使用敏感用户数据调用隐私保护方法，执行低排名矩阵完成。在这项工作中，我们提出了一种新型的噪声添加机制，用于保留差异隐私，其中噪声分布受Huber损失的启发，Huber损失是众所周知的稳定统计数据中众所周知的损失功能。在使用交替的最小二乘方法来解决矩阵完成问题的同时，对现有的差异隐私机制进行了评估。我们还建议使用迭代重新加权的最小二乘算法来完成低级矩阵，并研究合成和真实数据集中不同噪声机制的性能。我们证明所提出的机制实现了{\ epsilon} - 差异性隐私，类似于拉普拉斯机制。此外，经验结果表明，在某些情况下，Huber机制优于Laplacian和Gaussian，否则是可比的。

作为推荐系统的主要协作过滤方法，一位矩阵完成需要用户收集的数据来提供个性化服务。由于阴险的攻击和意外推断，用户数据的发布通常会引起严重的隐私问题。为了解决此问题，差异隐私（DP）已在标准矩阵完成模型中广泛使用。但是，迄今为止，关于如何在一位矩阵完成中应用DP来实现隐私保护的知之甚少。在本文中，我们提出了一个统一的框架，以确保使用DP对单位矩阵完成的强大隐私保证。在我们的框架中，我们开发了与一位矩阵完成的不同阶段相对应的四种不同的私人扰动机制。对于每种机制，我们设计一个隐私性算法，并提供在适当条件下绑定的理论恢复误差。关于合成和现实世界数据集的数值实验证明了我们的建议的有效性。与没有隐私保护的一位矩阵完成相比，我们提出的机制可以维持高级隐私保护，而边际丧失完成精度。

Non-negative matrix factorization is a popular unsupervised machine learning algorithm for extracting meaningful features from data which are inherently non-negative. However, such data sets may often contain privacy-sensitive user data, and therefore, we may need to take necessary steps to ensure the privacy of the users while analyzing the data. In this work, we focus on developing a Non-negative matrix factorization algorithm in the privacy-preserving framework. More specifically, we propose a novel privacy-preserving algorithm for non-negative matrix factorisation capable of operating on private data, while achieving results comparable to those of the non-private algorithm. We design the framework such that one has the control to select the degree of privacy grantee based on the utility gap. We show our proposed framework's performance in six real data sets. The experimental results show that our proposed method can achieve very close performance with the non-private algorithm under some parameter regime, while ensuring strict privacy.

我们研究私有综合数据生成查询版本，其中目标是构建差异隐私的敏感数据集的消毒版本，这大致保留了大量统计查询的答案。我们首先介绍一个算法框架，统一文献中的长线迭代算法。在此框架下，我们提出了两种新方法。第一种方法，私人熵投影（PEP），可以被视为MWEM的高级变体，可自适应地重复使用过去查询测量以提高精度。我们的第二种方法，具有指数机制（GEM）的生成网络，通过优化由神经网络参数化的生成模型来避免MWEM和PEP等算法中的计算瓶颈，该分布族捕获了丰富的分布系列，同时实现了快速的基于梯度的优化。我们展示了PEP和GEM经验胜过现有算法。此外，我们表明宝石很好地纳入了公共数据的先前信息，同时克服了PMW ^ PUB的限制，现有的现有方法也利用公共数据。

联合数据分析是一个用于分布式数据分析的框架，其中服务器从一组分布式的低型带宽用户设备中编译了嘈杂的响应，以估算总统计信息。该框架中的两个主要挑战是隐私，因为用户数据通常很敏感，并且压缩，因为用户设备的网络带宽较低。先前的工作通过将标准压缩算法与已知的隐私机制相结合，从而分别解决了这些挑战。在这项工作中，我们对问题进行了整体研究，并设计了一个适合任何给定沟通预算的隐私感知压缩机制。我们首先提出了一种在某些条件下传输具有最佳方差的单个实数的机制。然后，我们展示如何将其扩展到位置隐私用例以及向量的指标差异隐私，以应用于联合学习。我们的实验表明，在许多设置中，我们的机制可以导致更好的实用性与压缩权衡。

最大信息系数（MIC）是一个强大的统计量，可以识别变量之间的依赖性。但是，它可以应用于敏感数据，并且发布可能会泄漏私人信息。作为解决方案，我们提出算法以提供差异隐私的方式近似麦克风。我们表明，经典拉普拉斯机制的自然应用产生的精度不足。因此，我们介绍了MICT统计量，这是一种新的MIC近似值，与差异隐私更加兼容。我们证明MICS是麦克风的一致估计器，我们提供了两个差异性私有版本。我们对各种真实和合成数据集进行实验。结果表明，私人微统计数据极大地超过了拉普拉斯机制的直接应用。此外，对现实世界数据集的实验显示出准确性，当样本量至少适中时可用。

