
Private Truly-Everlasting Robust-Prediction

Uri Stemmer

TL;DR

This work extends private prediction by introducing private everlasting robust prediction (PERP), which remains private while providing utility under unbounded prediction queries. It relaxes the prior PEP model to tolerate adversarial queries and decouples the privacy parameter δ from the time horizon, enabling truly everlasting performance. The authors present computationally efficient PERP constructions for axis-aligned rectangles and for decision-stumps, achieving linear-in-dimension and near-linear sample complexities in contrast to the previous quadratic VC-bound, and they prove strong robustness against poisoning. Central to the approach are privacy-preserving primitives (RSC, Stopper, BetweenThresholds, ChallengeBT) that support adaptive, privacy-safe querying, and a simulation-based privacy analysis that extends DP to evolving, interactive predictors. Overall, the results suggest that PEP and PERP can be practical private-learning alternatives for certain concept classes where classical private learning is impossible, with substantial improvements in longevity and robustness.

Abstract

Private Everlasting Prediction (PEP), recently introduced by Naor et al. [2023], is a model for differentially private learning in which the learner never publicly releases a hypothesis. Instead, it provides black-box access to a "prediction oracle" that can predict the labels of an endless stream of unlabeled examples drawn from the underlying distribution. Importantly, PEP provides privacy both for the initial training set and for the endless stream of classification queries. We present two conceptual modifications to the definition of PEP, as well as new constructions exhibiting significant improvements over prior work. Specifically, (1) Robustness: PEP only guarantees accuracy provided that all the classification queries are drawn from the correct underlying distribution. A few out-of-distribution queries might break the validity of the prediction oracle for future queries, even for future queries which are sampled from the correct distribution. We incorporate robustness against such poisoning attacks into the definition of PEP, and show how to obtain it. (2) Dependence of the privacy parameter $\delta$ in the time horizon: We present a relaxed privacy definition, suitable for PEP, that allows us to disconnect the privacy parameter $\delta$ from the number of total time steps $T$. This allows us to obtain algorithms for PEP whose sample complexity is independent from $T$, thereby making them "truly everlasting". This is in contrast to prior work where the sample complexity grows with $\operatorname{polylog}(T)$. (3) New constructions: Prior constructions for PEP exhibit sample complexity that is quadratic in the VC dimension of the target class. We present new constructions of PEP for axis-aligned rectangles and for decision-stumps that exhibit sample complexity linear in the dimension (instead of quadratic). We show that our constructions satisfy very strong robustness properties.

Paper Structure

This paper contains 23 sections, 13 theorems, 6 equations, 1 figure, 7 algorithms.

Key Result

Theorem 1.2

For every concept class $C$ there is a private everlasting predictor using training set of size $\approx\frac{1}{\alpha\cdot\varepsilon^2}\cdot\operatorname{\rm VC}^2(C)$, where $\alpha$ is the accuracy parameter and $\varepsilon$ is the privacy parameter (ignoring the dependence on all other parame

Figures (1)

  • Figure 1: Definition of $\hbox{View}_{\mathcal{B},t}^0$ and $\hbox{View}_{\mathcal{B},t}^1$.

Theorems & Definitions (40)

  • Definition 1.1: DMNS06
  • Theorem 1.2: NaorNSY23, informal
  • Theorem 1.4: informal
  • Theorem 1.5: informal
  • Definition 2.1: Prediction Oracle NaorNSY23
  • Definition 2.2: Everlasting Prediction NaorNSY23
  • Definition 2.3: Private Prediction Oracle NaorNSY23
  • Definition 2.4: Private Everlasting Prediction NaorNSY23
  • Theorem 2.5: NaorNSY23
  • Definition 3.1: Everlasting robust prediction
  • ...and 30 more