Personalized Privacy Amplification via Importance Sampling

Dominik Fay, Sebastian Mair, Jens Sjölund

TL;DR

This work studies how data-dependent importance sampling interacts with differential privacy by introducing Poisson importance sampling and a personalized DP framework. It derives a PDP-based amplification rule and shows that a thoughtful sampling distribution can align privacy with utility while reducing sample size, yielding two practical strategies: privacy-constrained sampling and coreset-based sampling. Applied to differentially private k-means (DP-Lloyd), the authors develop weighted DP-Lloyd and lightweight coreset-based sampling, establishing DP guarantees and favorable empirical trade-offs between privacy budget, computation, and clustering accuracy across eight real datasets. The results indicate that importance sampling can outperform uniform subsampling in both privacy and utility, with potential for one-shot subsampling and extensions to streaming, federated, and fairness-aware contexts.

Abstract

For scalable machine learning on large data sets, subsampling a representative subset is a common approach for efficient model training. This is often achieved through importance sampling, whereby informative data points are sampled more frequently. In this paper, we examine the privacy properties of importance sampling, focusing on an individualized privacy analysis. We find that, in importance sampling, privacy is well aligned with utility but at odds with sample size. Based on this insight, we propose two approaches for constructing sampling distributions: one that optimizes the privacy-efficiency trade-off; and one based on a utility guarantee in the form of coresets. We evaluate both approaches empirically in terms of privacy, efficiency, and accuracy on the differentially private $k$-means problem. We observe that both approaches yield similar outcomes and consistently outperform uniform sampling across a wide range of data sets. Our code is available on GitHub: https://github.com/smair/personalized-privacy-amplification-via-importance-sampling

Paper Structure

This paper contains 18 sections, 12 theorems, 28 equations, 7 figures, 3 tables, 3 algorithms.

Key Result

Proposition 3

Let $\mathcal{D}$ be a data set of size $n$, $\mathcal{S}$ be a subset of $\mathcal{D}$ where every $\mathbf{x}$ has a constant probability $p$ of being independently sampled, i.e., $q(\mathbf{x})=p\in(0,1]$, and $\mathcal{M}$ be an $\epsilon$-DP mechanism. Then, $\mathcal{M}(\mathcal{S})$ satisfies

Figures (7)

  • Figure 1: Illustration of three subsampling strategies for the learning task of $k$-means clustering on the Song data set. We show a scatter plot of the first two principal components of the sampled points. The marker size is proportional to the importance weight, while the color represents the individual privacy loss before sampling. Left: Our privacy-constrained sampling selects data points with higher individual privacy loss more frequently and with lower weight. Middle: Coreset-based sampling selects data points based on their potential impact on the objective function. Right: Uniform sampling selects data points with equal probability.
  • Figure 2: Comparison of sampling strategies for the Laplace sum mechanism. Left: The importance weight for each data point. Each marker in the plot represents one data point. The points are ordered by their $\ell_1$-norm. Right: Estimation error for varying noise scales. Lower is better. The horizontal axis is the maximum PDP loss over the data set.
  • Figure 3: The trade-off between the privacy parameter $\epsilon$ and the total cost of DP-Lloyd on KDD-Protein, RNA, Song, and Covertype data. Non-private counterparts ($\epsilon=\infty$) are shown for reference. Lower is better on both axes. The $\epsilon$-axis is in log-scale.
  • Figure 4: The trade-off between subsample size $m$ and the total cost of DP-Lloyd for fixed privacy parameters $\epsilon\in\{3, 100\}$ on KDD-Protein, RNA, Song, and Covertype data. The performance of DP-Lloyd on the full data is shown for reference. Lower is better on both axes.
  • Figure 5: Left: Total relative computation times (left $y$-axis) and relative subset sizes (right $y$-axis) as functions of subsample sizes $m$ for five data sets. Right: Relative computation times decomposed into weight computation, sampling, and DP-Lloyd for the Covertype data and a subsample size of $m=20000$.
  • ...and 2 more figures

Theorems & Definitions (24)

  • Definition 1: $\epsilon$-indistinguishability
  • Definition 2: $\epsilon$-DP
  • Proposition 3: Privacy Amplification by Subsampling
  • Definition 4: Personalized differential privacy
  • Definition 5: Poisson Importance Sampling
  • Theorem 6: Amplification by Importance Sampling
  • Theorem 7
  • Proposition 7
  • Proposition 7
  • Definition 8: Lightweight coreset
  • ...and 14 more