点过程模型在现实世界应用中非常重要。在某些关键应用程序中，对点过程模型的估计涉及来自用户的大量敏感个人数据。隐私问题自然出现了现有文献中未解决的问题。为了弥合这一明显的差距，我们提出了第一个针对点过程模型的第一个一般差异私人估计程序。具体来说，我们以霍克斯的流程为例，并根据霍克斯流程的离散表示，为事件流数据引入了严格的差异隐私定义。然后，我们提出了两种差异性优化算法，可以有效地估算霍克斯流程模型，并在两个不同的设置下具有所需的隐私和公用事业保证。提供实验以支持我们的理论分析。

Conventional matrix factorization relies on centralized collection of users' data for recommendation, which might introduce an increased risk of privacy leakage especially when the recommender is untrusted. Existing differentially private matrix factorization methods either assume the recommender is trusted, or can only provide a uniform level of privacy protection for all users and items with untrusted recommender. In this paper, we propose a novel Heterogeneous Differentially Private Matrix Factorization algorithm (denoted as HDPMF) for untrusted recommender. To the best of our knowledge, we are the first to achieve heterogeneous differential privacy for decentralized matrix factorization in untrusted recommender scenario. Specifically, our framework uses modified stretching mechanism with an innovative rescaling scheme to achieve better trade off between privacy and accuracy. Meanwhile, by allocating privacy budget properly, we can capture homogeneous privacy preference within a user/item but heterogeneous privacy preference across different users/items. Theoretical analysis confirms that HDPMF renders rigorous privacy guarantee, and exhaustive experiments demonstrate its superiority especially in strong privacy guarantee, high dimension model and sparse dataset scenario.

When analyzing confidential data through a privacy filter, a data scientist often needs to decide which queries will best support their intended analysis. For example, an analyst may wish to study noisy two-way marginals in a dataset produced by a mechanism M1. But, if the data are relatively sparse, the analyst may choose to examine noisy one-way marginals, produced by a mechanism M2 instead. Since the choice of whether to use M1 or M2 is data-dependent, a typical differentially private workflow is to first split the privacy loss budget rho into two parts: rho1 and rho2, then use the first part rho1 to determine which mechanism to use, and the remainder rho2 to obtain noisy answers from the chosen mechanism. In a sense, the first step seems wasteful because it takes away part of the privacy loss budget that could have been used to make the query answers more accurate. In this paper, we consider the question of whether the choice between M1 and M2 can be performed without wasting any privacy loss budget. For linear queries, we propose a method for decomposing M1 and M2 into three parts: (1) a mechanism M* that captures their shared information, (2) a mechanism M1' that captures information that is specific to M1, (3) a mechanism M2' that captures information that is specific to M2. Running M* and M1' together is completely equivalent to running M1 (both in terms of query answer accuracy and total privacy cost rho). Similarly, running M* and M2' together is completely equivalent to running M2. Since M* will be used no matter what, the analyst can use its output to decide whether to subsequently run M1'(thus recreating the analysis supported by M1) or M2'(recreating the analysis supported by M2), without wasting privacy loss budget.

构建差异私有（DP）估计器需要得出观察结果的最大影响，如果在输入数据或估计器上没有外源性界限，这可能很困难，尤其是在高维度设置中。本文表明，在这方面，统计深度（即半空间深度和回归深度）的标准概念在这方面尤其有利，这在于单个观察值的最大影响很容易分析，并且该值通常很低。这用于使用这两个统计深度概念的最大值来激励新的近似DP位置和回归估计器。还提供了近似DP回归估计器的更高效的变体。此外，为了避免要求用户对估计和/或观察结果指定先验界限，描述了这些DP机制的变体，即满足随机差异隐私（RDP），这是Hall，Wasserman和Wasserman和Wasserman和Wasserman提供的差异隐私的放松Rinaldo（2013）。我们还提供了此处提出的两种DP回归方法的模拟。当样本量至少为100-200或隐私性损失预算足够高时，提出的估计器似乎相对于现有的DP回归方法表现出色。

We study fine-grained error bounds for differentially private algorithms for counting under continual observation. Our main insight is that the matrix mechanism when using lower-triangular matrices can be used in the continual observation model. More specifically, we give an explicit factorization for the counting matrix $M_\mathsf{count}$ and upper bound the error explicitly. We also give a fine-grained analysis, specifying the exact constant in the upper bound. Our analysis is based on upper and lower bounds of the {\em completely bounded norm} (cb-norm) of $M_\mathsf{count}$. Along the way, we improve the best-known bound of 28 years by Mathias (SIAM Journal on Matrix Analysis and Applications, 1993) on the cb-norm of $M_\mathsf{count}$ for a large range of the dimension of $M_\mathsf{count}$. Furthermore, we are the first to give concrete error bounds for various problems under continual observation such as binary counting, maintaining a histogram, releasing an approximately cut-preserving synthetic graph, many graph-based statistics, and substring and episode counting. Finally, we note that our result can be used to get a fine-grained error bound for non-interactive local learning {and the first lower bounds on the additive error for $(\epsilon,\delta)$-differentially-private counting under continual observation.} Subsequent to this work, Henzinger et al. (SODA2023) showed that our factorization also achieves fine-grained mean-squared error.

