IEEE JOURNAL ON SELECTED AREAS IN INFORMATION THEORY, VOL.

5, 2024 369

Summary Statistic Privacy in Data Sharing

Zinan Lin, Shuaiqi Wang , Graduate Student Member, IEEE, Vyas Sekar, and Giulia Fanti , Member, IEEE

Abstract—We study a setting where a data holder wishes to

share data with a receiver, without revealing certain summary
statistics of the data distribution (e.g., mean, standard deviation).
It achieves this by passing the data through a randomization
mechanism. We propose summary statistic privacy, a metric for
quantifying the privacy risk of such a mechanism based on the
worst-case probability of an adversary guessing the distributional
secret within some threshold. Defining distortion as a worst-
case Wasserstein-1 distance between the real and released data,
we prove lower bounds on the tradeoff between privacy and
distortion. We then propose a class of quantization mechanisms
that can be adapted to different data distributions. We show
that the quantization mechanism’s privacy-distortion tradeoff
matches our lower bounds under certain regimes, up to small con-
stant factors. Finally, we demonstrate on real-world datasets that
the proposed quantization mechanisms achieve better privacy-
distortion tradeoffs than alternative privacy mechanisms.
Index Terms—Privacy, data privacy, synthetic data.
I. I NTRODUCTION
ATA sharing is an important enabler for data-driven
D product development [1], coordination efforts (e.g.,
cybersecurity [2], law enforcement [3]), and the creation
of benchmarks for evaluating scientific progress [4], [5], [6].
However, summary statistics of shared data may leak sensitive
information [7], [8]. For example, property inference attacks
allow an attacker to infer properties about the individuals in
the training dataset of a released machine learning model [9],
[10], [11], [12], [13]. An institution that shares Domain Name
System (DNS) data may not want to disclose even aggregated
queries, as these quantities can be used to infer details about
the institution [14]. A cloud provider that shares cluster
performance traces may not want to reveal the proportions of
different server types that the cloud provider owns, which are
regarded as business secrets [15]. Note that this information
(aggregate DNS queries, proportions of server types), cannot
be inferred from any record, but is a property of the data
Manuscript received 27 October 2023; revised 14 January 2024 and 16 April
2024; accepted 15 May 2024. Date of publication 21 May 2024; date of
current version 17 June 2024. This work was supported in part by NSF
under Grant CIF-1705007 and Grant RINGS-2148359; in part by the Sloan
Foundation; in part by Intel; in part by J.P. Morgan Chase; in part by
Siemens; in part by Bosch; in part by Cisco; and in part by the U.S.
Army Research Office and the U.S. Army Futures Command under Contract
W911NF20D0002. (Zinan Lin and Shuaiqi Wang contributed equally to this
work.) (Corresponding author: Shuaiqi Wang.)
Zinan Lin is with the Algorithms Group, Microsoft Research, Redmond,
WA 98052 USA (e-mail:
Fig. 1. Problem overview. The data holder wants to release data while
hiding statistical secrets of the original data. The attacker (which could be
the data user) observes the released data, and wants to guess the secrets of
the original data. We focus on secrets defined over the underlying distribution
(e.g., functions of the moments or quantiles of data columns). Many existing
frameworks (e.g., differential privacy [16]) protect information from samples
(rows).
distribution (or the aggregate dataset). We therefore define
these secrets in Section III as functions that can be computed
from one or more parameters of the data distribution.
Our setup is as follows (detailed formulation in Section III).
A data holder possesses a data distribution. The data holder
chooses one or more secrets, which are defined as deter-
ministic functions of the distribution. For example, a video
analytics company might choose the mean daily observed
traffic as a secret quantity. Then, the data holder obfuscates
their data distribution according to a randomization mechanism
and releases the output (Fig. 1). The goal is to prevent an
adversary from estimating the value of the secrets, while
preserving data utility.
Many widely-used privacy metrics and data sharing
algorithms are not designed to protect summary statistic
privacy, instead protecting the privacy of individual records
in a database (e.g., differential privacy [16], anonymiza-
tion [17], sub-sampling [17]). For example, differential privacy
(DP) [16] evaluates how much individual samples influence the
final output of an algorithm, and does not inherently protect
summary statistics [9].
Many other frameworks have been designed specifi-
cally to hide aggregate properties of a dataset (or a
distribution) [18], [19], [20]; we discuss these in detail in
Section II. Many of these frameworks define privacy in
terms of information-theoretic quantities such as mutual
information [19] or other divergences [21]. In this work, we
directly define the privacy of a mechanism as the posterior
probability that a worst-case attacker can infer the data

[email protected]). holder’s true secret after observing the released data. This
Shuaiqi Wang, Vyas Sekar, and Giulia Fanti are with the Department
of Electrical and Computer Engineering, Carnegie Mellon University, definition is related to prior work analyzing min-entropy
Pittsburgh, PA 15213 USA (e-mail: [email protected]; vsekar@ as a privacy metric [22]. To capture the utility of released
andrew.cmu.edu; [email protected]

). data, we define the distortion of a mechanism as the worst-
This article has supplementary downloadable material available at
https://doi.org/10.1109/JSAIT.2024.3403811, provided by the authors. case Wasserstein-1 distance between the original and released
Digital Object Identifier 10.1109/JSAIT.2024.3403811 data distributions, given that data release typically occurs in
2641-8770 
c 2024 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
370
one shot. Our goal is to design data release mechanisms
that efficiently trade off privacy and distortion (defined in
Section III).
A. Contributions
Our contributions are as follows.
• Lower bounds (Section IV): We derive general lower
bounds on distortion given a privacy budget for any
mechanism. These bounds depend on both the secret
function and the data distribution. We derive closed-
form lower bounds for a number of case studies (i.e.,
combinations of prior beliefs on the data distribution and
secret functions).
• Mechanism design and upper bounds (Section V): We
propose a class of mechanisms that achieve summary
statistic privacy called quantization mechanisms, which
intuitively quantize a data distribution’s parameters1 into
bins. We show that for the case studies analyzed theoret-
ically in Table I, the quantization mechanism achieves a
privacy-distortion tradeoff within a small constant factor
of optimal (usually ≤3) in the regime where quantization
bins are small relative to the overall support set of the
distribution parameters. We present a sawtooth technique
for theoretically analyzing the quantization mechanism’s
privacy tradeoff under various types of secret func-
tions and data distributions (Section V-C). Intuitively,
the sawtooth technique exploits the geometry of the
distribution parameter(s) to divide the parametric space
into two regions: one in which privacy risk is small and
analytically tractable, and another in which privacy risk
can be high, but which occurs with low probability. For
the case studies that we do not analyze theoretically, we
provide a dynamic programming algorithm that efficiently
numerically instantiates the quantization mechanism.
• Empirical evaluation (Section VII): We give empirical
results showing how to use summary statistic privacy
to release a real dataset, and how to evaluate the cor-
responding summary statistic privacy metric. We show
that the proposed quantization mechanism achieves better
privacy-distortion tradeoffs than other related privacy
mechanisms.
II. R ELATED W ORK
We divide the related work into two categories: approaches
based on indistinguishability over candidate inputs, and
information-theoretic approaches.
A. Indistinguishability-Based Approaches
Differential privacy (DP) [16] is one of the most
commonly-adopted privacy frameworks. A random mecha-
nism M is (, δ)-differentially-private if for any neighboring
datasets X0 and X1 (i.e., X0 and X1 differ one sample), and
any set S ⊆ range(M), we have
P(M(X0 ) ∈ S) ≤ e · P(M(X1 ) ∈ S) + δ.
1 We assume data distributions are drawn from a parametric family; more
details in Section III.
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
IEEE JOURNAL ON SELECTED AREAS IN INFORMATION THEORY, VOL. 5, 2024
Fig. 2. An illustrative example of why naive differential privacy mechanisms
do not protect summary statistics. Suppose we want to protect the mean of
the data. A typical differential privacy algorithm [23] would add zero-mean
noise (e.g., Laplace noise) to the bins. This mechanism does not change the
expected mean of the data.
A natural first attempt at the problem might use DP by
treating M as the data release mechanism that takes the
original dataset as input and outputs the released dataset.
For example, suppose we want to release the histogram in
Fig. 2, representing the number of items sold by a company
at different prices. Suppose the mean of this distribution is
sensitive, as it can be used to determine the company’s overall
trade volume. Two natural approaches for using DP arise:
(1) Per-record DP: A typical DP algorithm [23] would add
zero-mean noise (e.g., Laplace noise) to each histogram bin in
Fig. 2. This prevents the adversary from inferring whether any
individual record was in the dataset, but allows the attacker
to derive an unbiased estimator of the mean from the released
data. In other words, the threat model of (this usage of)
DP and our framework are different: DP hides whether any
given sample contributed to the shared data, whereas we want
to hide functions of the underlying distribution. To show
this formally, one can construct counterexamples where a
data release mechanism is DP, but cannot protect a summary
statistic of a data distribution (or dataset). We construct such
a counterexample in Appendix A-A in the supplementary
material for the scenario of hiding the mean of a dataset of
scalar numbers. The example shows that if the data holder
applies a local DP mechanism [24] (Gaussian mechanism) to
their dataset, as the number of dataset samples n grows, the
released noisy mean concentrates around the original mean.
Hence, the adversary can guess the mean to within a tolerance
 > 0 with a probability that tends to 1 as n → ∞.
(2) Per-attribute-per-record DP: One can also design a local
DP mechanism that adds independent noise to each record of
the dataset, with independent noise of different scales used
for different attributes. Consider an example of hiding the
difference in mean salaries between males and females in a
gender-salary dataset. A data holder could use a local DP
mechanism that adds independent noise of different scales to
each of the gender and salary attributes. Since the mechanism
itself is locally DP, it provides privacy guarantees at the
level of each record, as well as each attribute of each record
(i.e., the DP privacy guarantee protects individual cells in the
dataset). However, such a class of mechanism still cannot
hide distributional properties (in our example, the mean salary
difference between males and females). In Appendix A-B
in the supplementary material, we precisely formulate and
LIN et al.: SUMMARY STATISTIC PRIVACY IN DATA SHARING
analyze this example, and show that there exists an attack
strategy such that the probability the adversary guesses the
secret to within tolerance  > 0 tends to 1 as dataset size
n → ∞.
(3) Per-dataset DP: A third natural alternative is to devise
a DP-like definition that explicitly protects the secret quan-
tity. For instance, we could ask that for any pair of input
distributions that differ in their secret quantity, the data
release mechanism outputs similar released data distributions.
Several per-dataset methods are listed below. Used naively,
such an approach provides strong privacy guarantees, but
may have poor utility.  For instance,
 consider
 two Gaussian
input distributions N μ1 , σ12 and N μ2 , σ22 with the secret
as the mean. The values of σ12 and σ22 could be arbitrarily
different. To make input distributions indistinguishable given
the released data, we must destroy information about the true
σ , which requires adding potentially unbounded noise. While
relaxations like metric differential privacy may help [25], they
may introduce new challenges, e.g., how to choose the metric
function to map dataset distance to a privacy parameter.
Attribute privacy [18] tackles these challenges in part
by constraining the space of distributions that should be
indistinguishable [11]. Attribute privacy protects a function
of a sensitive column in the dataset (named dataset attribute
privacy) or a sensitive parameter of the underlying distribution
from which the data is sampled (named distribution attribute
privacy). It addresses the previously-mentioned shortcomings
of vanilla DP under the pufferfish privacy framework [26].
Precisely, let X be the dataset, G be the possible range of a
secret g, and Ga , Gb ⊆ G be two non-overlapping subsets of
the secret range G. A mechanism M is (, δ)-attribute private
if for any dataset X , secret range pairs Ga , Gb , and any set
S ⊆ range(M):
P(M(X ) ∈ S|g(X ) ∈ Ga ) ≤ e P(M(X ) ∈ S|g(X ) ∈ Gb ) + δ.
Attribute privacy focuses on algorithms that output a statistical
query of the dataset instead of the entire dataset. Though
we may apply attribute privacy to analyze full-dataset-sharing
algorithms; it may need to add substantial noise due to the
high dimensionality of the dataset (Section VII).
Distribution privacy [27] is a closely related notion, which
releases a full data distribution under DP-style indistinguisha-
bility guarantees. Roughly, for any two input distributions
with parameters θ0 and θ1 from a pre-defined set of candi-
date distributions, a distribution-private mechanism outputs a
distribution M(θi ) for i ∈ {0, 1} such that for any set S in
the output space, we have P[M(θi ) ∈ S] ≤ e P[M(θ1−i ) ∈
S] + δ. By obfuscating the whole distribution, distribution
privacy inherently protects the private information. However
the required noise may be more than what is needed to protect
only select secret(s). For example, as mentioned above, two
datasets can have exactly the same secret statistic (e.g., mean),
while differing significantly in other respects (e.g., variance)—
this requires significant noise in general. A recent work [28]
proposes mechanisms for distribution privacy, and we observe
this trend experimentally in Section VII; the noise added by
the mechanisms in [28] is larger than what we require with
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
371
summary statistic privacy (though the privacy guarantees are
different, so it is difficult to do a fair comparison).
Distribution inference [7], [8] considers a hypothesis test
in which the adversary must choose whether released data
comes from one of two fixed input data distributions ω1 , ω2 .
Both distributions are assumed to be known to all parties.
By defining the attacker’s guessed  as ω̂ and
 distribution

