Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A novel analysis of utility in privacy pipelines, using Kronecker products and quantitative information flow

Mário S. Alvim, Natasha Fernandes, Annabelle McIver, Carroll Morgan, Gabriel H. Nunes

TL;DR

This work combines Kronecker products, and quantitative information flow, to give a novel formal analysis for the fine-grained verification of utility in complex privacy pipelines, and offers the prospect of formal-analysis tools for utility that complement extant formal analyses of privacy.

Abstract

We combine Kronecker products, and quantitative information flow, to give a novel formal analysis for the fine-grained verification of utility in complex privacy pipelines. The combination explains a surprising anomaly in the behaviour of utility of privacy-preserving pipelines -- that sometimes a reduction in privacy results also in a decrease in utility. We use the standard measure of utility for Bayesian analysis, introduced by Ghosh at al., to produce tractable and rigorous proofs of the fine-grained statistical behaviour leading to the anomaly. More generally, we offer the prospect of formal-analysis tools for utility that complement extant formal analyses of privacy. We demonstrate our results on a number of common privacy-preserving designs.

A novel analysis of utility in privacy pipelines, using Kronecker products and quantitative information flow

TL;DR

This work combines Kronecker products, and quantitative information flow, to give a novel formal analysis for the fine-grained verification of utility in complex privacy pipelines, and offers the prospect of formal-analysis tools for utility that complement extant formal analyses of privacy.

Abstract

We combine Kronecker products, and quantitative information flow, to give a novel formal analysis for the fine-grained verification of utility in complex privacy pipelines. The combination explains a surprising anomaly in the behaviour of utility of privacy-preserving pipelines -- that sometimes a reduction in privacy results also in a decrease in utility. We use the standard measure of utility for Bayesian analysis, introduced by Ghosh at al., to produce tractable and rigorous proofs of the fine-grained statistical behaviour leading to the anomaly. More generally, we offer the prospect of formal-analysis tools for utility that complement extant formal analyses of privacy. We demonstrate our results on a number of common privacy-preserving designs.
Paper Structure (43 sections, 15 theorems, 38 equations, 4 figures, 3 algorithms)

This paper contains 43 sections, 15 theorems, 38 equations, 4 figures, 3 algorithms.

Table of Contents

  1. Introduction
  2. Technical Background
  3. Quantitative Information Flow and the Refinement of Mechanisms
  4. Channels and uncertainty
  5. Refinement
  6. Differential privacy
  7. Refinement's relation to $\varepsilon$-DP
  8. Measures of utility, and their relation to refinement
  9. Two-stage data-release pipelines, and the notion of stability
  10. Examples of perturbing mechanisms and post-processors
  11. Perturbers: Randomised response and Geometric mechanisms
  12. Post-processors
  13. Guaranteed stability
  14. Random response with one respondent
  15. Multiple respondents via Kronecker
  16. ...and 28 more sections

Key Result

Theorem 4

Mechanism $M$ is refined by $M'$ just when there is a stochastic-matrix "witness" $W$ such that $M{\,{\cdot}\,}W{=}M'$ where ($\,{\cdot}\,$) here is matrix multiplication. This is a soundness/completeness result if $\ell/\pi$ is regarded as testing $M$McIver:2014aa: if there's a $W$, then any $\ell/

Figures (4)

  • Figure 1: Data-release pipeline considered in this work.
  • Figure 2: Matrix representation of ${\mathit RR}_\varepsilon^4$
  • Figure 3: Noisy $\mathit ArgMax$ for 20 individuals, 3 categories.
  • Figure 4: Example of instability in the public domain

Theorems & Definitions (28)

  • Definition 1: Loss function
  • Definition 2: Posterior uncertainty
  • Definition 3: QIF-refinement Alvim20:Book
  • Theorem 4: Coriaceous McIver:2014aa
  • Lemma 5: $\varepsilon$-preserving DBLP:conf/aplas/McIverM19Chatzi:2019
  • Definition 6: refinement-preserving
  • Lemma 7: Optimal utility DBLP:conf/csfw/FernandesMPD22
  • Definition 8: Pipeline model
  • Definition 9: Stability
  • Definition 10: $\ell$-stability
  • ...and 18 more