Local Pan-Privacy for Federated Analytics
Vitaly Feldman, Audra McMillan, Guy N. Rothblum, Kunal Talwar
TL;DR
The paper defines local pan-privacy to protect against on-device intrusions while estimating population statistics in federated analytics. It demonstrates that information-theoretic local pan-privacy for CountNonZero imposes an $\Omega(\sqrt{nT})$ additive error, making such a guarantee incompatible with scalable telemetry collection. To achieve practical privacy, the authors design computational local pan-private protocols for CountNonZero, histograms, and mean in both single- and two-server models, leveraging rerandomizable public-key cryptography and, in the two-server setting, non-interactive zero-knowledge proofs. These schemes preserve privacy under continual device intrusions with favorable privacy-utility trade-offs under standard cryptographic assumptions. The work also shows that rerandomizable public-key cryptography is necessary for achieving computational local pan-privacy and outlines avenues for future research on extending to other statistics and predicates.
Abstract
Pan-privacy was proposed by Dwork et al. as an approach to designing a private analytics system that retains its privacy properties in the face of intrusions that expose the system's internal state. Motivated by federated telemetry applications, we study local pan-privacy, where privacy should be retained under repeated unannounced intrusions on the local state. We consider the problem of monitoring the count of an event in a federated system, where event occurrences on a local device should be hidden even from an intruder on that device. We show that under reasonable constraints, the goal of providing information-theoretic differential privacy under intrusion is incompatible with collecting telemetry information. We then show that this problem can be solved in a scalable way using standard cryptographic primitives.
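The TL;DR names rerandomizable public-key cryptography as the building block; the sketch below is an added example, not the paper's protocol, showing why that property suits on-device state that an intruder may read repeatedly. It uses exponential ElGamal over a toy group, and the `device_step` update rule, all function names and the event trace are assumptions made for illustration; differential-privacy noise and server-side aggregation are left out.

```python
import secrets

# Toy parameters, far too small to be secure: safe prime P = 2*Q + 1,
# and G = 4 generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def _rand_exp():
    return secrets.randbelow(Q - 1) + 1      # uniform in [1, Q-1]

def keygen():
    # The secret key stays with the server; the device only ever holds pk.
    sk = _rand_exp()
    return sk, pow(G, sk, P)

def encrypt(pk, bit):
    """Exponential ElGamal: (G^r, pk^r * G^bit)."""
    r = _rand_exp()
    return pow(G, r, P), pow(pk, r, P) * pow(G, bit, P) % P

def rerandomize(pk, ct):
    """Multiply in a fresh encryption of 0; the plaintext is unchanged."""
    s = _rand_exp()
    return ct[0] * pow(G, s, P) % P, ct[1] * pow(pk, s, P) % P

def decrypt(sk, ct):
    # ct[0] has order Q, so ct[0]^(Q - sk) is the inverse of ct[0]^sk.
    m = ct[1] * pow(ct[0], Q - sk, P) % P
    return 0 if m == 1 else 1                # m equals G^bit

def device_step(pk, state, event):
    # Assumed update rule (illustration only): the stored ciphertext changes
    # on every step, to Enc(1) on an event and to a rerandomization otherwise.
    return encrypt(pk, 1) if event else rerandomize(pk, state)

def run_device(pk, events):
    """Return the state an intruder would see before and after each step."""
    state = encrypt(pk, 0)
    snapshots = [state]
    for event in events:
        state = device_step(pk, state, event)
        snapshots.append(state)
    return snapshots

if __name__ == "__main__":
    sk, pk = keygen()
    snaps = run_device(pk, [False, False, True, False])   # constructed event trace
    print([decrypt(sk, s) for s in snaps])
```

Because the ciphertext is replaced at every step whether or not an event occurred, two snapshots of the device state differ in both cases; telling the cases apart without the secret key is assumed hard only in a group of cryptographic size, not in this toy one.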