the attacker’s advantage as |P ω̂|ω1 − P ω̂|ω2 |, distribution
inference requires that the attacker’s advantage be negligible.
However, it is unclear how to establish a reasonable pair of
candidate distributions; moreover, as with distribution privacy
and attribute privacy, distribution inference may require high
noise since it requires the data distributions to be indistin-
guishable.
B. Information-Theoretic Approaches
The second category of frameworks use information-
theoretic measures of privacy and utility [20], [22], [29], [30],
[31], [32], [33], [34], [35], [36], [37], [38], [39], [40], [41],
[42], [43], [44]. Such works often measure disclosure via
divergences, such as mutual information [19], [34], [45], [46],
[47], [48], [49], [50], [51], f -divergences [21], [52], or min-
entropy [22], [30], [31], [38], [39], [40], [53], [54], [55]. We
discuss a few examples here.
Privacy funnel [19], [29] is a well-known information-
theoretic privacy framework. Let X be the random variable
of the original data, containing sensitive information U,
and let Y represent the (random) released data. The pri-
vacy funnel framework evaluates privacy leakage with
the mutual information I(U; Y), and the utility of Y
with mutual information I(X; Y). To find a data release
mechanism PY|X , privacy funnel solves the optimization
minPY|X :I(X;Y)≥R I(U; Y), where R is a desired threshold on the
utility of Y. Adopting the same privacy and utility metrics,
Zamani et al. [46] instead analyze an upper bound on utility
under a privacy constraint, i.e., supPY|X :I(U;Y)≤ I(X; Y), where
 represents the privacy constraint. However, prior work
has argued that mutual information is not a good metric for
either privacy or utility [20]. On the privacy front, there exist
mechanisms that reduce I(U; Y) while allowing the attacker
to guess U correctly from Y with higher probability (see [20,
Example 1]). On the utility front, high mutual information
I(X; Y) does not mean that the released data Y is a useful
representation of X; for instance, Y could be an arbitrary one-
to-one transformation of X.
Rate-distortion formulations. Although rate-distortion the-
ory was originally proposed in the context of source
coding [56], it has more recently been used to model privacy
problems as follows. Let X be the random variable with finite
or countable alphabets X with prior distribution π , and M be
the mechanism that encodes X to Y. For a distortion d : X ×
Y → R≥0 and a threshold d̂, the problem is to find the optimal
mechanism that minimizes MI subject to distortion constraint
d̂: M∗ = arg minE[D(X,M,d)]≤d̂ I(X; YX,M ), where YX,M is
the encoding of X. Several papers have used this formulation
to model tradeoffs between privacy (mutual information) and
utility (distortion), particularly in the context of location
372
privacy [47], [48]. These works use the celebrated Blahut-
Arimoto algorithm [57], [58] to identify a mechanism that
Pareto-optimally trades off mutual information for average
distortion.
As mentioned earlier, mutual information has some
shortcomings as a privacy metric [20]. Nevertheless, the rate-
distortion formulation of privacy is related to our work in
that it uses distortion as the measure of utility. Whereas rate-
distortion-based formulations use average-case distortion as a
distortion metric, we use worst-case distortion (Section III). If
we replace the average distortion in rate-distortion theory by
the worst-case distortion, finding the Pareto-optimal mecha-
nism may be substantially more challenging since the objective
function M∗ = arg minmaxx∈X,y∈Y d(x,y)≤d̂ I(X; YX,M ) is no
x,M
longer a convex program in general.
Maximal leakage [20] is an information-theoretic frame-
work for quantifying the leakage of sensitive information.
Using the same notation as before, the adversary’s guess of
secret U is denoted by Û. Based on this setup, the Markov
chain U − X − Y − Û holds. Maximal leakage L from X to Y
is defined as
 
