Counting Distinct Elements in the Turnstile Model with Differential Privacy under Continual Observation
Palak Jain, Iden Kalemaj, Sofya Raskhodnikova, Satchit Sivakumar, Adam Smith
TL;DR
This paper analyzes counting distinct elements under continual differential privacy in the turnstile model, revealing a rich landscape where deletions cause high sensitivity and hard lower bounds. It introduces the maximum flippancy parameter $w_x$ to capture how often an element’s contribution to the distinct count flips, and provides an item-level private mechanism with additive error $O\left(\sqrt{w_x}\cdot\text{polylog }T\right)$ that adapts without prior knowledge of $w_x$. The authors prove tight (up to polylog factors) lower bounds for event-level DP in many regimes and establish a close match between upper and lower bounds for item-level DP, including a lower bound of at least $T^{1/4}$ in some settings. The work connects private continual counting to foundational DP lower bounds via reductions from InnerProducts and Marginals, and proposes a practical, adaptive strategy that remains polylogarithmic in $T$ when the maximum flippancy is small, offering insights into privacy-preserving streaming analytics in dynamic datasets.
Abstract
Privacy is a central challenge for systems that learn from sensitive data sets, especially when a system's outputs must be continuously updated to reflect changing data. We consider the achievable error for differentially private continual release of a basic statistic - the number of distinct items - in a stream where items may be both inserted and deleted (the turnstile model). With only insertions, existing algorithms have additive error just polylogarithmic in the length of the stream $T$. We uncover a much richer landscape in the turnstile model, even without considering memory restrictions. We show that every differentially private mechanism that handles insertions and deletions has worst-case additive error at least $T^{1/4}$ even under a relatively weak, event-level privacy definition. Then, we identify a parameter of the input stream, its maximum flippancy, that is low for natural data streams and for which we give tight parameterized error guarantees. Specifically, the maximum flippancy is the largest number of times that the contribution of a single item to the distinct elements count changes over the course of the stream. We present an item-level differentially private mechanism that, for all turnstile streams with maximum flippancy $w$, continually outputs the number of distinct elements with an $O(\sqrt{w} \cdot poly\log T)$ additive error, without requiring prior knowledge of $w$. We prove that this is the best achievable error bound that depends only on $w$, for a large range of values of $w$. When $w$ is small, the error of our mechanism is similar to the polylogarithmic in $T$ error in the insertion-only setting, bypassing the hardness in the turnstile model.