Privacy-preserving machine learning algorithms are crucial for the increasingly common setting in which personal data, such as medical or financial records, are analyzed. We provide general techniques to produce privacy-preserving approximations of classifiers learned via (regularized) empirical risk minimization (ERM). These algorithms are private under the ǫ-differential privacy definition due to Dwork et al. (2006). First we apply the output perturbation ideas of Dwork et al. (2006), to ERM classification. Then we propose a new method, objective perturbation, for privacy-preserving machine learning algorithm design. This method entails perturbing the objective function before optimizing over classifiers. If the loss and regularizer satisfy certain convexity and differentiability criteria, we prove theoretical results showing that our algorithms preserve privacy, and provide generalization bounds for linear and nonlinear kernels. We further present a privacy-preserving technique for tuning the parameters in general machine learning algorithms, thereby providing end-to-end privacy guarantees for the training process. We apply these results to produce privacy-preserving analogues of regularized logistic regression and support vector machines. We obtain encouraging results from evaluating their performance on real demographic and benchmark data sets. Our results show that both theoretically and empirically, objective perturbation is superior to the previous state-of-the-art, output perturbation, in managing the inherent tradeoff between privacy and learning performance.

在本文中，我们研究了差异化的私人经验风险最小化（DP-erm）。已经表明，随着尺寸的增加，DP-MER的（最坏的）效用会减小。这是私下学习大型机器学习模型的主要障碍。在高维度中，某些模型的参数通常比其他参数更多的信息是常见的。为了利用这一点，我们提出了一个差异化的私有贪婪坐标下降（DP-GCD）算法。在每次迭代中，DP-GCD私人沿梯度（大约）最大条目执行坐标梯度步骤。从理论上讲，DP-GCD可以通过利用问题解决方案的结构特性（例如稀疏性或准方面的）来改善实用性，并在早期迭代中取得非常快速的进展。然后，我们在合成数据集和真实数据集上以数值说明。最后，我们描述了未来工作的有前途的方向。

在共享数据的统计学习和分析中，在联合学习和元学习等平台上越来越广泛地采用，有两个主要问题：隐私和鲁棒性。每个参与的个人都应该能够贡献，而不会担心泄露一个人的敏感信息。与此同时，系统应该在恶意参与者的存在中插入损坏的数据。最近的算法在学习中，学习共享数据专注于这些威胁中的一个，使系统容易受到另一个威胁。我们弥合了这个差距，以获得估计意思的规范问题。样品。我们介绍了素数，这是第一算法，实现了各种分布的隐私和鲁棒性。我们通过新颖的指数时间算法进一步补充了这一结果，提高了素数的样本复杂性，实现了近最优保证并匹配（非鲁棒）私有平均估计的已知下限。这证明没有额外的统计成本同时保证隐私和稳健性。

Rankings are widely collected in various real-life scenarios, leading to the leakage of personal information such as users' preferences on videos or news. To protect rankings, existing works mainly develop privacy protection on a single ranking within a set of ranking or pairwise comparisons of a ranking under the $\epsilon$-differential privacy. This paper proposes a novel notion called $\epsilon$-ranking differential privacy for protecting ranks. We establish the connection between the Mallows model (Mallows, 1957) and the proposed $\epsilon$-ranking differential privacy. This allows us to develop a multistage ranking algorithm to generate synthetic rankings while satisfying the developed $\epsilon$-ranking differential privacy. Theoretical results regarding the utility of synthetic rankings in the downstream tasks, including the inference attack and the personalized ranking tasks, are established. For the inference attack, we quantify how $\epsilon$ affects the estimation of the true ranking based on synthetic rankings. For the personalized ranking task, we consider varying privacy preferences among users and quantify how their privacy preferences affect the consistency in estimating the optimal ranking function. Extensive numerical experiments are carried out to verify the theoretical results and demonstrate the effectiveness of the proposed synthetic ranking algorithm.