P U = Û
L(X → Y) = sup log , (1)
U−X−Y−Û
maxu PU (u)
where the sup is taken over U (i.e., considering the worst-
case secret) and Û (i.e., considering the strongest attacker).
Intuitively, Eq. (1) evaluates the ratio (in nats) of the proba-
bilities of guessing the secret U correctly with and without
observing Y. Variants and generalizations of maximal leakage
have been proposed,
  modifying Eq. (1) to penalize different
values of P U = Û differently, using so-called gain func-
tions [33], [35], [36], [37]. Maximal leakage and its variants
assume that the secret U is unknown a priori and therefore
considers the worst-case leakage over all possible secrets.
However, in our problem, data holders know what secret they
want to protect.
Min-entropy metrics: Several papers have studied privacy
metrics related to min-entropy, or the probability of guessing
the secret correctly [22], [30], [31], [53], [54]. Among these,
the most closely related paper is by Asoodeh et al. [22],
which directly analyzes the probability of guessing the secret,
as we do (within a threshold). Adopting the same notation
as before (i.e., the Markov chain U − X − Y), [22] aims to
maximize the disclosure of X (i.e., maxf P(X = f (Y)), where
the max is taken over all functions f ) to ensure high utility.
This optimization is subject to a privacy constraint on the
sensitive information U: maxĝ P U = ĝ(Y) ≤ T, where the
max is taken over all attack strategies ĝ. However, the authors
assume that for random variables X and Y, the value of each
dimension can only be either 0 or 1 (i.e., each dimension of
the data distribution parameter is binary). Since their analysis
relies on the properties of Bernoulli distribution, the results
cannot be trivially extended to non-binary case, significantly
constraining the range of distribution settings this framework
can analyze. Furthermore, they assess utility based on the
probability of precisely guessing the original data. However,
in data-sharing contexts, this utility measure suffers from the
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
IEEE JOURNAL ON SELECTED AREAS IN INFORMATION THEORY, VOL. 5, 2024
same shortcomings as mutual information, namely that any
random one-to-one mapping can achieve a high utility metric
without having practical utility.
Quantitative information flow: The concept of quantitative
information flow (QIF) was first introduced in [59], [60],
with the goal of quantitatively measuring the amount of
information leaked about a secret by observing the output data.
QIF broadly encompasses several of the privacy frameworks
we have mentioned previously. Early works mainly adopted
mutual information as the leakage definition [49], [50], [51],
while Smith [30] showed that it fails to capture vulnera-
bility: the probability of an attacker successfully guessing
the secret in one try. This led to the introduction of min-
entropy leakage, which is a normalized variant of our privacy
metric. Generalizations of min-entropy leakage have been
proposed [31], [53], [55]; in particular, g-leakage [53] intro-
duces a gain function that models partial guessing or multiple
guessing scenarios. Recently, g-leakage was used as a pri-
vacy metric to study a variety of applications, including the
combination of local DP and shuffling [38], average-case
utility in privacy-preserving pipelines [40], and cyber-attack
defense problems [39]. However, unlike our work, these works
consider the entire input dataset as the secret information that
needs to be protected, whereas we only need to protect the
sensitive information U contained in X, while maximizing
the disclosure of nonsensitive information in X. Because of
this, our goal is to minimize the information leakage of U
while maximizing the leakage of other information in X,
and to derive fundamental limits on tradeoffs between these
quantities. Although we could have used min-entropy leakage
in our privacy metric design, their analysis applies to discrete
alphabets and cannot be trivially extended to the continuous
case, as the probability density of an attacker guessing the
exact secret is zero. Moreover, the only utility analysis in these
works is average-case, whereas our paper adopts a worst-case
utility metric, which significantly changes the mechanisms
and conclusions we draw (e.g., leading to quantization-based
mechanisms).
Noiseless privacy-preserving policies: An interesting
property of the mechanism we study—the quantization
mechanism—is that it is deterministic. Several prior works
have studied noiseless privacy mechanisms under various
assumptions on the generative process for the data [41], [42],
[43], [44]. For example, adopting non-stochastic information
theoretic methods, Farokhi [42] use maximin information [61]
and non-stochastic information leakage as privacy metrics and
measure utility as the worst-case difference between the input
and output responses. For instance, maximin information is
defined as I(X ; Y) = log(|ϒ(X , Y)|); here X , Y represent
the original and released datasets, and ϒ(X , Y) represents
the unique taxicab partition of X , Y, where X , Y denotes
the set of all feasible input-output dataset pairs. Roughly,
a taxicab partition consists of a sequence of dataset pairs
such that any two consecutive pairs share the same X or
Y (formal definition in [42]). Reference [42] proves that
the quantization mechanism is the optimal privacy-preserving
policy over the set of deterministic piecewise differentiable
mechanisms (which quantizes the input X as several bins and
LIN et al.: SUMMARY STATISTIC PRIVACY IN DATA SHARING
the output Y is differentiable for each bin) that maximize
the privacy level subject to a utility constraint for maximin
information.
In our work, despite not constraining the mechanism space
to deterministic mechanisms, we also find that the quantization
mechanism is near-optimal. However, the proof in [42] is
based on the property of taxicab connectivity [61] from
non-stochastic information theory, which cannot be directly
adopted in our analysis. The similarities in our findings
(albeit over quite different problem formulations and analysis
techniques) suggest that quantization-based mechanisms may
be a universally good solution for private data release problems
subject to worst-case distortion constraints. This question may
be an interesting direction for future work.
III. P ROBLEM F ORMULATION
Notation: We denote random variables with uppercase English
letters or upright Greek letters (e.g., X, μ), and their realiza-
tions with italicized lowercase letters (e.g., x, μ). For a random
variable X, we denote its probability density function (PDF) as
fX , and its distribution measure as ωX . If a random variable X is
drawn from a parametric family (e.g., Gaussian with specified
mean and covariance), the parameters will be denoted with a
subscript of X, i.e., the above notations become Xθ , fXθ , ωXθ
respectively for parameters θ ∈ Rq , where q ≥ 1 denotes the
dimension of the parameters. In addition, we denote fX|Y as the
conditional PDF or PMF of X given another random variable
Y. We use Z, Z>0 , N, R, R>0 , to denote the set of integers,
positive integers, natural numbers, real numbers, and positive
real numbers, respectively.
Original data: Consider a data holder who possesses a dataset
of n samples X = {x1 , . . . , xn }, where for each i ∈ [n],
xi ∈ R is drawn i.i.d. from an underlying distribution. We
assume the distribution comes from a parametric family, and
the parameter vector θ ∈ Rq of the distribution fully specifies
the distribution. That is, xi ∼ ωXθ , where we further assume
that θ is itself a realization of random parameter vector ,
and ω is the probability measure for . We will discuss
how to relax the assumption on this prior distribution of θ in
Section VIII. We assume that the data holder knows θ (and
hence knows its full data distribution ωXθ ); our results and
mechanisms generalize to the case when the data holder only
possesses the dataset X (see Section VI).
For example, suppose the original data samples come from
a Gaussian distribution. We have θ = (μ, σ ), and Xθ ∼
N (μ, σ ). ω (or f ) describes the prior distribution over
(μ, σ ). For example, if we know a priori that the mean of the
Gaussian is drawn from a uniform distribution between 0 and
1, and σ is always 1, we could have f (μ, σ ) = I(μ ∈ [0, 1])·
δ(σ ), where I(·) is the indicator function, and δ is the Dirac
delta function.
Statistical secret to protect: We assume the data holder wants
to hide a secret quantity, which is defined as a function of
the original data distribution. Since the true data distribution
is fully specified by parameter vector θ , we define the secret
as a function of θ as follows: g(θ ):Rq → R. In the Gaussian
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
373
example Xθ ∼ N (μ, σ ), suppose the data holder wishes to
hide the mean; we thus have that g(μ, σ ) = μ.
Data release mechanism: The data holder releases data
by passing the private parameter θ through a data release
mechanism Mg . That is, for a given θ , the data holder
first draws internal randomness z ∼ ωZ , and then releases
another distribution parameter θ = Mg (θ, z), where Mg is
a deterministic function, and ωZ is a fixed distribution from
which z is sampled. Note that we assume both the input and
output of Mg are distribution parameters. It is straightforward
to generalize to the case when the input and/or output are
datasets of samples (see Section VI).
For example, in the Gaussian case discussed above, one
data release mechanism could be Mg ((μ, σ ), z) = (μ + z, σ )
where z ∼ N (0, 1). I.e., the mechanism shifts the mean by a
random amount drawn from a standard Gaussian distribution
and keeps the variance.
Threat model: We assume that the attacker knows the
parametric family from which the data is drawn, and has a
prior over the parameter realization, but does not know the
initial parameter θ . The attacker also knows the data release
mechanism Mg and output θ but not the realization of the
data holder’s internal randomness z. The attacker guesses the
 ) based on the released parameter θ according
initial secret g(θ
to estimate ĝ θ . ĝ can be either random or deterministic, and
we assume no computational bounds on the adversary. For
instance, in therunning Gaussian example, an attacker may
choose ĝ μ , σ = μ .
Privacy metric: The data holder wishes to prevent an attacker
from guessing its secret g(θ ).
Inspired by min-entropy, we define our privacy metric
privacy ,ω as the attacker’s probability of guessing the
secret(s) to within a tolerance , taken worst-case over all
attackers ĝ:
   
,ω  sup P |ĝ θ − g(θ )| ≤  . (2)
ĝ
The probability is taken over the randomness of the original
data distribution (θ ∼ ω ), the data release mechanism (z ∼
ωZ ), and the attacker strategy (ĝ).
Remark: This privacy metric is an average-case guarantee
over the prior distribution of the parameters ω . A natural
question is whether this can be converted into a worst-case
privacy guarantee, as is common in many privacy frame-
works [16], [18], [28]. However, a worst-case variant of the
metric (worst-case over prior distributions) is too stringent; no
mechanism can achieve meaningful privacy (< 1), as formally
stated below (proof in Appendix D-A in the supplementary
material).
Proposition 1: There is no data release mechanism whose
privacy value satisfies
sup ,ω < 1.
ω
Distortion metric: The main goal of data sharing is to provide
useful data; hence, we (and data holders and users) want to
understand how much the released data distorts the original
374 IEEE JOURNAL ON SELECTED AREAS IN INFORMATION THEORY, VOL. 5, 2024

data. We define the distortion of a mechanism as the worst- The proof is shown as below. From Theorem 1 we see
case distance between the original distribution and the released that the lower bound of distortion scales inversely with the
distribution: privacy budget and positively with the tolerance threshold .
  The dependent quantity γ in Eq. (5) can be thought of as a
 sup d ωXθ ωXθ , (3) conversion factor that bounds the translation from probability
θ∈Supp(ω ),θ ,
z∈Supp(ωZ ):Mg (θ,z)=θ of detection to distributional distance. Note that we have not
made γ exact as its form depends on the type of the secret and
where d is Wasserstein-1 distance. We use a worst-case prior distribution of data. We will instantiate it in the cases
definition of distortion because in data sharing settings, data studies in Section VI.
is typically released in one shot, so that data should be Proof: Our proof proceeds by constructing an ensemble of
useful even in the worst case. Wasserstein-1 distance is attackers, such that at least one of them will be correct by
commonly used as the distance metric in neural network construction. We do this by partitioning the space of possible
design (e.g., [62], [63]). Note that the definition in Eq. (3) can secret values, and having each attacker output the midpoint
be extended to data release mechanisms that take datasets as of one of the subsets of the partition. We then use the fact
inputs and/or outputs. that each attacker can be correct with probability at most
Formulation: To summarize, the data holder’s objective is to T, combined with γ , which intuitively relates the distance
choose a data release mechanism that minimizes distortion between distributions to the distance between their secrets, to
subject to a constraint on privacy ,ω : derive the claim. Recall that θ is the true private parameter
vector, θ is the released parameter vector as a result of the
min
Mg data release mechanism.
subject to ,ω ≤ T. (4) T ≥ ,ω
    
The reverse formulation, minMg ,ω subject to ≤ T is = sup P ĝ θ ∈ g(θ ) − , g(θ ) + 
analyzed in Appendix B in the supplementary material. ĝ
  
The optimal data release mechanisms for Eq. (4) depends   
= sup E P ĝ θ ∈ g(θ ) − , g(θ ) +  θ
on the secrets and the characteristics of the original data. Data ĝ
holders specify the secret function they want to protect and  
  
select the data release mechanism to process the raw data for = E sup P ĝ θ ∈ g(θ ) − , g(θ ) +  θ , (7)
sharing. ĝ
Our goal is to study: (1) What are fundamental limits on
where Eq. (7) is due to the following
   facts: 
the tradeoff between privacy and distortion? (2) Do there
• LHS ≤ RHS, as supĝ P ĝ θ ∈ g(θ ) − , g(θ ) +  |θ
exist data release mechanisms that can match or approach     
≥ P ĝ θ ∈ g(θ ) − , g(θ ) +  |θ for any θ .
these fundamental limits? In general, these questions can
• RHS ≤ LHS: Let us define
have different answers for different parametric families of  
data distributions and secret functions. In Sections IV and V,   
tθ  sup P ĝ θ ∈ g(θ ) − , g(θ ) +  θ .
we first present general results that do not depend on data ĝ
distribution or secret function. We then present case studies for
specific secret functions and data distributions in Section VI. RHS=
  θ f (θ )tθ dθ . We can define an attacker as
ĝ θ = tθ . In that case,
  
IV. G ENERAL L OWER B OUND ON P RIVACY -D ISTORTION   
T RADEOFFS E P ĝ θ ∈ g(θ ) − , g(θ ) +  θ

Given a privacy budget T, we first present a lower bound  
on distortion that applies regardless of the prior distribution = f θ tθ dθ .
θ
of data ω and regardless of the secret g. In other words, this
Therefore, LHS≥RHS.
applies for arbitrary correlations between parameters, which
Thus, there exists θ s.t.
are captured by the prior ω .  
Theorem 1 (Lower Bound 
 of Privacy-Distortion Tradeoff):   
  sup P ĝ θ ∈ g(θ ) − , g(θ ) +  θ ≤ T.
Let D Xθ1 , Xθ2  12 d ωXθ1 ωXθ2 , where d(· ·) denotes ĝ
 
