From Randomized Response to Randomized Index: Answering Subset Counting Queries with Local Differential Privacy
Qingqing Ye, Liantong Yu, Kai Huang, Xiaokui Xiao, Weiran Liu, Haibo Hu
TL;DR
This paper tackles subset counting queries under Local Differential Privacy for set-valued data by introducing CRI, an index-based counting mechanism that achieves index-level deniability without perturbing the values. To further boost utility and scalability, it extends CRI into CRIAD with augmented dummy bits and a flexible multi-dummy, multi-sample, multi-group design, accompanied by formal privacy guarantees, unbiasedness, and variance bounds. The authors provide rigorous analyses and demonstrate that CRIAD substantially outperforms traditional value-perturbation LDP methods on real-world datasets across various privacy budgets and category sizes. The work offers practical implications for private analytics of category-level statistics and lays the groundwork for scalable, privacy-preserving analytics in federated or heterogeneous settings.
Abstract
Local Differential Privacy (LDP) is the predominant privacy model for safeguarding individual data privacy. Existing perturbation mechanisms typically require perturbing the original values to ensure acceptable privacy, which inevitably results in value distortion and utility deterioration. In this work, we propose an alternative approach -- instead of perturbing values, we apply randomization to indexes of values while ensuring rigorous LDP guarantees. Inspired by the deniability of randomized indexes, we present CRIAD for answering subset counting queries on set-value data. By integrating a multi-dummy, multi-sample, and multi-group strategy, CRIAD serves as a fully scalable solution that offers flexibility across various privacy requirements and domain sizes, and achieves more accurate query results than any existing methods. Through comprehensive theoretical analysis and extensive experimental evaluations, we validate the effectiveness of CRIAD and demonstrate its superiority over traditional value-perturbation mechanisms.