private Online Predictions
Haim Kaplan, Yishay Mansour, Shay Moran, Kobbi Nissim, Uri Stemmer

TL;DR
This paper introduces an interactive variant of joint differential privacy tailored for online processes, demonstrating its favorable properties and showing that private online learning can be achieved with only polynomial overhead in mistake bounds.
Contribution
It proposes a new interactive joint differential privacy definition and proves that it allows private online learning with polynomial mistake overhead, unlike previous more restrictive notions.
Findings
Interactive joint privacy satisfies group privacy, composition, and post-processing.
Any online learning rule can be privatized with polynomial mistake overhead.
Contrasts with previous notions requiring double exponential overhead.
Abstract
In this work we introduce an interactive variant of joint differential privacy towards handling online processes in which existing privacy definitions seem too restrictive. We study basic properties of this definition and demonstrate that it satisfies (suitable variants) of group privacy, composition, and post processing. We then study the cost of interactive joint privacy in the basic setting of online classification. We show that any (possibly non-private) learning rule can be effectively transformed to a private learning rule with only a polynomial overhead in the mistake bound. This demonstrates a stark difference with more restrictive notions of privacy such as the one studied by Golowich and Livni (2021), where only a double exponential overhead on the mistake bound is known (via an information theoretic upper bound).
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Internet Traffic Analysis and Secure E-voting · Cryptography and Data Security
Haim Kaplan Tel Aviv University and Google Research. [email protected]. Partially supported by Israel Science Foundation (grant 1595/19), and the Blavatnik Family Foundation.
Yishay Mansour Tel Aviv University and Google research. [email protected]. Work partially funded from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program (grant agreement No. 882396), by the Israel Science Foundation (grant number 993/17), Tel Aviv University Center for AI and Data Science (TAD), and the Yandex Initiative for Machine Learning at Tel Aviv University.
Shay Moran Departments of Mathematics and Computer Science, Technion and Google Research. [email protected]. Shay Moran is a Robert J. Shillman Fellow; he acknowledges support by ISF grant 1225/20, by BSF grant 2018385, by an Azrieli Faculty Fellowship, by Israel PBC-VATAT, by the Technion Center for Machine Learning and Intelligent Systems (MLIS), and by the European Union (ERC, GENERALIZATION, 101039692). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Research Council Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.
Kobbi Nissim Department of Computer Science, Georgetown University. [email protected]. Work partially funded by NSF grant No. 2001041 and by a gift to Georgetown University.
Uri Stemmer Tel Aviv University and Google research. [email protected]. Partially supported by the Israel Science Foundation (grant 1871/19) and by Len Blavatnik and the Blavatnik Family foundation.
(February 27, 2023)
1 Introduction
In this work we introduce a new variant of differential privacy (DP) (Dwork et al., 2006), suitable for interactive processes, and design new online learning algorithms that satisfy our definition. As a motivating story, consider a chatbot that continuously improves itself by learning from the conversations it conducts with users. As these conversations might contain sensitive information, we would like to provide privacy guarantees to the users, in the sense that the content of their conversations with the chatbot would not leak. This setting fleshes out the following two requirements.
- (1) Clearly, the answers given by the chatbot to user must depend on the queries made by user . For example, the chatbot should provide different answers when asked by user for the weather forecast in Antarctica, and when asked by for a pasta recipe.
  This is in contrast to the plain formulation of differential privacy, where it is required that all of the mechanism outputs would be (almost) independent of any single user input. Therefore, the privacy requirement we are aiming for is that the conversation of user will remain “hidden” from other users, and would not leak through the other users’ interactions with the chatbot. Moreover, this should remain true even if a “privacy attacker” (aiming to extract information about the conversation user had) conducts many different conversations with the chatbot.
- (2) The interaction with the chatbot is, by design, interactive and adaptive, as it aims to conduct dialogues with the users. This allows the privacy attacker (mentioned above) to choose its queries to the chatbot adaptively. Privacy, hence, needs to be preserved even in the presence of adaptive attackers.
While each of these two requirements was studied in isolation, to the best of our knowledge, they have not been unified into a combined privacy framework. Requirement (1) was formalized by Kearns et al. (2015) as joint differential privacy (JDP). It provides privacy against non-adaptive attackers. Intuitively, in the chatbot example, JDP aims to hide the conversation of user from any privacy attacker that chooses in advance all the queries it poses to the chatbot. This is unsatisfactory since the adaptive nature of this process invites adaptive attackers.
Requirement (2) was studied in many different settings, but to the best of our knowledge, only w.r.t. the plain formulation of DP, where the (adaptive) privacy attacker sees all of the outputs of the mechanism. Works in this vein include (Dwork et al., 2009; Chan et al., 2010; Hardt and Rothblum, 2010; Dwork et al., 2010b; Bun et al., 2017; Kaplan et al., 2021; Jain et al., 2021). In the chatbot example, plain DP would require, in particular, that even the messages sent from the chatbot to user would reveal (almost) no information about . In theory, this could be obtained by making sure that the entire chatbot model is computed in a privacy preserving manner, such that even its full description leaks almost no information about any single user. Then, when user comes, we can “simply” share the model with her, and let her query it locally on her device. But this is likely unrealistic with large models involving hundreds of billions of parameters.
In this work we introduce challenge differential privacy, which can be viewed as an interactive variant of JDP, aimed at maintaining privacy against adaptive privacy attackers. Intuitively, in the chatbot example, our definition would guarantee that even an adaptive attacker that controls all of the users except for user , learns (almost) no information about the conversation user had with the chatbot. We give the formal definition of challenge-DP in Section 3, after surveying the existing variants of differential privacy in Section 2. In addition, we show that challenge-DP is closed under post-processing, composition, and group-privacy (where the first two properties are immediate, and the third is more subtle).
1.1 Private Online Classification
We initiate the study of challenge differential privacy in the basic setting of online classification. Let be the domain, be the label space, and be the set of labeled examples. An online learner is a (possibly randomized) mapping . That is, it is a mapping that maps a finite sequence (the past examples), and an unlabeled example (the current query point) to a label , which is denoted by .
Let be a hypothesis class. A sequence is said to be realizable by if there exists such that for every . For a sequence we write for the random variable denoting the number of mistakes makes during the execution on . That is
[TABLE]
where is the (randomized) prediction of on .
Definition 1.1 (Online Learnability: Realizable Case).
We say that a hypothesis class is online learnable if there exists a learning rule such that $\mathbb{E}\left[\mathcal{M}(\mathcal{A};S)\right]=o(T)$ for every sequence which is realizable by .
Remark 1.2.
Notice that Definition 1.1 corresponds to an oblivious adversary, as it quantifies over the input sequence in advance. This should not be confused with the adversaries considered in the context of privacy which are always adaptive in this work. In the non-private setting, focusing on oblivious adversaries does not affect generality in terms of utility. This is less clear when privacy constraints are involved. (Footnote 1: In particular, Golowich and Livni (2021) studied both oblivious and adaptive adversaries, and obtained very different results in these two cases.) We emphasize that our results (our mistake bounds) continue to hold even when the realizable sequence is chosen by an adaptive (stateful) adversary, that at every point in time chooses the next input to the algorithm based on all of the previous outputs of the algorithm.
A classical result due to Littlestone (1988) characterizes online learnability (without privacy constraints) in terms of the Littlestone dimension. The latter is a combinatorial parameter of which was named after Littlestone by Ben-David et al. (2009).
In particular, Littlestone’s characterization implies the following dichotomy: if has finite Littlestone dimension then there exists a (deterministic) learning rule which makes at most mistakes on every realizable input sequence. In the complementing case, when the Littlestone dimension of is infinite, for every learning rule and every there exists a realizable sequence of length such that $\mathbb{E}\left[\mathcal{M}(\mathcal{A};S)\right]\geq T/2$. In other words, as a function of , the optimal mistake bound is either uniformly bounded by the Littlestone dimension, or it is . Because of this dichotomy, in some places online learnability is defined with respect to a uniform bound on the number of mistakes (and not just a sublinear one as in the above definition). In this work we follow the more general definition.
We investigate the following questions:
Can every online learnable class be learned by an algorithm which satisfies challenge differential privacy? What is the optimal mistake bound attainable by private learners?
Our main result in this part provides an affirmative answer to the first question. We show that for any class with Littlestone dimension there exists an -challenge-DP learning rule which makes at most
[TABLE]
mistakes, with probability , on every realizable sequence of length . Remarkably, our proof provides an efficient transformation taking a non-private learner to a private one: that is, given black-box access to a learning rule which makes at most mistakes in the realizable case, we efficiently construct an -challenge-DP learning rule which makes at most mistakes.
1.1.1 Construction overview
We now give a simplified overview of our construction, called POP, which transforms a non-private online learning algorithm into a private one (while maintaining computational efficiency). Let be a non-private algorithm, guaranteed to make at most mistakes in the realizable setting. We maintain copies of . Informally, in every round we do the following:
1. Obtain an input point .
2. Give to each of the copies of to obtain predicted labels .
3. Output a “privacy preserving” aggregation of , which is some variant of noisy majority. This step will only satisfy our notion of challenge-DP.
4. Obtain the “true” label .
5. Let be chosen at random.
6. Rewind all of the copies of algorithm except for the th copy, so that they “forget” ever seeing .
7. Give the true label to the th copy of .
As we aggregate the predictions given by the copies of using (noisy) majority, we know that if the algorithm errs then at least a constant fraction of the copies of err. As we feed the true label to a random copy, with constant probability, the copy which we do not rewind incurs a mistake at this moment. That is, whenever we make a mistake then with constant probability one of the copies we maintain incurs a mistake. This can happen at most times, since we have copies and each of them makes at most mistakes. This allows us to bound the number of mistakes made by our algorithm (w.h.p.). The privacy analysis is more involved. Intuitively, by rewinding all of the copies of (except one) in every round, we make sure that a single user can affect the inner state of at most one of the copies. This allows us to efficiently aggregate the predictions given by the copies in a privacy preserving manner. The subtle point is that the prediction we release in time does require querying all the experts on the current example (before rewinding them). Nevertheless, we show that this algorithm is private.
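The following sketch of the seven steps above is an added example, not the paper's POP algorithm: it assumes a Halving learner over threshold functions as the non-private rule, 15 copies, and plain Laplace noise of scale 1.0 as the "noisy majority" (all three are illustrative choices, not calibrated to any privacy parameter, and the helper names are hypothetical). It checks the two facts the overview relies on: each copy stays within its own mistake bound, and replacing one user's example changes the state of at most one copy, so the vote count in every other round moves by at most 1.

```python
import random

N = 1023            # hypotheses are thresholds t in {0..N}: h_t(x) = 1 iff x >= t
MISTAKE_BOUND = 10  # Halving errs at most log2(N + 1) = 10 times on realizable data


class Halving:
    """Non-private learner (assumed here); version space is the interval [lo, hi]."""

    def __init__(self):
        self.lo, self.hi = 0, N

    def predict(self, x):
        total = self.hi - self.lo + 1
        ones = max(0, min(self.hi, x) - self.lo + 1)  # consistent t with t <= x
        return 1 if 2 * ones >= total else 0          # majority of version space

    def update(self, x, y):
        if y == 1:
            self.hi = min(self.hi, x)       # label 1 means t <= x
        else:
            self.lo = max(self.lo, x + 1)   # label 0 means t > x


def laplace(rng, scale):
    # The difference of two exponential draws is Laplace-distributed.
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def make_sequence(length, target, seed):
    """Constructed realizable input: random points labelled by h_target."""
    rng = random.Random(seed)
    xs = [rng.randrange(N) for _ in range(length)]
    return [(x, int(x >= target)) for x in xs]


def run_pop(sequence, k=15, noise_scale=1.0, seed=0):
    rng = random.Random(seed)  # the mechanism's coins never depend on the data
    copies = [Halving() for _ in range(k)]
    votes_log, copy_mistakes, mistakes = [], [0] * k, 0
    for x, y in sequence:                          # steps 1 and 4
        preds = [c.predict(x) for c in copies]     # step 2: query every copy
        votes = sum(preds)
        noisy = votes + laplace(rng, noise_scale)  # step 3: noisy majority
        mistakes += int((1 if noisy >= k / 2 else 0) != y)
        j = rng.randrange(k)                       # step 5: pick one copy
        # Steps 6-7: predict() does not mutate a copy, so "rewinding" the
        # others amounts to never showing them (x, y); only copy j learns.
        copy_mistakes[j] += int(preds[j] != y)
        copies[j].update(x, y)
        votes_log.append(votes)
    return {"mistakes": mistakes, "copy_mistakes": copy_mistakes,
            "votes": votes_log, "states": [(c.lo, c.hi) for c in copies]}


def neighbor_effect(sequence, i, target, **kw):
    """Replace one user's example (round i) and rerun with the same coins."""
    alt = list(sequence)
    x2 = (sequence[i][0] + 37) % N
    alt[i] = (x2, int(x2 >= target))
    a, b = run_pop(sequence, **kw), run_pop(alt, **kw)
    changed = sum(s != t for s, t in zip(a["states"], b["states"]))
    gap = max(abs(u - v) for r, (u, v) in
              enumerate(zip(a["votes"], b["votes"])) if r != i)
    return changed, gap


if __name__ == "__main__":
    seq = make_sequence(2000, target=417, seed=1)
    result = run_pop(seq)
    print("aggregate mistakes:", result["mistakes"])
    print("worst copy mistakes:", max(result["copy_mistakes"]))
    print("(copies changed, max vote gap):", neighbor_effect(seq, 5, 417))
```

The comparison uses a fixed (non-adaptive) input sequence, so it illustrates the sensitivity argument only; the adaptive game is what the formal definition in Section 3 addresses.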
1.1.2 Comparison with Golowich and Livni (2021)
The closest prior work to this manuscript is by Golowich and Livni who also studied the problem of private online classification, but under a more restrictive notion of privacy than challenge-DP. In particular their definition requires that the sequence of predictors which the learner uses to predict in each round does not compromise privacy. In other words, it is as if at each round the learner publishes the entire truth-table of its predictor, rather than just its current prediction. This might be too prohibitive in certain applications such as the chatbot example illustrated above. Golowich and Livni show that even with respect to their more restrictive notion of privacy it is possible to online learn every Littlestone class. However, their mistake bound is doubly exponential in the Littlestone dimension (whereas ours is quadratic), and their construction requires more elaborate access to the non-private learner. In particular, it is not clear whether their construction can be implemented efficiently.
1.2 Additional Related Work
Several works studied the related problem of private learning from expert advice (Dwork et al., 2010a; Jain et al., 2012; Thakurta and Smith, 2013; Dwork and Roth, 2014; Jain and Thakurta, 2014; Agarwal and Singh, 2017; Asi et al., 2022). These works study a variant of the experts problem in which the learning algorithm has access to experts; on every time step the learning algorithm chooses one of the experts to follow, and then observes the loss of each expert. The goal of the learning algorithm is that its accumulated loss will be competitive with the loss of the best expert in hindsight. In this setting the private data is the sequence of losses observed throughout the execution, and the privacy requirement is that the sequence of experts chosen by the algorithm should not compromise the privacy of the sequence of losses. (Footnote 2: Asi et al. (2022) study a more general framework of adaptive privacy in which the private data is an auxiliary sequence . During the interaction with the learner, these ’s are used (possibly in an adaptive way) to choose the sequence of loss functions.) When applying these results to our context, the set of experts is the set of hypotheses in the class , which means that the outcome of the learner (on every time step) is a complete model (i.e., a hypothesis). That is, in our context, applying prior works on private prediction from expert advice would result in a privacy definition similar to that of Golowich and Livni (2021) that accounts (in the privacy analysis) for releasing complete models, rather than just the predictions, which is significantly more restrictive.
There were a few works that studied private learning in online settings under the constraint of JDP. For example, Shariff and Sheffet (2018) studied the stochastic contextual linear bandits problem under JDP. Here, in every round the learner receives a context , then it selects an action (from a fixed set of actions), and finally it receives a reward which depends on in a linear way. The learner’s objective is to maximize cumulative reward. The (non-adaptive) definition of JDP means that action is revealed only to user . Furthermore, it guarantees that the inputs of user (specifically the context and the reward ) do not leak to the other users via the actions they are given, provided that all these other users fix their data in advance. This non-adaptive privacy notion fits the stochastic setting of Shariff and Sheffet (2018), but (we believe) is less suited for adversarial processes like the ones we consider in this work. We also note that the algorithm of Shariff and Sheffet (2018) in fact satisfies the more restrictive privacy definition which applies to the sequence of predictors (rather than the sequence of predictions), similarly to that of Golowich and Livni (2021).
A parallel (unpublished) work by Nissim et al. studied a related setting, which can be viewed as an “evolving” variant of the private PAC learning model. They also use an adaptive variant of JDP, similar to our notion of privacy, which is tailored to their stochastic setting.
2 Preliminaries
Notation.
Two datasets and are called neighboring if one is obtained from the other by adding or deleting one element, e.g., . For two random variables we write to mean that for every event it holds that , and . Throughout the paper we assume that the privacy parameter satisfies , but our analyses trivially extend to larger values of epsilon.
The standard definition of differential privacy is,
Definition 2.1 (Dwork et al., 2006).
Let be a randomized algorithm that operates on datasets. Algorithm is -differentially private (DP) if for any two neighboring datasets we have .
The Laplace mechanism.
The most basic constructions of differentially private algorithms are via the Laplace mechanism as follows.
Definition 2.2.
A random variable has probability distribution if its probability density function is , where .
Definition 2.3 (Sensitivity).
A function that maps datasets to the reals has sensitivity if for every two neighboring datasets and it holds that .
Theorem 2.4 (The Laplace Mechanism (Dwork et al., 2006)).
Let be a function that maps datasets to the reals with sensitivity . The mechanism that on input adds noise with distribution to the output of preserves -differential privacy.
Joint differential privacy.
The standard definition of differential privacy (Definition 2.1) captures a setting in which the entire output of the computation may be publicly released without compromising privacy. While this is a very desirable requirement, it is sometimes too restrictive. Indeed, Kearns et al. (2015) considered a relaxed setting in which we aim to analyze a dataset , where every represents the information of user , and to obtain a vector of outcomes . This vector, however, is not made public. Instead, every user only receives its “corresponding outcome” . This setting potentially allows the outcome to strongly depend on the input , without compromising the privacy of the th user from the viewpoint of the other users.
Definition 2.5 (Kearns et al., 2015).
Let be a randomized algorithm that takes a dataset and outputs a vector . Algorithm satisfies -joint differential privacy (JDP) if for every and every two datasets differing only on their th point it holds that . Here denotes the (random) vector of length obtained by running and returning .
In words, consider an algorithm that operates on the data of individuals and outputs outcomes . This algorithm is JDP if changing only the th input point has almost no effect on the outcome distribution of the other outputs (but the outcome distribution of is allowed to strongly depend on ). Kearns et al. (2015) showed that this setting fits a wide range of problems in economic environments.
Example 2.6 (Nahmias et al., 2019).
Suppose that a city water corporation is interested in promoting water conservation. To do so, the corporation decided to send each household a customized report indicating whether their water consumption is above or below the median consumption in the neighborhood. Of course, this must be done in a way that protects the privacy of the neighbors. One way to tackle this would be to compute a privacy preserving estimation for the median consumption (satisfying Definition 2.1). Then, in each report, we could safely indicate whether the household’s water consumption is bigger or smaller than . While this solution is natural and intuitive, it turns out to be sub-optimal: We can obtain better utility by designing a JDP algorithm that directly computes a different outcome for each user (“above” or “below”), which is what we really aimed for, without going through a private median computation.
Algorithm AboveThreshold.
Consider a large number of low sensitivity functions which are given (one by one) to a data curator (holding a dataset ). Algorithm AboveThreshold allows for privately identifying the queries whose value is (roughly) greater than some threshold .
Even though the number of possible rounds is unbounded, algorithm AboveThreshold preserves differential privacy. Note, however, that AboveThreshold is an interactive mechanism, while the standard definition of differential privacy (Definition 2.1) is stated for non-interactive mechanisms, that process their input dataset, release an output, and halt. The adaptation of DP to such interactive settings is done via a game between the (interactive) mechanism and an adversary that specifies the inputs to the mechanism and observes its outputs. Intuitively, the privacy requirement is that the view of the adversary at the end of the execution should be differentially private w.r.t. the inputs given to the mechanism. Formally,
Definition 2.7 (DP under adaptive queries (Dwork et al., 2006; Bun et al., 2017)).
Let be a mechanism that takes an input dataset and answers a sequence of adaptively chosen queries (specified by an adversary and chosen from some family of possible queries). Mechanism is -differentially private if for every adversary we have that (defined below) is -differentially private (w.r.t. its input bit ).
Theorem 2.8 (Dwork et al., 2009; Hardt and Rothblum, 2010; Kaplan et al., 2021).
Algorithm AboveThreshold is -differentially private.
A private counter.
In the setting of algorithm AboveThreshold, the dataset is fixed in the beginning of the execution, and the queries arrive sequentially one by one. Dwork et al. (2010a) and Chan et al. (2010) considered a different setting, in which the data arrives sequentially. In particular, they considered the counter problem where in every time step we obtain an input bit (representing the data of user ) and must immediately respond with an approximation for the current sum of the bits. That is, at time we wish to release an approximation for .
Similarly to our previous discussion, this is an interactive setting, and privacy is defined via a game between a mechanism and an adversary that adaptively determines the inputs for the mechanism.
Definition 2.9 (DP under adaptive inputs (Dwork et al., 2006, 2010a; Chan et al., 2010; Kaplan et al., 2021; Jain et al., 2021)).
Let be a mechanism that in every round obtains an input point (representing the information of user ) and outputs a response . Mechanism is -differentially private if for every adversary we have that (defined below) is -differentially private (w.r.t. its input bit ).
Theorem 2.10 (Private counter (Dwork et al., 2010a; Chan et al., 2010; Jain et al., 2021)).
There exists a mechanism that in each round obtains an input bit and outputs a response with the following properties:
1. is -differentially private (as in Definition 2.9).
2. Let denote the random coins of . Then there exists an event such that: (1) , and (2) Conditioned on every , for every input sequence , the answers satisfy
[TABLE]
3 Challenge Differential Privacy
We now introduce the privacy definition we consider in this work. Intuitively, the requirement is that even an adaptive adversary controlling all of the users except Alice, cannot learn much information about the interaction Alice had with the algorithm.
Definition 3.1.
Consider an algorithm that, in each round obtains an input point , outputs a “predicted” label , and obtains a “true” label . We say that algorithm is -challenge differentially private if for any adversary we have that , defined below, is -differentially private (w.r.t. its input bit ).
Remark 3.2.
For readability, we have simplified Definition 3.1 and tailored it to the setting of online learning. Our algorithms satisfy a stronger variant of the definition, in which the adversary may adaptively choose the “true” labels also based on the “predicted” labels . See Appendix A for the generalized definition.
Composition and post-processing.
Composition and post-processing for challenge-DP follow immediately from their analogues for (standard) DP. Formally, composition is defined via the following game, called CompositionGame, in which a “meta adversary” is trying to guess an unknown bit . The meta adversary is allowed to (adaptively) invoke executions of the game specified in Algorithm 4, where all of these executions are done with the same (unknown) bit . See Algorithm 5. The following theorem follows immediately from standard composition theorems for differential privacy (Dwork et al., 2010b).
Theorem 3.3 (special case of (Dwork et al., 2010b)).
For every , every and every it holds that is -differentially private (w.r.t. the input bit ) for
[TABLE]
Group privacy.
We show that challenge-DP is closed under group privacy. This is more subtle than the composition argument. In fact, we first need to define what we mean by “group privacy” in the context of challenge-DP. This is done using the parameter in algorithm OnlineGame.
Theorem 3.4.
Let be an algorithm that in each round obtains an input point , outputs a “predicted” label , and obtains a “true” label . If is -challenge-DP then for every and every adversary (posing at most challenges) we have that is -differentially private.
Proof.
Fix and fix an adversary (that poses at most challenge rounds). We consider a sequence of games , where is defined as follows.
1. Initialize algorithm and the adversary .
2. For round :
   (a) Obtain a challenge indicator and two labeled inputs and from .
   (b) If then set . Otherwise set .
   (c) Feed to algorithm , obtain an outcome , and feed it .
   (d) If then set . Otherwise set .
   (e) Give to .
3. Output and the internal randomness of .
That is, simulates the online game between and , where during the first challenge rounds algorithm is given , and in the rest of the challenge rounds algorithm is given . Note that
[TABLE]
We claim that for every it holds that . To this end, fix and consider an adversary , that poses at most one challenge, defined as follows. Algorithm runs internally. In every round , algorithm obtains from a challenge bit and two labeled inputs and . As long as did not pose its th challenge, algorithm outputs . During the round in which poses its th challenge, algorithm outputs . This is the challenge round posed by algorithm . In every round afterwards, algorithm outputs . When algorithm obtains an answer it sets $\tilde{\tilde{y}}_{i}=\begin{cases}\tilde{y}_{i}, & \text{if } c_{i}=0\\ \bot, & \text{if } c_{i}=1\end{cases}$ and gives $\tilde{\tilde{y}}_{i}$ to algorithm .
As is an adversary that poses (at most) one challenge, by the privacy properties of we know that is -DP. Recall that the output of includes all of the randomness of , as well as the answers generated throughout the game. This includes the randomness of (which runs internally), and hence, determines also all of the $\tilde{\tilde{y}}_{i}$’s defined by throughout the interaction. Let be a post-processing procedure that takes the output of and returns the randomness of as well as $(\tilde{\tilde{y}}_{1},\dots,\tilde{\tilde{y}}_{T})$. By closure of DP to post-processing, we have that
[TABLE]
Now note that
[TABLE]
and hence . Overall we have that
[TABLE]
This shows that is -differentially private, thereby completing the proof. ∎
4 Online Classification under Challenge Differential Privacy
Towards presenting our private online learner, we introduce a variant of algorithm AboveThreshold with additional guarantees, which we call ChallengeAT. Recall that AboveThreshold “hides” arbitrary modifications to a single input point. Intuitively, the new variant we present aims to hide both an arbitrary modification to a single input point and an arbitrary modification to a single query throughout the execution. Consider algorithm ChallengeAT.
Remark 4.1.
When we apply ChallengeAT, it sets . Technically, for this it has to know and . To simplify the description this is not explicit in our algorithms.
The utility guarantees of ChallengeAT are straightforward. The following theorem follows by bounding (w.h.p.) all the noises sampled throughout the execution (when instantiating ChallengeAT with the private counter from Theorem 2.10). (Footnote 3: The event occurs when all the Laplace noises of the counter and ChallengeAT are within a factor of of their expectation.)
Theorem 4.2.
Let denote the random coins of ChallengeAT. Then there exists an event such that: (1) , and (2) Conditioned on every , for every input dataset and every sequence of queries it holds that
1. Algorithm ChallengeAT does not halt before the th time in which it outputs .
2. For every such that it holds that
3. For every such that it holds that
where is the error of the counter of Theorem 2.10.
The privacy guarantees of ChallengeAT are defined via a game with an adversary whose goal is to guess a secret bit . At the beginning of the game, the adversary chooses two neighboring datasets , and ChallengeAT is instantiated with . Then throughout the game the adversary specifies queries and observes the output of ChallengeAT on these queries. At some special round , chosen by the adversary, the adversary specifies two queries , where only is fed into ChallengeAT. In round the adversary does not get to see the answer of ChallengeAT on (otherwise it could easily learn the bit since may be very different). The formal statement of this game is given in algorithm .
Theorem 4.3.
For every adversary it holds that is -DP w.r.t. the bit (the input of the game).
Proof.
Fix an adversary . Let CATG denote the algorithm with this fixed . Consider a variant of algorithm CATG, which we call defined as follows. During the challenge round , inside the call to ChallengeAT, instead of feeding to the PrivateCounter we simply feed it 0 (in Step 3d of ChallengeAT).
By the privacy properties of PrivateCounter (Theorem 2.10), for every we have that
[TABLE]
so it suffices to show that is DP (w.r.t. ). Now observe that the execution of PrivateCounter during the execution of can be simulated from the view of the adversary (the only bit that ChallengeAT feeds the counter which is not in the view of the adversary is the one of the challenge round which we replaced by zero in ). Hence, we can generate the view of in algorithm CATG by interacting with AboveThreshold instead of with ChallengeAT. This is captured by algorithm .
This algorithm is almost identical to , except for the fact that AboveThreshold might halt the execution itself (even without the halting condition on the outcome of PrivateCounter). However, by the utility guarantees of PrivateCounter, with probability at least it never errs by more than , in which case algorithm AboveThreshold never halts prematurely. Hence, for every bit we have that
[TABLE]
So it suffices to show that is DP (w.r.t. its input bit ). This almost follows directly from the privacy guarantees of AboveThreshold, since interacts only with this algorithm, except for the fact that during the challenge round the adversary specifies two queries (and only one of them is fed into AboveThreshold). To bridge this gap, we consider one more (and final) modification to the algorithm, called . This algorithm is identical to , except that in Step 4c we do not feed to AboveThreshold if . That is, during the challenge round we do not interact with AboveThreshold.
Now, by the privacy properties of AboveThreshold we have that is DP (w.r.t. its input bit ). Furthermore, when algorithm AboveThreshold does not halt prematurely, we have that is identical to . Therefore, for every bit we have
[TABLE]
Overall we get that
[TABLE]
∎
4.1 Algorithm POP
We are now ready to present our private online prediction algorithm. Consider algorithm POP (see Algorithm 9).
We now analyze the privacy guarantees of POP.
Theorem 4.4.
Algorithm POP is -Challenge-DP. That is, for every adversary it holds that is -DP w.r.t. the bit (the input of the game).
Proof.
Let be an adversary that plays in OnlineGame against POP, posing at most 1 challenge. That is, at one time step , the adversary specifies two inputs , algorithm POP processes , and the adversary does not see the prediction at this time step. We need to show that the view of the adversary is DP w.r.t. the bit . To show this, we observe that the view of can be generated (up to a small statistical distance of ) by interacting with ChallengeAT as in the game ChallengeAT-Game. Formally, consider the following adversary that simulates while interacting with ChallengeAT instead of POP.
As only interacts with ChallengeAT, its view at the end of the execution (which includes the view of the simulated ) is DP w.r.t. the bit . Furthermore, the view of the simulated generated in this process is almost identical to the view of had it interacted directly with POP. Specifically, the only possible difference is that the computation of in Step 3(e)ii of might not be well-defined. But this does not happen when ChallengeAT maintains correctness, which holds with probability at least .
Overall, letting $\texttt{ChallengeAT-Game}_{\hat{\mathcal{B}}|_{\mathcal{B}}}$ denote the view of the simulated at the end of the interaction of with ChallengeAT, we have that
[TABLE]
∎
We proceed with the utility guarantees of POP. See Appendix C for an extension to the agnostic setting.
Theorem 4.5.
When executed with a learner that makes at most mistakes and with parameters and , then with probability at least the number of mistakes made by algorithm POP is bounded by
Proof.
By Theorem 4.2, with probability over the internal coins of ChallengeAT, for every input sequence, its answers are accurate up to error of
[TABLE]
where in our case, the sensitivity is , and the error of the counter is at most by Theorem 2.10. We continue with the proof assuming that this event occurs. Furthermore, we set , large enough, such that if less than the experts disagree with the other experts, then algorithm POP returns the majority vote with probability 1.
Consider the execution of algorithm POP and define -Err to be a random variable that counts the number of time steps in which at least th of the experts make an error. That is,
[TABLE]
We also define the random variable
[TABLE]
That is, expertAdvance counts the number of time steps in which the random expert we choose (the th expert) errs. Note that the th expert is the expert that gets the “true” label as feedback. As we run experts, and as each of them is guaranteed to make at most mistakes, we get that
[TABLE]
We now show that with high probability 1/5-Err is not much larger than . Let be a time step in which at least fraction of the experts err. As the choice of (the expert we update) is random, then with probability at least the chosen expert also errs. It is therefore unlikely that 1/5-Err is much larger than , which is bounded by . Specifically, by standard concentration arguments (see Appendix B for the precise version we use) it holds that
[TABLE]
Note that when at least of the experts disagree with other experts then at least of the experts err. It follows that 1/5-Err upper bounds the number of times in which algorithm ChallengeAT returns an “above threshold” answer. Hence, by setting we ensure that w.h.p. algorithm ChallengeAT does not halt prematurely (and hence POP does not either).
Furthermore, our algorithm errs either when there is a large disagreement between the experts or when all experts err. It follows that 1/5-Err also upper bounds the number of times in which our algorithm errs.
Overall, by setting we ensure that POP does not halt prematurely, and by setting we ensure that POP does not err too many times throughout the execution. Combining the requirement on and on , it suffices to take
[TABLE]
in which case algorithm POP makes at most with high probability. ∎
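The counting argument of this proof, as an added Python simulation that is not code from the paper: rounds in which at least a 1/5 fraction of the experts err are counted against the total mistake budget of the experts, which shrinks only when the randomly chosen expert is one of those that err. The fraction 1/5 is read off the name 1/5-Err; the adversary's strategy, the symbols `k` (number of experts) and `d` (mistake bound per expert) and the function names are assumptions made for illustration.

```python
import random

def play_budget_game(k, d, rng):
    """One run of the counting argument with k experts and mistake bound d.
    Returns (bad_rounds, expert_advance)."""
    budget = [d] * k                  # mistakes each expert may still make
    need = -(-k // 5)                 # ceil(k/5) experts err in a counted round
    bad_rounds = expert_advance = 0
    while True:
        alive = [i for i in range(k) if budget[i] > 0]
        if len(alive) < need:         # a 1/5 fraction can no longer err
            return bad_rounds, expert_advance
        # Assumed adversary: the ceil(k/5) experts with most budget left err.
        erring = set(sorted(alive, key=lambda i: -budget[i])[:need])
        bad_rounds += 1
        chosen = rng.randrange(k)     # the expert that gets the true label
        if chosen in erring:          # happens with probability >= 1/5
            budget[chosen] -= 1
            expert_advance += 1

def run_trials(k, d, trials, seed):
    """Repeat the game with one seeded generator (constructed sample runs)."""
    rng = random.Random(seed)
    return [play_budget_game(k, d, rng) for _ in range(trials)]

def worst_ratio(results, k, d):
    """Largest observed bad_rounds / (k * d) over all runs."""
    return max(bad for bad, _ in results) / (k * d)
```

In every run `expert_advance` is at most `k * d` by construction, while `bad_rounds` concentrates around five times that budget, which is the shape of the bound the proof derives.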
Appendix A General Variant of challenge-DP
Definition A.1.
Consider an algorithm that, in each phase , conducts an arbitrary interaction with the th user. We say that algorithm is -challenge differentially private if for any adversary we have that , defined below, is -differentially private (w.r.t. its input bit ).
Appendix B A Coin Flipping Game
Consider algorithm 12 which specifies an -round “coin flipping game” against an adversary . In this game, the adversary adaptively chooses the biases of the coins we flip. In every flip, the adversary might gain a reward or incur a “budget loss”. The adversary aims to maximize the rewards it collects before its budget runs out.
The next theorem states that no adversary can obtain reward much larger than in this game. Intuitively, this holds because in every time step , the probability of is not much smaller than the probability that , then (w.h.p.) it is very unlikely that the number of rewards would be much larger than .
Theorem B.1 ([Gupta et al., 2010, Kaplan et al., 2021]).
For every adversary’s strategy, every , every , and every , we have
[TABLE]
Appendix C Extension to the Agnostic Case
In this section we extend the analysis of POP to the agnostic setting. We use the tilde-notation to hide logarithmic factors in .
Theorem C.1 ([Ben-David et al., 2009]).
For any hypothesis class and scalar there exists an online learning algorithm such that for any sequence satisfying the predictions given by the algorithm satisfy
[TABLE]
Definition C.2.
For parameters , let denote a variant of POP in which we halt the execution after the th time in which we err, for some arbitrary value . (Note that the execution might halt even before that, by the halting condition of POP itself.) This could be done while preserving privacy (for appropriate values of ) by using the counter of Theorem 2.10 for privately counting the number of mistakes.
Lemma C.3.
Let be a hypothesis class with , and let denote the non-private algorithm from Theorem C.1 with . Denote , , and . Consider executing with and with parameters on an adaptively chosen sequence of inputs , where denotes the time at which halts. Then, with probability at least it holds that
[TABLE]
Proof sketch.
Similarly to the proof of Theorem 4.5, we set , and assume that if less than the experts disagree with the other experts, then algorithm returns the majority vote with probability 1.
Let -Err denote the random variable that counts the number of time steps in which at least th of the experts make an error. As in the proof of Theorem 4.5, -Err upper bounds both the number of mistakes made by , which we denote by , as well as the number of times in which algorithm ChallengeAT returns an “above threshold” answer, which we denote by . By Theorem 4.2, we know that (w.h.p.) . Also let denote the largest number of mistakes made by a single expert.
Consider the time at which halts. If it halts because mistakes have been made, then
[TABLE]
Alternatively, if halts after “above threshold” answer, then
[TABLE]
In any case, when halts it holds that at least one expert made at least mistakes. Therefore, by Theorem C.1, we have that .
∎
Theorem C.4.
Let be a hypothesis class with . There exists an -Challenge-DP online learning algorithm providing the following guarantee. When executed on an adaptively chosen sequence of inputs , then the algorithm makes at most mistakes (w.h.p.), where
[TABLE]
Proof sketch.
This is obtained by repeatedly re-running , with the parameter setting specified in Lemma C.3. We refer to the time span of every single execution of as a phase.
By construction, in every phase, makes at most mistakes. By Lemma C.3 every hypothesis in makes at least mistakes in this phase. Therefore, there could be at most phases, during which we incur a total of at most mistakes. ∎
References
- Agarwal and Singh [2017] Naman Agarwal and Karan Singh. The price of differential privacy for online learning. In ICML, volume 70 of Proceedings of Machine Learning Research, pages 32–40. PMLR, 06–11 Aug 2017.
- Asi et al. [2022] Hilal Asi, Vitaly Feldman, Tomer Koren, and Kunal Talwar. Private online prediction from experts: Separations and faster rates. CoRR, abs/2210.13537, 2022.
- Ben-David et al. [2009] Shai Ben-David, Dávid Pál, and Shai Shalev-Shwartz. Agnostic online learning. In COLT, 2009.
- Bun et al. [2017] Mark Bun, Thomas Steinke, and Jonathan Ullman. Make up your mind: The price of online queries in differential privacy. In Proceedings of the twenty-eighth annual ACM-SIAM symposium on discrete algorithms, pages 1306–1325. SIAM, 2017.
- Chan et al. [2010] T.-H. Hubert Chan, Elaine Shi, and Dawn Song. Private and continual release of statistics. In ICALP (2), volume 6199 of Lecture Notes in Computer Science, pages 405–417. Springer, 2010.
- Dwork and Roth [2014] Cynthia Dwork and Aaron Roth. The algorithmic foundations of differential privacy. Foundations and Trends in Theoretical Computer Science, 9(3-4):211–407, 2014.
- Dwork et al. [2006] Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. Calibrating noise to sensitivity in private data analysis. In TCC, pages 265–284, 2006.
- Dwork et al. [2009] Cynthia Dwork, Moni Naor, Omer Reingold, Guy N. Rothblum, and Salil P. Vadhan. On the complexity of differentially private data release: efficient algorithms and hardness results. In STOC, pages 381–390, 2009.
