
Differential Privacy on Trust Graphs

Badih Ghazi, Ravi Kumar, Pasin Manurangsi, Serena Wang

TL;DR

Given a trust graph where vertices correspond to parties and neighbors are mutually trusting, the paper gives a DP algorithm for aggregation with a much better privacy-utility trade-off than in the well-studied local model of DP.

Abstract

We study differential privacy (DP) in a multi-party setting where each party only trusts a (known) subset of the other parties with its data. Specifically, given a trust graph where vertices correspond to parties and neighbors are mutually trusting, we give a DP algorithm for aggregation with a much better privacy-utility trade-off than in the well-studied local model of DP (where each party trusts no other party). We further study a robust variant where each party trusts all but an unknown subset of at most $t$ of its neighbors (where $t$ is a given parameter), and give an algorithm for this setting. We complement our algorithms with lower bounds, and discuss implications of our work to other tasks in private learning and analytics.

Paper Structure

This paper contains 35 sections, 18 theorems, 25 equations, 4 figures, 3 tables.

Key Result

Lemma 1

For any random variables $X, X'$ and a (possibly randomized) function $f$, we have $D_{\infty}(f(X) ~\|~ f(X')) \leq D_{\infty}(X ~\|~ X')$.
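The post-processing lemma above is the reason a party can apply any further (even randomized) computation to a DP output without weakening the guarantee. As an added illustration that is not part of the paper, the following Python snippet computes the max divergence $D_\infty$ between two constructed discrete distributions, pushes both through a randomized map $f$ given as a stochastic channel, and checks that the divergence does not increase. The distributions, the channel and all function names are assumptions of this example.

```python
from fractions import Fraction
from math import log

# Constructed example (not from the paper): two distributions P, Q and a
# randomized post-processing map f, used to check Lemma 1 numerically.
# Probabilities are exact Fractions so the comparison is not subject to
# floating-point error.

def max_ratio(p, q):
    """Largest P(x)/Q(x) over the support of P; D_inf(P||Q) = ln(max_ratio).
    Returns None (infinite divergence) when P has mass where Q has none."""
    worst = Fraction(0)
    for x, px in p.items():
        if px == 0:
            continue
        qx = q.get(x, Fraction(0))
        if qx == 0:
            return None
        worst = max(worst, Fraction(px) / Fraction(qx))
    return worst

def max_divergence(p, q):
    """D_inf(P||Q) in nats; float('inf') when the supports are incompatible."""
    r = max_ratio(p, q)
    return float("inf") if r is None else log(r)

def push_forward(p, channel):
    """Distribution of f(X) for X ~ p, where the randomized map f is given by
    channel[x][y] = Pr[f(x) = y]."""
    out = {}
    for x, px in p.items():
        for y, kxy in channel[x].items():
            out[y] = out.get(y, Fraction(0)) + Fraction(px) * Fraction(kxy)
    return out

def post_processing_check(p, q, channel):
    """Return (ratio before f, ratio after f, whether Lemma 1 holds here)."""
    before = max_ratio(p, q)
    after = max_ratio(push_forward(p, channel), push_forward(q, channel))
    if before is None:
        holds = True            # an infinite bound is trivially respected
    else:
        holds = after is not None and after <= before
    return before, after, holds

# Constructed distributions of a one-bit output under two neighbouring inputs.
P = {0: Fraction(1, 2), 1: Fraction(1, 2)}
Q = {0: Fraction(3, 4), 1: Fraction(1, 4)}

# Randomized post-processing: flip the bit with probability 1/4.
FLIP = {0: {0: Fraction(3, 4), 1: Fraction(1, 4)},
        1: {0: Fraction(1, 4), 1: Fraction(3, 4)}}

# Deterministic post-processing: discard the bit entirely.
DROP = {0: {"none": Fraction(1)}, 1: {"none": Fraction(1)}}

if __name__ == "__main__":
    print("D_inf(P||Q)      =", max_divergence(P, Q))
    for name, ch in (("flip", FLIP), ("drop", DROP)):
        before, after, ok = post_processing_check(P, Q, ch)
        print(f"{name}: ratio {before} -> {after}, lemma holds: {ok}")
```

Here $D_\infty(P \,\|\, Q) = \ln 2$ before the flip and $\ln(4/3)$ after it, and discarding the output drives the divergence to $0$; in neither case does post-processing raise it, which is exactly what the lemma guarantees for any $f$.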

Figures (4)

  • Figure 1: Simple example trust graph. User A is only willing to share their data with users B and C, and user C is additionally willing to share their data with D. We introduce a privacy model (TGDP) in which users D and E cannot identify user A's data based on any communication exchanged.
  • Figure 2: $\mathbf{t}_{\alpha}$-RTGDP error ratios for varying levels of mistrust $\alpha$. Even for relatively high levels of mistrust $\alpha$ up to $0.5$, RTGDP can yield a substantial improvement in error relative to LDP for most datasets. Note that for $\alpha = 1$, $\mathbf{t}_{\alpha}$-RTGDP is equivalent to LDP.
  • Figure 3: A graph with a gap between the domination number (4) and the packing number (1). The relaxed LP solution $\mathrm{OPT}_{\mathrm{LP}} = 16/7 \approx 2.285$.
  • Figure 4: A star graph representing a central DP setting in which all users trust user A as a central analyst. TGDP exactly matches central DP here in that TGDP would allow for user A to handle all data, while no individual user's data can be identified by communication across non-neighbors. The minimum dominating set size is simply 1.

Theorems & Definitions (36)

  • Definition 1
  • Definition 2
  • Definition 3: View
  • Definition 4
  • Lemma 1: Post-Processing
  • Lemma 2
  • Definition 5
  • Theorem 3
  • proof
  • Theorem 4
  • ...and 26 more