Approximate Differential Privacy of the $\ell_2$ Mechanism

TL;DR

We address releasing a $d$-dimensional statistic with bounded $\ell_2$ sensitivity under $(\varepsilon,\delta)$-DP by analyzing and deploying the $\ell_2$ mechanism, an instance of the $K$-norm family. We derive a practical method to choose the scale parameter $\sigma$ to guarantee $(\varepsilon,\delta)$-DP for arbitrary $d$, and we provide a parallel sampler for efficient deployment. The privacy analysis reduces the DP condition to two tail probabilities of the privacy-loss random variable, which we upper bound and lower bound using a spherical-cap geometric framework with gamma and incomplete beta function tools, yielding tight, implementable bounds. Empirically, the $\ell_2$ mechanism achieves lower mean-squared $\ell_2$-error than both Laplace and analytic Gaussian mechanisms across dimensions, while maintaining a pure DP guarantee, making it a strong candidate for high-dimensional DP tasks in practice.

Abstract

We study the $\ell_2$ mechanism for computing a $d$-dimensional statistic with bounded $\ell_2$ sensitivity under approximate differential privacy. Across a range of privacy parameters, we find that the $\ell_2$ mechanism obtains lower error than the Laplace and Gaussian mechanisms, matching the former at $d=1$ and approaching the latter as $d \to \infty$.

Figures (5)

• Figure 1: Left: normalized mean squared $\ell_2$ error. At each $d$, we compute mean squared $\ell_2$ error for the $(1, 10^{-5})$-DP Laplace, analytic Gaussian BW18, and $\ell_2$ mechanisms. Quantities are normalized so that the analytic Gaussian mechanism error is always 1. Note that we truncate the Laplace mechanism at $d=8$, after which its error relative to the analytic Gaussian mechanism continues to grow. See \ref{['subsec:experiments_error']} for details. Right: the pure DP guarantee of the $(1, 10^{-5})$-DP $\ell_2$ mechanism as $d$ grows.
• Figure 2: An illustration of $V$ for $\sigma = 1/(2\varepsilon)$. We draw the projection of $V$ onto $\text{span}(e_1,e_2)$ as the shaded region.
• Figure 3: The unit circle in $\mathbb{R}^2$ with a spherical cap (thick purple arc) of height 0.5. In $\mathbb{R}^d$, the sphere and spherical cap are both $(d-1)$-dimensional objects.
• Figure 4: A comparison of empirical (dotted) and algorithmic (solid) estimates of privacy loss. At each $d$, the empirical method uses $n = 1000 / \delta = 10^5$ samples.
• Figure 5: Left: a plot of mean time to compute the minimum $\sigma$ to achieve $(1, 10^{-5})$-DP for the $\ell_2$ (solid purple) and analytic Gaussian mechanism (dotted black) mechanisms. Time is measured in seconds, across 100 trials for each $d$. Note that the analytic Gaussian mechanism computation is dimension-independent, so the time is constant; the $\ell_2$ mechanism jumps after $d=1$ because that case uses \ref{['lem:large_sigma']} instead of approximating the spherical cap region. Right: a similar plot for drawing 1000 samples from the mechanism.

Theorems & Definitions (63)

• Definition 2.1
• Lemma 2.2
• Lemma 2.3: BW18
• Lemma 2.4: HT10
• Definition 3.1
• Lemma 3.2
• proof
• Lemma 3.3
• proof
• Definition 3.5