Wasserstein-1 distance. Further, let R Xθ1 , Xθ2  Let
|g(θ1 ) − g(θ2 )| and
  Lθ  inf g(θ ),
D Xθ1 , Xθ2 θ∈Supp(ω ),z:Mg (θ,z)=θ
γ  inf  . (5)
θ1 ,θ2 ∈Supp(ω ) R Xθ1 , Xθ2 Rθ  sup g(θ ).
θ∈Supp(ω ),z:Mg (θ,z)=θ
For any T ∈ (0, 1), when ,ω ≤ T,
  We can define
 a sequence of attackers and a constant N such
1 that ĝi θ = Lθ + (i + 0.5) · 2 for i ∈ {0, 1, . . . , N − 1} and
>  − 1 · 2γ . (6)
T Lθ + 2N ≥ Rθ > Lθ + 2(N − 1) (Fig. 3). From the above,

Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
LIN et al.: SUMMARY STATISTIC PRIVACY IN DATA SHARING 375

Therefore, we have
   
sup D Xθ1 , Xθ2 = D Xθ1 , Xθ2
θi ∈Supp(ω ),zi :Mg (θi ,zi )=θ
   1 
≥ γ · R Xθ1 , Xθ2 >  − 1 · 2γ ,
T

Fig. 3. The construction of attackers for proof of Theorem 1. The  2 ranges of

where the last inequality utilizes the results from Eq. (8).
ĝ0 , . . . , ĝN−1 jointly cover the entire range of possible secret Lθ , Rθ . The
probability ofguessingthe secret correctly for any attacker is ≤ T. Therefore,
Rθ − Lθ > T1  − 1 · 2 (Eq. (8)).
V. DATA R ELEASE M ECHANISMS
We first present in Section V-A the quantization mechanism,
we have a template for data release mechanisms used in the case studies
     
of Section VI. The quantization mechanism can be instantiated
T ·N ≥ P ĝi θ ∈ g(θ ) − , g(θ ) +  θ ≥ 1, differently for different secret functions and data distributions.
i
We show in Section V-B techniques for instantiating the
Therefore, we have N ≥ T ,
1
and quantization mechanism, either based on theoretical insights
  or numerically. Finally, we give some intuition in Section V-C
1
Rθ − Lθ >  − 1 · 2. (8) about how to analyze the quantization mechanism. These
T insights will be used in our case studies (Section VI) to
Then we have show that we can sometimes match the lower bounds from
  Section IV up to small constant factors.
≥ sup d ωXθ ωXθ
θ∈Supp(ω ),z∈Supp(ωZ ):Mg (θ,z)=θ
 
≥ sup D Xθ1 , Xθ2 (9) A. The Quantization Mechanism
θi ∈Supp(ω ),zi :Mg (θi ,zi )=θ At a high level, the quantization mechanisms follow two
 
1 steps:
>  − 1 · 2γ . (10)
T 1) Offline Phase: Partition the space of parameters
Supp( ) into carefully-chosen bins.
where in Eq. (9), θi for i ∈ {1, 2} denotes two arbitrary
2) Online Phase: For an observed data distribution parame-
parameter vectors in the support space, and Eq. (9), Eq. (10)
ter θ , deterministically release the quantized parameters,
are derived as follows:
according to the partition from the Offline Phase.
• Eq. (9): Let
  More precisely, we first divide the set of possible distribu-
θ1 , θ2 = arg sup D Xθ1 , Xθ2 . tion parameters Supp( ) into subsets Si such that ∪i∈I Si ⊇
θi ∈Supp(ω ):∃zi s.t.Mg (θi ,zi )=θ Supp( ) and Si1 ∩Si2 = ∅ for i1 = i2 , where I is the (possibly
From the  triangle inequality, we know  that uncountable) set of indices of the subsets. For θ ∈ Supp( ),
  
d ωXθ ωXθ ≤ d ωXθ ωXθ + d ωXθ ωXθ . By I(θ ) is the index of the set that θ belongs to; in other words,
1 2 1 2 we have I(θ ) = i, where θ ∈ Si . The mechanism first looks
definition, we also know that for i = 1, 2,
  up which set θ belongs to (i.e., I(θ )), then deterministically
  ∗
d ωXθ ωXθ ≤ sup d ωXθ ωXθ . releases a parameter θI(θ) that corresponds to the set. Here,
i θ∈Supp(ω ),z∈Supp(ωZ ):Mg (θ,z)=θ ∗
θi for i ∈ I denotes another parameter. This data release
Therefore, we have mechanism has the form
1   1   ∗
Mg (θ, z) = θI(θ) .
RHS ≤ d ωXθ ωXθ + d ωXθ ωXθ = LHS.
2 1 2 2

• Eq. (10): Let Note that the policy is fully determined by Si and θi∗ .
  We will show different ways of instantiating the quantization
θ1 , θ2 = arg sup D Xθ1 , Xθ2 , mechanism to approach the lower bound in Section IV.
θi ∈Supp(ω ):∃zi s.t.Mg (θi ,zi )=θ
  Intuitively, quantization
 mechanisms
 will have a bounded
θ1 , θ2 = arg inf R Xθ1 , Xθ2 .
θi ∈Supp(ω ):∃zi s.t.Mg (θi ,zi )=θ distortion as long as d ωXθ ωXθ ∗ is bounded for all θ ∈
I(θ)
We have Supp( ). At the same time, they obfuscate the secret as
  different data distributions within the same set are mapped
D Xθ1 , Xθ2
γ  inf   to the same released parameter. This simple deterministic
θ1 ,θ2 ∈Supp(ω ) R Xθ1 , Xθ2
    mechanism is sufficient to achieve the (order) optimal privacy-
D Xθ1 , Xθ2 D Xθ1 , Xθ2 distortion trade-offs in many cases, as opposed to differential
≤   ≤  . privacy, which requires randomness to provide theoretical
R Xθ1 , Xθ2 R Xθ1 , Xθ2 guarantees [16] (examples in the case studies of Section VI).

Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
376 IEEE JOURNAL ON SELECTED AREAS IN INFORMATION THEORY, VOL. 5, 2024

B. Algorithms for Instantiating the Quantization Mechanism possible parameters is divided into infinitely many subsets
To implement the quantization mechanism, we need to Sμ,i , each consisting of a diagonal line segment (parallel blue
define the quantization bins Si and the released parameter per lines in Fig. 4). The space of possible σ values is divided
bin θi∗ . Depending on the data distribution, the secret function, into segments of length s, which correspond to the horizontal
and quantization mechanism parameters, the mechanism can bands in Fig. 4. Given this choice of intervals, the mechanism
have very different privacy-distortion tradeoffs. We present proceeds as follows: when the true distribution parameters fall
two methods for selecting quantization parameters: (1) an in one of these intervals, the mechanism releases the midpoint
analytical approach, and (2) a numeric approach. of the interval. The fact that the intervals Sμ,i are diagonal
1) Analytical Approach (Sketch): In some cases, outlined lines arises from choosing t(θ1 , θ2 ) = μσ11 −μ 2
−σ2 ; each interval
in the case studies of Section VI and the appendices, we can corresponds to a set of points (μ̃, σ̃ ) that satisfy t(θ1 , θ2 ) = t0 ,
find analytical expressions for Si and θi∗ while (near-)optimally i.e., with slope 1/t0 .
trading off privacy for distortion. This is usually possible when We show how to use this construction to upper bound
the lower bound depends on the problem parameters in a privacy-distortion tradeoffs in Section V-C.
specific way (see below). We will next illustrate the procedure 2) Numeric Approach: In some cases, the above procedure
through an example; precise analysis is given in Section VI. may not be possible. We next present a dynamic programming
For example, for the Gaussian distribution where θ = algorithm to numerically compute the quantization mechanism
(μ, σ ), when secret=standard deviation, we can work out the parameters. This algorithm achieves an optimal privacy-
lower bound from Theorem 1 (details in Appendix H in the distortion tradeoff [64] among quantization algorithms with
supplementary material). Note that the lower bound is tight if finite precision and continuous intervals Si . We use this
our mechanism minimizes algorithm (presented for univariate data distributions) in some
     of the case studies in Section VI.
D Xμ1 ,σ1 , Xμ2 ,σ2 −μ2 2
1 − 12 μσ1 −σ  
  = e 1 2 We assume Supp( ) = θ, θ , where θ , θ are lower
R Xμ1 ,σ1 , Xμ2 ,σ2 2π and upper bounds of θ , respectively. We consider  the

   
μ1 − μ2 1 μ1 − μ2 class of quantization mechanisms such that Si = θ i , θ i ,
− − , (11)
σ1 − σ2 2 σ1 − σ2 i.e., each subset of parameters are in a continuous range.
    Furthermore, we explore mechanisms such that θ i , θ i , θi∗ ∈
where D Xθ1 , Xθ2 and R Xθ1 , Xθ2 are defined in Theorem 1, 
and denotes the CDF of the standard Gaussian distribution. θ , θ + κ, θ + 2κ, . . . , θ , where κ is a hyper-parameter that
That is, for any true parameters μ1 and σ1 , the mechanism encodes numeric precision (and therefore divides (θ − θ )).
should always choose to release μ2 and σ2 such that Eq. (11) For example, if we want to hide the mean of a Geometric
is as small as possible. The exact form of Eq. (11) is not random variable with θ = 0.1 and θ = 0.9, we could consider
important for now; notice instead that the problem parameters three-decimal-place precision, i.e., κ = 0.001 and θ i , θ i , θi∗ ∈
(σi , μi ) take the same form every time they appear in this {0.100, 0.101, 0.102, . . . , 0.900}.
equation. We define t(θ1 , θ2 ) = μσ11 −μ 2 2
−σ2 to be that form. Next,
Since (Eq. (3)) is defined as the worst-case distortion
we find the t(θ1 , θ2 ) that minimizes Eq. (11): whereas ,ω (Eq. (2)) is defined as a probability, which
  is related to the original data distribution, optimizing ,ω
D Xθ , Xθ2 given bounded (Eq. (15)) is easier to solve than the final
t0  arg inf  1 
t(θ1 ,θ2 ) R Xθ1 , Xθ2 goal of optimizing given bounded ,ω (Eq. (4)).
For instance, in our Gaussian example, we can write t0 as min ,ω subject to ≤ T. (15)
   Mg
1 − 1 (t(θ1 ,θ2 ))2 1
t0 = arg inf e 2 − (t(θ1 , θ2 )) − (t(θ1 , θ2 )) , Observing that in Eq. (4) the optimal value of minMg is
t(θ1 ,θ2 ) 2π 2
a monotonic decreasing function w.r.t. the threshold T, we
which can be solved numerically.
 Finally, we can choose Si can use a binary search algorithm (shown in Appendix C
and θi∗ to be sets for which t θ, θi∗ = t0 , ∀θ ∈ Si . Using this in the supplementary material) to reduce problem Eq. (4)
rule, we derive the mechanism: to problem Eq. (15). It calls an algorithm that finds the
   s s 
Sμ,i = μ + t0 · t, σ + (i + 0.5) · s + t |t ∈ − , ,(12) optimal quantization mechanism with numerical precision over
  2 2 continuous intervals under a distortion budget T (i.e., solving
∗
θμ,i = μ, σ + (i + 0.5) · s , (13) Eq. (15)). This problem can be solved  by a dynamic program- 
I = {(μ, i)|i ∈ N, μ ∈ supp(ωV)}, (14) ming algorithm. Let pri(t∗ ) (t∗ ∈ θ , θ + κ, θ + 2κ, . . . , θ )
be
 the minimal
  privacy ,ω we can get for Supp( ) =
where
 s is a hyper-parameter of the mechanism that divides Xθ :θ ∈ θ , t∗ such that ≤ T. Denote D(θ1 , θ2 ) as the
σ − σ , and σ , σ are upper and lower bounds on σ , deter- minimal distortion a quantization mechanism can achieve
mined by the adversary’s prior. under the quantization bin [θ1 , θ2 ), we have
For our Gaussian example, the resulting sets Sμ,i for the  
quantization mechanism are shown in Fig. 4; the space of D(θ1 , θ2 ) = infq sup d ωXθ ωXθ ,
θ∈R θ ∈[θ1 ,θ2 )
2 Indeed, for many of the case studies in Section VI, t(θ ) takes an analogous
form; we will see the implications of this in the analysis of the upper bound where d(· ·) is defined in Eq. (3). We also  denote
in Section V-C. D∗ (θ1 , θ2 ) = arg infθ∈[θ1 ,θ2 ) supθ ∈[θ1 ,θ2 ) d ωXθ ωXθ . If the

Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
LIN et al.: SUMMARY STATISTIC PRIVACY IN DATA SHARING 377

prior over parameters is f , we have the Bellman equation Algorithm 1: Dynamic-Programming-Based Data Release
θ Mechanism for Single-Parameter Distributions
  θ f (t)dt
pri t∗ = min pri(θ )  
t∗ Input: Parameter range: θ, θ
θ∈[ θ,t∗ −κ ],D(θ,t∗ )≤T θ f (t)dt
Prior over parameter: f
t∗
θ f (t)dt  ∗  Distortion budget: T
+ t∗
P θ, t Step size: κ (which divides θ − θ )
θ f (t)dt
  1
  ←0
pri(θ)
with the initial state pri θ = 0, where 2 I θ ←∅
        for t∗ ← θ + κ, θ + 2κ, . . . , θ do
P θ, t∗ = P ĝ∗ θ ∈ g(θ0 ) − , g(θ0 ) +  |θ0 ∈ θ, t∗ , θ 3

min {t2 ,t∗ }

4 pri(t∗ ) ← ∞
max {t1 ,θ} f (t)dt 5 min_t ← NULL
= sup t∗
. 6 for θ ← t∗ − κ, . . . , θ do
t1 ,t2 : supt ,t ∈[t ,t ] |g(t )−g(t )|=2
1 2 θ f (t)dt 7 if D(θ, t∗ ) > T then
θ is the released parameter when the private parameter
8 break
θ0 ∈ θ, t∗ and ĝ∗ is the optimal attack strategy. The full θ
θ f (t)dt t∗
f (t)dt
algorithm is listed 9 p← t∗ · pri(θ ) + θ
t∗ · P(θ, t∗ )
 in Algorithm
2
1. The time complexity of this
θ f (t)dt θ f (t)dt
algorithm is O θ −θ/κ · CD · CP · CI , where CD is the time 10 if p < pri(t∗ ) then
complexity for computing D and D∗ , CP is the time complexity 11 pri(t∗ ) ← p
for computing P, and CI is the time complexity for computing 12 min_t ← θ
the integrals in the Bellman equation. In our cases
 studies,
D and D∗ can be computed in CD = O θ −θ/κ , and P and 13 if min_t is not NULL then
the integrals can be computed in closed forms within constant 14 St∗ ← min_t, t∗ )
time, i.e., CP = CI = O(1). 15 θt∗ ← D∗ (min_t, t∗ )
When dynamic programming is not practical (e.g., in high- 16 I(t∗ ) ← I(min_t) ∪ {t∗ }
dimensional problems), we also provide a greedy algorithm in
17 if pri(θ ) = ∞ then
Appendix C in the supplementary material as a baseline and
18 ERROR: No answer
show the empirical comparison between these two algorithms      
in the case studies (Appendices F, H and I in the supplementary 19 return pri(θ), Si :i ∈ I θ , θi :i ∈ I θ
material).

C. Technique for Analyzing the Quantization Mechanism

We next provide an overview of techniques for analyzing the
quantization mechanism, both for privacy and for distortion.
We use these techniques for the analysis in our case studies,
where we will make the expressions and claims more precise.
For concreteness, we will recall the Gaussian example from
Section V-B, for which we have already derived a mechanism.
The mechanism presented in Section V-B can geometrically
be interpreted as follows. Over the square of possible param-
eter values μ and σ (Fig. 4), the mechanism selects intervals
Fig. 4. We separate the space of possible parameters into two regions (yellow
Sμ,i that consist of short diagonal line segments (e.g., blue line and green) and bound the attacker’s success rate on each region separately.
segments in Fig. 4). When the true distribution parameters fall The blue lines represent examples of Sμ,i .
in one of these intervals, the mechanism releases the midpoint
of the interval.
∗
 
We find that many of our case studies naturally give θμ,i = μ, σ + (i + 0.5) · s ,
rise to the same form of t(θ ). As a result, all of the case I = {(μ, i)|i ∈ N, μ ∈ R},
studies we analyze theoretically (with multiple parameters)
have mechanisms that instantiate intervals Sμ,i as diagonal where s is a hyper-parameter of
lines, as shown in Fig. 4. The sawtooth technique, which we the mechanism
 that denotes
quantization bin size and divides σ − σ and t0 is a constant
present next, can be used to analyze the privacy of all such that can be determined by the mechanism design strategy
mechanism instantiations. More precisely, the following pat- described in Section V-B.
tern of quantization mechanism admits diagonal line intervals,
and can be analyzed with the sawtooth technique (Section VI (1) Privacy analysis: For ease of illustration, we
assume
 that
 the support of parameters is Supp( ) =
and Appendices F and H in the supplementary material):  
   s s  (a, b)|a ∈ μ, μ , b ∈ σ , σ , but the analysis can be gen-
Sμ,i = μ + t0 · t, σ + (i + 0.5) · s + t |t ∈ − , , eralized to any case.
2 2
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
378 IEEE JOURNAL ON SELECTED AREAS IN INFORMATION THEORY, VOL. 5, 2024

In Fig. 4, we separate the space of possible data parameters

into two regions represented by yellow and green colors. The
yellow regions Syellow constitute right triangles with height
s and width |t0 |s. The green region Sgreen is the rest of
the parameter space. The high-level idea of our proof is as
follows. Note that for any parameter θ ∈ Sgreen , there exists
a quantization bin Sμ,i s.t. θ ∈ Sμ,i and Sμ,i ⊂ Sgreen . This
occurs because the mechanism intervals (blue lines in Fig. 4)
all have the same slope and a length of at most s for σ . As
such, each interval is either fully in the green region, or fully
Fig. 5. Illustration of the data release mechanism for continuous distributions
in the yellow region. Since we know the length of each bin, when secret=mean.
we can upper bound the attack success rate if θ ∈ Sgreen . While
the attacker can be more successful in the yellow region, the
probability of θ ∈ Syellow is small. Hence, we upper bound the A. Secret = Mean
overall attacker’s success rate (i.e., ,ω ). More specifically,
In this section, we discuss how to protect the mean of a
let the optimal attacker be ĝ∗ . We have
distribution for general continuous distributions. We start with
     a lower bound.
,ω = P ĝ∗ θ ∈ g(θ ) − , g(θ ) +  Corollary 1 (Privacy lower bound, secret = mean of
 a continuous distribution): Consider the secret function g(θ ) =
    
= p(θ )P ĝ∗ θ ∈ g(θ ) − , g(θ ) +  dθ
θ∈Sgreen x xfX  any T ∈ (0, 1), when ,ω ≤ T, we have
θ (x)dx. For
 > T1  − 1 · .
    
+ p(θ )P ĝ∗ θ ∈ g(θ ) − , g(θ ) +  dθ The proof is in Appendix D-B in the supplementary mate-
θ∈Syellow
     rial. We next design a data release mechanism that achieves a
< sup P ĝ∗ θ ∈ g(θ ) − , g(θ ) +  tradeoff close to this bound.
θ∈Sgreen
 Data release mechanism. To begin, we restrict ourselves
+ p(θ )dθ to continuous distributions that can be parameterized with a
θ∈Syellow
location parameter, where the prior distribution of the location
parameter is uniform and independent of other factors:
The first term can be bounded away from 1 due to the Assumption 1: The distribution parameter vector θ can be
carefully chosen t0 . The second term is bounded away from written as (u, v), where u ∈ R, v ∈ Rq−1 , and for any u =

1 because the size of Syellow is relatively small. The formal u , fXu,v (x) = fXu ,v x − u + u . The prior over distribution
justification is given in Theorem 3 and Appendices D-E2, G-B parameters fU,V (a, b) = fU (a) · fV (b), where fU (a) =
  is 
and H-D in the supplementary material. 1
I a ∈ u, u .
u−u
(2) Distortion analysis. For the distortion performance, it is Examples include the Gaussian, Laplace, and uniform
straightforward to show that distributions, as well as shifted distributions (e.g., shifted
 
∗ exponential, shifted log-logistic). We relax this assumption
= supθ∈Supp( ) d ωXθ ωXθ ∗ , where θI(θ) is the to Lipschitz-continuous priors in Appendix E-A in the sup-
I(θ)
released parameter when the original parameter is θ . This plementary material, which can capture some degree of
quantity can often be derived directly from the mechanism and correlations between U and V. Using the strategy from
parameter support. Section V-B, we derive the following quantization mechanism.
Mechanism 1 (For secret = mean of a continuous distribu-
tion): The parameters of the data release mechanism are
  
Si,v = (t, v)|t ∈ u + i · s, u + (i + 1) · s ,
VI. C ASE S TUDIES
∗ = u + (i + 0.5) · s, v,
θi,v
In this section, we instantiate the general results on concrete
distributions and secrets (mean Section VI-A, quantile Section I = {(i, v):i ∈ {0, 1, . . . , N − 1}, v ∈ suppωV },
VI-B, and we defer standard deviation and discrete distribu-
where
 s is a hyper-parameter of the mechanism that divides
tion fractions to Appendices H and I in the supplementary u−u
u − u and N = s ∈ N.
material). See Table I for a summary of each setting we
Fig. 5 shows an example when the original  data  distribution
consider, and a pointer to any theoretical results. Our results
in each setting generally include a privacy lower bound, a is Gaussian, i.e., Xθ ∼ N (u, v), and u ∈ μ, μ . Intuitively,
concrete instantiation of the quantization mechanism, and our data release mechanism “quantizes” the range of possible
privacy-distortion analysis of the data release mechanisms. In mean values into segments of length s. It then shifts the mean
Section VI-C, we will discuss how to extend the data release of private distribution fXu,v to the midpoint of its corresponding
mechanisms to the cases when data holders only have data segment, and releases the resulting distribution. This simple
samples and do not know the parameters of the underlying deterministic mechanism is able to achieve order-optimal
distributions. privacy-distortion tradeoff in some cases, as shown below.

Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
LIN et al.: SUMMARY STATISTIC PRIVACY IN DATA SHARING 379

TABLE I
S UMMARY OF THE C ASE S TUDIES W E C OVER , AND L INKS TO THE C ORRESPONDING R ESULTS

 
Proposition 2: Under Assumption 1, Mechanism 1 has the operator to divide λ − λ , where λ and λ are upper and
privacy ,ω ≤ 2s and distortion = 2s < 2 opt ( ,ω ), lower bounds of λ.
where opt ( ,ω ) is the minimal distortion any data release • Exponential:
mechanism can achieve given privacy level ,ω .  
The proof is in Appendix D-C in the supplementary mate- Si = λ + i · s, λ + (i + 1) · s ,
rial. The two takeaways from this proposition are that: (1) the θi∗ = λ + (i + 0.5) · s,
data holder can use s to control the trade-off between distortion
I = N.
and privacy, and (2) the mechanism achieves an order-optimal
distortion with multiplicative factor 2. • Shifted exponential:
   s s 
B. Secret = Quantiles Si,h = λ + (i + 0.5)s + t, h − t0 · t |t ∈ − , ,
  2 2
In this section, we show how to protect the α-quantile of ∗
θi,h = λ + (i + 0.5)s, h ,
the exponential distribution and the shifted exponential distri-
bution. We analyze the Gaussian and uniform distributions in I = {(i, h)|i ∈ N, h ∈ R},
Appendix G in the supplementary material. We choose these
distributions as the starting point of our analysis as many where
⎧    
distributions in real-world data can be approximated by one ⎨ −1 − ln(1 − α) − W−1 − ln(1−α)+1 α ∈ [0, 1 − e−1 )
of these distributions. t0 =  2(1−α)e  .
⎩ −1 − ln(1 − α) − W0 − ln(1−α)+1 α ∈ [1 − e−1 , 1)
In our analysis, the parameters of (shifted) exponential 2(1−α)e
distributions are denoted by:
• Exponential distribution: θ = λ, where λ is the scale
For the privacy-distortion trade-off analysis of
parameter: fXλ (x) = λ1 e−x/λ . Mechanism 2, we assume that the parameters of the original
• Shifted exponential distribution generalizes the exponen-
data are drawn from a uniform distribution with lower and
tial distribution with an additional shift parameter h: θ = upper bounds. Again, we relax this assumption to Lipschitz
(λ, h). In other words, fXλ,h (x) = λ1 e−(x−h)/λ . priors in Appendix E-B in the supplementary material.
As before, we first present a lower bound. Precisely,
Corollary 2 (Privacy lower bound, secret = α-quantile of a Assumption 2: The prior over distribution parameters is:
• Exponential: λ follows the uniform distribution over
continuous distribution): Consider the secret function g(θ ) =  
α-quantile of fXθ . For λ, λ .
 any T ∈ (0, 1), when ,ω ≤ T, we • Shifted exponential: (λ, h) follows the uniform distribu-
have > T1  − 1 · 2γ , where γ is defined as follows:     
tion over (a, b)|a ∈ λ, λ , b ∈ h, h .
• Exponential:
We relax Assumption 2 and analyze the privacy-distortion
1 trade-off of Mechanism 2 in Appendix E-B in the supplemen-
γ =− . tary material.
2 ln(1 − α)
Proposition 3: Under Assumption 2, Mechanism 2 has the
• Shifted exponential: following ,ω and value/bound.
⎧
• Exponential:
⎪
⎪
⎪ ln(1−α)+1 −1
⎨ 2 1 + W−1 − ln(1−α)+1  α ∈ [0, 1 − e )
1
⎪
2 1
= , = s<2 opt .
2(1−α)e
γ = , ,ω
⎪
⎪ − ln(1 − α)s 2
⎪ 1 1 + ln(1−α)+1
⎪   α ∈ [1 − e−1 , 1)
⎩2 W0 − ln(1−α)+1
2(1−α)e • Shifted exponential:
where W−1 and W0 are Lambert W functions. 2 |t0 |s
The proof is given in Appendix D-D in the supplementary ,ω < + ,
|ln(1 − α) + t0 |s h − h
material. Next, we provide data release mechanisms for each of s
the distributions that achieve trade-offs close to these bounds. (t0 − 1) + se−t0
=
2
Mechanism 2 (For secret = α-quantile of a continuous dis-
tribution): We design mechanisms for each of the distributions. |t0 | · |ln(1 − α) + t0 |s2
< 2+   opt .
In both cases, s > 0 is the quantization bin size chosen by  h−h

Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
380
s2
Under the high-precision regime where
h−h
s, (h − h) → ∞, when α ∈ [0.01, 0.25] ∪ [0.75, 0.99],
satisfies
lim sup <3 opt .
s2
→0
h−h
opt is the optimal achievable distortion given the privacy
achieved by Mechanism 2, and t0 is a constant defined in
Mechanism 2.
The proof is in Appendix D-E in the supplementary mate-
rial. Note that the quantization bin size s cannot be too small,
or the attacker can always successfully guess the secret within
a tolerance  (i.e., ,ω = 1). Therefore, for the “high-
precision” regime, we consider the asymptotic scaling as both
2
s and h − h grow. When s > 1, the scaling condition s → 0
h−h
implies a more interpretable condition of s → 0, which says
h−h
that the bin size is small relative to the parameter space. For
example, this condition is required when the secret tolerance
 > 1/2 (i.e., we need a bin size s > 1 to achieve non-trivial
privacy guarantees).
Proposition 3 shows that the quantization mechanism is
order-optimal with multiplicative factor 2 for the expo-
nential distribution. For shifted exponential distribution,
order-optimality holds asymptotically in the high-precision
regime.
C. Extending Data Release Mechanisms for Dataset Inputs
and Outputs
The data release mechanisms discussed in previous sec-
tions assume that data holders know the distribution parameter
of the original data. In practice, data holders often only have a
dataset of samples from the data distribution and do not know
the parameters of the underlying distributions. Quantization
data release mechanisms can be easily adapted to handle
dataset inputs and outputs.
The high-level idea is that the data holders can estimate
the distribution parameters θ from the data samples and
find the corresponding quantization bins Si according to the
estimated parameters, and then modify the original samples
as if they were sampled according to the released parameter
θi∗ . This may be infeasible for high-dimensional parameter
vectors θ ; we did not explore this question in the current
work. For brevity, we only present the concrete procedure for
secret=mean in continuous distributions as an example. For a
dataset of X = {x1 , . . . , xn }, the procedure is the following.
1) Estimate the mean from the data samples: μ̂ =
1
n i∈[n] xi .
2) According to Eq. (16), compute the index of the corre-
μ̂−μ
sponding set i =  s .
3) According to Eq. (13), change the mean of the data
samples to μtarget = μ + (i + 0.5) · s. This can be done
by a sample-wise operation xi = xi −μ̂ + μtarget.
4) The released dataset is Mg (X , z) = x1 , . . . , xn .
Note that this mechanism applies to samples. Therefore,
it can be applied either to the original data, or as an add-
on to existing data sharing tools [15], [65], [66], [67], [68].
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
IEEE JOURNAL ON SELECTED AREAS IN INFORMATION THEORY, VOL. 5, 2024
→ 0 as For example, it can be used to modify synthetically-generated
samples after they are generated, or to modify the training
dataset for a generative model, or to directly modify the
original data for releasing.
VII. E XPERIMENTS
In the previous sections, we theoretically demonstrated the
privacy-distortion tradeoffs of our data release mechanisms
in some special case studies. In this section, we focus on
orthogonal questions through real-world experiments: (1) how
well our data release mechanisms perform in practice when
the assumptions do not hold, and (2) how summary statistic
privacy quantitatively compares with existing privacy frame-
works (which we explained qualitatively in Section II).3
Datasets. We use two real-world datasets to simulate the
motivating scenarios.
1) Wikipedia Web Traffic Dataset (WWT) [69] contains
the daily page views of 145,063 Wikipedia web pages
in 2015-2016. To preprocess it for our experiments, we
remove the web pages with empty page view record
on any day (117,277 left), and compute the mean page
views across all dates for each web page. Our goal is
to release the page views (i.e., a 117,277-dimensional
vector) while protecting the mean of the distribution
(which reveals the business scales of the company).
2) Measuring Broadband America Dataset (MBA) [70]
contains network statistics (including network traf-
fic counters) collected by United States Federal
Communications Commission from homes across
United States. We select the average network traffic
(GB/measurement) from AT&T clients as our data. Our
goal is to release a copy of this data while hiding the
0.95-quantile (which reveals the network capability).
Baselines. We compare our mechanisms discussed in
Section VI with three popular mechanisms proposed in prior
work (Section II): differentially-private density estimation [23]
(shortened to DP), attribute-private Gaussian mechanism [18]
(shortened to AP), and Wasserstein mechanism for distribution
privacy [28] (shortened to DistP). As these mechanisms
provide different privacy guarantees than summary statistic
privacy, it is difficult to do a fair comparison between these
baselines and our quantization mechanism. We include them to
quantitatively show the differences (and similarities) between
various privacy frameworks.
For a dataset of samples X = {x1 , . . . , xn }, DP works
by: (1) Dividing the space into  m bins:
 B1, . . . , Bm . (2)
Computing the histogram Ci = nj=1 I xj ∈ Bi . (3) Adding
  