我们研究了差异私有线性回归的问题，其中每个数据点都是从固定的下高斯样式分布中采样的。我们提出和分析了一个单次迷你批次随机梯度下降法（DP-AMBSSGD），其中每次迭代中的点都在没有替换的情况下进行采样。为DP添加了噪声，但噪声标准偏差是在线估计的。与现有$（\ epsilon，\ delta）$ - 具有子最佳错误界限的DP技术相比，DP-AMBSSGD能够在关键参数（如多维参数）（如多维参数）等方面提供几乎最佳的错误范围$，以及观测值的噪声的标准偏差$ \ sigma $。例如，当对$ d $二维的协变量进行采样时。从正常分布中，然后由于隐私而引起的DP-AMBSSGD的多余误差为$ \ frac {\ sigma^2 d} {n} {n}（1+ \ frac {d} {\ epsilon^2 n}）$，即当样本数量$ n = \ omega（d \ log d）$，这是线性回归的标准操作制度时，错误是有意义的。相比之下，在此设置中现有有效方法的错误范围为：$ \ mathcal {o} \ big（\ frac {d^3} {\ epsilon^2 n^2} \ big）$，即使是$ \ sigma = 0 $。也就是说，对于常量的$ \ epsilon $，现有技术需要$ n = \ omega（d \ sqrt {d}）$才能提供非平凡的结果。

蜂窝提供商和数据聚合公司从用户设备中占群体的Celluar信号强度测量以生成信号映射，可用于提高网络性能。认识到这种数据收集可能与越来越多的隐私问题的认识可能存在赔率，我们考虑在数据离开移动设备之前混淆这些数据。目标是提高隐私，使得难以从混淆的数据（例如用户ID和用户行踪）中恢复敏感功能，同时仍然允许网络提供商使用用于改进网络服务的数据（即创建准确的信号映射）。要检查本隐私实用程序权衡，我们识别适用于信号强度测量的隐私和公用事业度量和威胁模型。然后，我们使用几种卓越的技术，跨越差异隐私，生成的对抗性隐私和信息隐私技术进行了衡量测量，以便基准，以基准获得各种有前景的混淆方法，并为真实世界的工程师提供指导，这些工程师是负责构建信号映射的现实工程师在不伤害效用的情况下保护隐私。我们的评估结果基于多个不同的现实世界信号映射数据集，展示了同时实现了充足的隐私和实用程序的可行性，并使用了使用该结构和预期使用数据集的策略以及目标平均案例的策略，而不是最坏的情况，保证。

深度神经网络（DNNS）铰接对大型数据集的可用性的最新成功;但是，对此类数据集的培训经常为敏感培训信息构成隐私风险。在本文中，我们的目标是探讨生成模型和梯度稀疏性的力量，并提出了一种可扩展的隐私保留生成模型数据标准。与标准展示隐私保留框架相比，允许教师对一维预测进行投票，在高维梯度向量上投票在隐私保存方面具有挑战性。随着需要尺寸减少技术，我们需要在（1）之间的改进之间导航精致的权衡空间，并进行SGD收敛的放缓。为了解决这一点，我们利用通信高效学习，并通过将顶-K压缩与相应的噪声注入机构相结合，提出一种新的噪声压缩和聚集方法TopAGG。理论上，我们证明了DataLens框架保证了其生成数据的差异隐私，并提供了其收敛性的分析。为了展示DataLens的实际使用情况，我们对不同数据集进行广泛的实验，包括Mnist，Fashion-Mnist和高维Celeba，并且我们表明，DataLens显着优于其他基线DP生成模型。此外，我们改进了所提出的Topagg方法，该方法是DP SGD培训的主要构建块之一，并表明它能够在大多数情况下实现比最先进的DP SGD方法更高的效用案件。我们的代码在HTTPS://github.com/ai-secure/datalens公开提供。

我们考虑如何私下分享客观扰动，使用每个实例差异隐私（PDP）所产生的个性化隐私损失。标准差异隐私（DP）为我们提供了一个最坏的绑定，可能是相对于固定数据集的特定个人的隐私丢失的数量级。PDP框架对目标个人的隐私保障提供了更细粒度的分析，但每个实例隐私损失本身可能是敏感数据的函数。在本文中，我们分析了通过客观扰动释放私人经验风险最小化器的每案隐私丧失，并提出一组私下和准确地公布PDP损失的方法，没有额外的隐私费用。

The ''Propose-Test-Release'' (PTR) framework is a classic recipe for designing differentially private (DP) algorithms that are data-adaptive, i.e. those that add less noise when the input dataset is nice. We extend PTR to a more general setting by privately testing data-dependent privacy losses rather than local sensitivity, hence making it applicable beyond the standard noise-adding mechanisms, e.g. to queries with unbounded or undefined sensitivity. We demonstrate the versatility of generalized PTR using private linear regression as a case study. Additionally, we apply our algorithm to solve an open problem from ''Private Aggregation of Teacher Ensembles (PATE)'' -- privately releasing the entire model with a delicate data-dependent analysis.