TY - GEN
T1 - Impossibility of differentially private universally optimal mechanisms
AU - Brenner, Hai
AU - Nissim, Kobbi
PY - 2010/1/1
Y1 - 2010/1/1
N2 - The notion of a universally utility-maximizing privacy mechanism was recently introduced by Ghosh, Roughgarden, and Sundararajan [STOC 2009]. These are mechanisms that guarantee optimal utility to a large class of information consumers, simultaneously, while preserving Differential Privacy [Dwork, McSherry, Nissim, and Smith, TCC 2006]. Ghosh, Roughgarden and Sundararajan have demonstrated, quite surprisingly, a case where such a universally-optimal differentially-private mechanisms exists, when the information consumers are Bayesian. This result was recently extended by Gupte and Sundararajan [PODS 2010] to risk-averse consumers. Both positive results deal with mechanisms (approximately) computing a single count query (i.e., the number of individuals satisfying a specific property in a given population), and the starting point of our work is a trial at extending these results to similar settings, such as sum queries with non-binary individual values, histograms, and two (or more) count queries. We show, however, that universally-optimal mechanisms do not exist for all these queries, both for Bayesian and risk-averse consumers. For the Bayesian case, we go further, and give a characterization of those functions that admit universally-optimal mechanisms, showing that a universally-optimal mechanism exists, essentially, only for a (single) count query. At the heart of our proof is a representation of a query function f by its privacy constraint graph G f whose edges correspond to values resulting by applying f to neighboring databases.
AB - The notion of a universally utility-maximizing privacy mechanism was recently introduced by Ghosh, Roughgarden, and Sundararajan [STOC 2009]. These are mechanisms that guarantee optimal utility to a large class of information consumers, simultaneously, while preserving Differential Privacy [Dwork, McSherry, Nissim, and Smith, TCC 2006]. Ghosh, Roughgarden and Sundararajan have demonstrated, quite surprisingly, a case where such a universally-optimal differentially-private mechanisms exists, when the information consumers are Bayesian. This result was recently extended by Gupte and Sundararajan [PODS 2010] to risk-averse consumers. Both positive results deal with mechanisms (approximately) computing a single count query (i.e., the number of individuals satisfying a specific property in a given population), and the starting point of our work is a trial at extending these results to similar settings, such as sum queries with non-binary individual values, histograms, and two (or more) count queries. We show, however, that universally-optimal mechanisms do not exist for all these queries, both for Bayesian and risk-averse consumers. For the Bayesian case, we go further, and give a characterization of those functions that admit universally-optimal mechanisms, showing that a universally-optimal mechanism exists, essentially, only for a (single) count query. At the heart of our proof is a representation of a query function f by its privacy constraint graph G f whose edges correspond to values resulting by applying f to neighboring databases.
KW - Differential privacy
KW - Geometric mechanism
KW - Universally optimal mechanisms
KW - Utility
UR - http://www.scopus.com/inward/record.url?scp=78751555871&partnerID=8YFLogxK
U2 - 10.1109/FOCS.2010.13
DO - 10.1109/FOCS.2010.13
M3 - Conference contribution
AN - SCOPUS:78751555871
SN - 9780769542447
T3 - Proceedings - Annual IEEE Symposium on Foundations of Computer Science, FOCS
SP - 71
EP - 80
BT - Proceedings - 2010 IEEE 51st Annual Symposium on Foundations of Computer Science, FOCS 2010
PB - Institute of Electrical and Electronics Engineers
T2 - 2010 IEEE 51st Annual Symposium on Foundations of Computer Science, FOCS 2010
Y2 - 23 October 2010 through 26 October 2010
ER -