noise to the histograms
  Di = max 0, Ci + Laplace 0, β 2 ,
where Laplace 0, β 2 means a random noise from Laplace
distribution with mean 0 and variance β 2 . (4) Normalizing
the histogram pi = mDi D . We can then draw yi
j=1 j
according to the histogram and release Y = {y1 , . . . , yn }
with differential
  privacy
n guarantees. AP works by releasing
Y = xi + N 0, β 2 i=1 . DistP works by releasing Y =
3 Code available at https://github.com/fjxmlzn/summary_statistic_privacy.
LIN et al.: SUMMARY STATISTIC PRIVACY IN DATA SHARING
  n
xi + Laplace 0, β 2 i=1 . Note that for each of these mecha-
nisms, normally their noise parameters would be set carefully
to match the desired privacy guarantees (e.g., differential
privacy). In our case, since our privacy metric is different, it
is unclear how to set the noise parameters for a fair privacy
comparison. For this reason, we evaluate different settings of
the noise parameters, and measure the empirical tradeoffs.
Metrics. Our privacy and distortion metrics depend on the
prior distribution of the original data θ ∼ ω (though
the mechanism does not). In practice (and also in these
experiments), the data holder only has one dataset. Therefore,
we cannot empirically evaluate the proposed privacy and
distortion metrics, and resort to surrogate metrics to bound our
true privacy and distortion.
Surrogate privacy metric. For an original dataset X =
{x1 , . . . , xn } and the released dataset Y = {y1 , . . . , yn }, we
define the surrogate privacy metric ˜  as the error of an
attacker who guesses the secret of the released dataset as
the true secret: ˜   −|g(X ) − g(Y)|, where g(D) = mean
of D and 0.95-quantile of D in WWT and MBA datasets
respectively. Note that in the definition of ˜  , a minus sign
is added so that a smaller value indicates stronger privacy, as
in privacy metric Eq. (2). This simple attacker strategy is in
fact a good proxy for evaluating the privacy ,ω due to the
following facts. (1) For our data release mechanisms for these
secrets Mechanism 1,Mechanism 2, when the prior distribution
is uniform, this strategy is actually optimal, so there is a direct
mapping between ˜  and ,ω .
(2) For AP applied on protecting mean of the data (i.e.,
Wikipedia Web Traffic Dataset experiments), this strategy
gives an unbiased estimator of the secret. (3) For DP and
AP on other cases, this mechanism may not be an unbiased
estimator of the secret, but it gives an upper bound on the
attacker’s error.
Surrogate distortion metric. We define our surrogate distortion
metric as the Wasserstein-1 distance between the two datasets:

