Differential privacy from axioms
Guy Blanc, William Pires, Toniann Pitassi
TL;DR
This paper formalizes an axiomatic framework for privacy measures and proves that any reasonable privacy notion with nontrivial composition is equivalent to differential privacy (DP), up to polynomial factors in sample complexity. Central to the argument is TV-stability, which acts as a bridge from a general privacy measure to DP through a sequence of steps that rely on the four axioms: pre-processing invariance, prohibition of blatant non-privacy, strong composition, and linear scalability. The authors also show that DP itself satisfies the proposed axioms, and they demonstrate that the axioms are minimal by constructing ill-behaved privacy notions when any one axiom is removed, including DP-hardness results for fundamental tasks like FindElement. The results justify DP as the robust, essentially unique notion under the stated axioms for statistical tasks, and connect privacy with stability concepts from the broader algorithmic toolkit. Practically, this suggests that average-case relaxations of DP are unlikely to yield substantial gains without sacrificing core privacy guarantees or venturing into degenerate definitions.
Abstract
Differential privacy (DP) is the de facto notion of privacy both in theory and in practice. However, despite its popularity, DP imposes strict requirements which guard against strong worst-case scenarios. For example, it guards against seemingly unrealistic scenarios where an attacker has full information about all but one point in the data set, and still nothing can be learned about the remaining point. While preventing such a strong attack is desirable, many works have explored whether average-case relaxations of DP are easier to satisfy [HWR13,WLF16,BF16,LWX23]. In this work, we are motivated by the question of whether alternate, weaker notions of privacy are possible: can a weakened privacy notion still guarantee some basic level of privacy, and on the other hand, achieve privacy more efficiently and/or for a substantially broader set of tasks? Our main result shows the answer is no: even in the statistical setting, any reasonable measure of privacy satisfying nontrivial composition is equivalent to DP. To prove this, we identify a core set of four axioms or desiderata: pre-processing invariance, prohibition of blatant non-privacy, strong composition, and linear scalability. Our main theorem shows that any privacy measure satisfying our axioms is equivalent to DP, up to polynomial factors in sample complexity. We complement this result by showing our axioms are minimal: removing any one of our axioms enables ill-behaved measures of privacy.