˜  d pX pY where pD denotes the empirical distribution of
a dataset D. This metric evaluates how much the mechanism
distorts the dataset.
In fact, we can deduce a theoretical lower bound for the
surrogate privacy and distortion metrics for secret = mean
(shown later in Fig. 6) using similar techniques as the proofs
in the main paper (see Appendix D-F in the supplementary
material).
A. Results
We enumerate the hyper-parameters of each method (bin
size and β for DP, β for AP and DistP, and s for ours). For each
method and each hyper-parameter, we compute their surrogate
privacy and distortion metrics. The results are shown in Fig. 6
(bottom left is best); each data point represents one realization
of mechanism Mg under a distinct hyperparameter setting.
Two takeaways are below.
(1) The proposed quantization data release mechanisms has
a good surrogate privacy-distortion trade-off, even when the
assumptions do not hold. The data distributions analyzed
in Section VI and in the Appendices may not always match
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
381
real data exactly. Our data release mechanism for mean (i.e.,
Mechanism 1 used in WWT) supports general continuous
distributions. Indeed, even for our surrogate metrics, our
Mechanism 1 is also optimal (see Appendix D-F in the
supplementary material, Fig. 6(a)). However, the quantization
data release mechanisms for quantiles (i.e., Mechanism 2
used in Fig. 6(b)) are order-optimal only when the dis-
tributions are within certain classes (Section VI-B). Since
network traffic in MBA is one-sided and heavy-tailed, we
use the data release mechanism for exponential distributions
(Mechanism 2), which is not heavy-tailed. Despite the dis-
tribution mismatch, the quantization data release mechanism
still achieves a good (surrogate) privacy-distortion compared
to DP, AP, and DistP (Fig. 6(b)).
(2) The quantization data release mechanisms achieve better
privacy-distortion trade-off than DP, AP, and DistP. AP and
DistP directly add Gaussian/Laplace noise to each sample.
This process does not change the mean of the distribution on
expectation. Therefore, Figure 6 shows that AP and DistP have
a bad privacy-distortion tradeoff. DP quantizes (bins) the sam-
ples before adding noise. Quantization has a better property in
terms of protecting the mean of the distribution, and therefore
we see that DP has a better privacy-distortion tradeoff than AP
and DistP, but still worse than the quantization mechanism.
Note that in Fig. 6(b), a few of the DP instances have better
privacy-distortion trade-offs than ours. This is not an indication
that DP is fundamentally better. Due to the randomness in DP
(from the added Laplace noise), some realizations of the noise
in this experiment give a better trade-off. Another instance
of the DP algorithm could give a worse trade-off, so DP’s
achievable trade-off points are widespread.
In summary, these empirical results confirm the intuition
in Section II that DP, AP, and DistP may not achieve good
privacy-utility tradeoffs for our problem. This is expected—
they are designed for a different objective. Additional results
on downstream tasks are in Appendix J in the supplementary
material.
VIII. D ISCUSSION AND F UTURE W ORK
This work introduces a framework for summary statistic
privacy concerns in data sharing applications. This framework
can be used to analyze the leakage of statistical information
and the privacy-distortion trade-offs of data release mecha-
nisms (Sections III and IV). The quantization data release
mechanisms can be used to protect statistical information
(Sections V and VI). However, many interesting open ques-
tions for future work remain.
Number of secrets. In this work, we studied the case where
the data holder only wishes to hide a single secret. In practice,
data holders often want to hide multiple properties of their
underlying data. The challenges of studying this setting are
twofold. The first is metric design. Although we can adopt
the same high level ideas of designing privacy and distortion
metrics in this paper, the data holders’ tolerances ( in the
current work) can differ for different secrets (e.g., from not
allowing any secret to be disclosed, to tolerating at most a
small subset of secrets being revealed). It is not clear which
382
Fig. 6. Privacy (lower is better) and distortion (lower is better) of AP, DP, DistP, and ours. Each point represents one instance of data release mechanism with
one hyper-parameter. “Lower bound” is the theoretical lower bound of the achievable region. Our data release mechanisms achieve better privacy-distortion
tradeoff than AP, DP, and DistP.
of these operating points is most practically relevant and
analytically tractable. Another challenge is tradeoff analysis.
With multivariate secrets and different data release goals, the
analysis of theoretical privacy-distortion tradeoff lower bounds
may require different analysis techniques.
The dimension and the type of data distributions. Although
the proof for the lower bound in Section IV applies to general
prior distributions, we analyze the quantization mechanism
under a limited set of one-dimensional distributions (Table I),
assuming different parameters of the distribution are drawn
independently (Section VI) or follow a Lipschitz-continuous
prior, (Appendices E, G-C and H-E in the supplementary
material), which can capture some degree of correlation. An
interesting direction for future work is to design mechanisms
that have good tradeoffs under prior distributions with arbi-
trarily correlated parameters.
Relation to Differential Privacy Figure 6 suggests that despite
being designed for a different threat model, the DP mechanism
does fairly well. As mentioned, this is because the mecha-
nism first bins data points, which is similar to quantization.
However, this raises an important question: under what condi-
tions on the true data, the secret quantity, and the mechanism
do differentially-private mechanisms achieve a good privacy-
utility tradeoff for our problem?
Robustness to practical factors. Our privacy metric ,ω
requires knowledge of the prior distribution of the parameters
ω . In practice, however, the data holders’ estimated prior ω̂
may not match the ground truth. A natural question is how
this mismatch affects the data holder’s privacy guarantees. To
this end, we first define a notion of robustness for our privacy
metric, and show that Mechanism 1 is not robust.
Definition 1 (Robustness to Prior Misspecification): Let ω
be the true prior distribution of the parameters, ω̂ be the
data holders’ estimated prior, and dω ,ω̂ be the Wasserstein-
1 distance between ω and ω̂ . For a mechanism Mg , the
privacy of it is ,ω , while the data holder miscalculate the
privacy as ,ω̂ . Mg is r-robust if for any  > 0, ω , and
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
IEEE JOURNAL ON SELECTED AREAS IN INFORMATION THEORY, VOL. 5, 2024
ω̂ ,
,ω
≤ 1 + rdω ,ω̂ .
,ω̂
Proposition 4: There is no constant r < ∞ for which
Mechanism 1 is r-robust.
The proof is in Appendix D-G in the supplementary
material. This result shows a weakness of the quantization
mechanism, but more importantly, it highlights the fragility
of the privacy metric studied in this work. Min-entropy (and
variants thereof), while a natural and interpretable privacy
metric in some respects, admits solutions like the quantization
mechanism that are fragile to prior misspecification.
A related type of fragility is that the privacy metric we study
does not provide composition guarantees; in other words, if
one applies a summary statistic-private mechanism υ times,
we cannot easily bound the privacy parameter of the υ-fold
composed mechanism. In contrast, composition is an important
and desirable property exhibited by differential privacy [16].
The lack of composition can be problematic in situations
where a data holder wants to release a dataset (or correlated
datasets) multiple times.
Future direction: New privacy metrics. Several of the
previously-discussed challenges, especially related to robust-
ness, stem from our choice of privacy metric. It remains
an open problem to design privacy metrics that can protect
trade secrets while (a) not requiring knowledge of the data
prior, (b) providing composition guarantees, and (c) not adding
excessive noise. Motivated by maximal leakage [20], one could
consider a normalized variant of the studied privacy metric:
,ω
,ω  sup log   ,
ω supĝ P ĝ(ω ) ∈ g(θ ) − , g(θ ) + 
where ĝ(ω ) is an attacker that knows the prior distribution
but does not see the released data, and the denominator is the
probability that the strongest attacker guesses the secret within
tolerance . Similar to maximal leakage, we consider the
worst-case leakage among all possible priors. This normalized
LIN et al.: SUMMARY STATISTIC PRIVACY IN DATA SHARING
,ω considers how much additional “information” that the
released data provides to the attacker in the worst-case (see
also inferential privacy [71]).
R EFERENCES
[1] H. L. Lee and S. Whang, “Information sharing in a supply chain,” Int.
J. Manuf. Technol. Manage., vol. 1, no. 1, pp. 79–93, 2000.
[2] N. Choucri, S. Madnick, and P. Koepke, Institutions for Cyber Security:
International Responses and Data Sharing Initiatives. Cambridge, MA,
USA: Massachusetts Inst. Technol., 2016.
[3] J. B. Jacobs and D. Blitsa, “Sharing criminal records: The United States,
the european union and interpol compared,” Loyola Los Angeles Int.
Comput. Law Rev., vol. 30, p. 125, Jan. 2008.
[4] J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei, “Imagenet:
A large-scale hierarchical image database,” in Proc. IEEE CVPR, 2009,
pp. 248–255.
[5] C. Reiss, J. Wilkes, and J. L. Hellerstein, “Google cluster-usage traces:
Format+ schema,” Google Inc., Mountain View, CA, USA, White Paper,
pp. 1–14, 2011.
[6] S. Luo et al., “Characterizing microservice dependency and
performance: Alibaba trace analysis,” in Proc. ACM SoCC, 2021,
pp. 412–426.
[7] A. Suri and D. Evans, “Formalizing and estimating distribution inference
risks,” 2021, arXiv:2109.06024.
[8] A. Suri, Y. Lu, Y. Chen, and D. Evans, “Dissecting distribution
inference,” in Proc. 1st IEEE Conf. Secure Trustworthy Mach. Learn.,
2023, pp. 1–16.
[9] G. Ateniese, L. V. Mancini, A. Spognardi, A. Villani, D. Vitali, and
G. Felici, “Hacking smart machines with smarter ones: How to extract
meaningful data from machine learning classifiers,” Int. J. Security
Netw., vol. 10, no. 3, pp. 137–150, 2015.
[10] K. Ganju, Q. Wang, W. Yang, C. A. Gunter, and N. Borisov, “Property
inference attacks on fully connected neural networks using permuta-
tion invariant representations,” in Proc. ACM SIGSAC Conf. Comput.
Commun. Security, 2018, pp. 619–633.
[11] W. Zhang, S. Tople, and O. Ohrimenko, “Leakage of Dataset properties
in multi-party machine learning,” in Proc. USENIX Security Symp., 2021,
pp. 2687–2704.
[12] S. Mahloujifar, E. Ghosh, and M. Chase, “Property inference from
poisoning,” in Proc. Security Privacy, 2022, pp. 1–18.
[13] H. Chaudhari, J. Abascal, A. Oprea, M. Jagielski, F. Tramèr, and
J. Ullman, “SNAP: Efficient extraction of private properties with
poisoning,” in Proc. IEEE SP, 2022, pp. 1935–1952.
[14] B. Imana, A. Korolova, and J. Heidemann, “Institutional privacy risks
in sharing DNS data,” in Proc. ANRW, 2021, pp. 69–75.
[15] Z. Lin, A. Jain, C. Wang, G. Fanti, and V. Sekar, “Using GANs for
sharing networked time series data: Challenges, initial promise, and open
questions,” in Proc. ACM IMC, 2020, pp. 464–483.
[16] C. Dwork, F. McSherry, K. Nissim, and A. Smith, “Calibrating noise to
sensitivity in private data analysis,” in Proc. TCC, New York, NY, USA,
Mar. 2006, pp. 265–284.
[17] C. Reiss, J. Wilkes, and J. L. Hellerstein, “Obfuscatory obscanturism:
Making workload traces of commercially-sensitive systems safe to
release,” in Proc. IEEE NOMS, 2012, pp. 1279–1286.
[18] W. Zhang, O. Ohrimenko, and R. Cummings, “Attribute privacy:
Framework and mechanisms,” in Proc. FACCT, 2022, pp. 1–20.
[19] A. Makhdoumi, S. Salamatian, N. Fawaz, and M. Médard, “From the
information bottleneck to the privacy funnel,” in Proc. IEEE ITW, 2014,
pp. 501–505.
[20] I. Issa, A. B. Wagner, and S. Kamath, “An operational approach
to information leakage,” IEEE Trans. Inf. Theory, vol. 66, no. 3,
pp. 1625–1657, Mar. 2020.
[21] H. Wang, L. Vo, F. P. Calmon, M. Médard, K. R. Duffy, and M. Varia,
“Privacy with estimation guarantees,” IEEE Trans. Inf. Theory, vol. 65,
no. 12, pp. 8025–8042, Dec. 2019.
[22] S. Asoodeh, M. Diaz, F. Alajaji, and T. Linder, “Privacy-aware guessing
efficiency,” in Proc. ISIT, 2017, pp. 1–5.
[23] L. Wasserman and S. Zhou, “A statistical framework for differential
privacy,” J. Amer. Stat. Assoc., vol. 105, no. 489, pp. 375–389, 2010.
[24] B. Bebensee, “Local differential privacy: A tutorial,” 2019,
arXiv:1907.11908.
[25] K. Chatzikokolakis, M. E. Andrés, N. E. Bordenabe, and C. Palamidessi,
“Broadening the scope of differential privacy using metrics,” in Proc.
PETS, Bloomington, IN, USA, Jul. 2013, pp. 82–102.
Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.
383
[26] D. Kifer and A. Machanavajjhala, “Pufferfish: A framework for mathe-
matical privacy definitions,” ACM Trans. Database Syst., vol. 39, no. 1,
pp. 1–36, 2014.
[27] Y. Kawamoto and T. Murakami, “Local obfuscation mechanisms for
hiding probability distributions,” in Proc. Comput. Security, 2019,
pp. 128–148.
[28] M. Chen and O. Ohrimenko, “Protecting global properties of datasets
with distribution privacy mechanisms,” in Proc. AISTATS, 2023,
pp. 1–20.
[29] H. Yamamoto, “A source coding problem for sources with additional
outputs to keep secret from the receiver or wiretappers (corresp.),” IEEE
Trans. Inf. Theory, vol. 29, no. 6, pp. 918–923, Nov. 1983.
[30] G. Smith, “On the foundations of quantitative information flow,” in Proc.
FoSSaCS, 2009, pp. 288–302.
[31] M. S. Alvim, K. Chatzikokolakis, A. McIver, C. Morgan, C. Palamidessi,
and G. Smith, “Additive and multiplicative notions of leakage, and their
capacities,” in Proc. IEEE CSF, 2014, pp. 308–322.
[32] S. Asoodeh, M. Diaz, F. Alajaji, and T. Linder, “Information extraction
under privacy constraints,” Information, vol. 7, no. 1, p. 15, 2016.
[33] J. Liao, O. Kosut, L. Sankar, and F. du Pin Calmon, “Tunable measures
for information leakage and applications to privacy-utility tradeoffs,”
IEEE Trans. Inf. Theory, vol. 65, no. 12, pp. 8043–8066, Dec. 2019.
[34] F. P. Calmon, A. Makhdoumi, and M. Médard, “Fundamental limits of
perfect privacy,” in Porc. ISIT, 2015, pp. 1796–1800.
[35] S. Saeidian, G. Cervia, T. J. Oechtering, and M. Skoglund, “Pointwise
maximal leakage,” in Proc. IEEE ISIT, 2022, pp. 626–631.
[36] G. R. Kurri, L. Sankar, and O. Kosut, “An operational approach
to information leakage via generalized gain functions,” 2022,
arXiv:2209.13862.
[37] A. Gilani, G. R. Kurri, O. Kosut, and L. Sankar, “Unifying privacy
measures via maximal (α, β)-leakage (MαbeL),” IEEE Trans. Inf.
Theory, vol. 70, no. 6, pp. 4368–4395, Jun. 2024.
[38] M. Jurado, R. G. Gonze, M. S. Alvim, and C. Palamidessi, “Analyzing
the shuffle model through the lens of quantitative information flow,”
2023, arXiv:2305.13075.
[39] R. Jin, X. He, and H. Dai, “On the security-privacy tradeoff in collabo-
rative security: A quantitative information flow game perspective,” IEEE
Trans. Inf. Forensics Security, vol. 14, pp. 3273–3286, 2019.
[40] M. S. Alvim, N. Fernandes, A. McIver, C. Morgan, and G. H. Nunes,
“A novel analysis of utility in privacy pipelines, using Kronecker
products and quantitative information flow,” in Proc. ACM CCS, 2023,
pp. 1718–1731.
[41] R. Bhaskar, A. Bhowmick, V. Goyal, S. Laxman, and A. Thakurta,
“Noiseless database privacy,” in Proc. ASIACRYPT, Seoul, South Korea,
Dec. 2011, pp. 215–232.
[42] F. Farokhi, “Development and analysis of deterministic privacy-
preserving policies using non-stochastic information theory,” IEEE
Trans. Inf. Forensics Security, vol. 14, pp. 2567–2576, 2019.
[43] F. Farokhi, “Noiseless privacy: Definition, guarantees, and applications,”
IEEE Trans. Big Data, vol. 9, no. 1, pp. 51–62, Feb. 2023.
[44] F. Farokhi and G. Nair, “Non-stochastic private function evaluation,” in
Proc. IEEE ITW, 2021, pp. 1–5.
[45] B. Rassouli and D. Gündüz, “On perfect privacy,” IEEE J. Sel. Areas
Inf. Theory, vol. 2, no. 1, pp. 177–191, Mar. 2021.
[46] A. Zamani, T. J. Oechtering, and M. Skoglund, “Bounds for privacy-
utility trade-off with non-zero leakage,” in Proc. IEEE ISIT, 2022,
pp. 620–625.
[47] S. Biswas and C. Palamidessi, “PRIVIC: A privacy-preserving method
for incremental collection of location data,” in Proc. Privacy Enhanc.
Technol., 2024, pp. 1–15.
[48] S. Oya, C. Troncoso, and F. Pérez-González, “Back to the drawing
board: Revisiting the design of optimal location privacy-preserving
mechanisms,” in Proc. ACM CCS, 2017, pp. 1959–1972.
[49] D. Clark, S. Hunt, and P. Malacaria, “Quantitative analysis of the leakage
of confidential data,” Electron. Notes Theor. Comput. Sci., vol. 59, no. 3,
pp. 238–251, 2002.
[50] D. Clark, S. Hunt, and P. Malacaria, “A static analysis for quantifying
information flow in a simple imperative language,” J. Comput. Security,
vol. 15, no. 3, pp. 321–371, 2007.
[51] P. Malacaria, “Assessing security threats of looping constructs,” in Proc.
ACM POPL, 2007, pp. 225–235.
[52] B. Rassouli and D. Gündüz, “Optimal utility-privacy trade-off with total
variation distance as a privacy measure,” IEEE Trans. Inf. Forensics
Security, vol. 15, pp. 594–603, 2019.
[53] S. A. Mario, K. Chatzikokolakis, C. Palamidessi, and G. Smith,
“Measuring information leakage using generalized gain functions,” in
Proc. CSF, 2012, pp. 265–279.
384 IEEE JOURNAL ON SELECTED AREAS IN INFORMATION THEORY, VOL. 5, 2024

[54] S. Asoodeh, M. Diaz, F. Alajaji, and T. Linder, “Estimation efficiency Shuaiqi Wang (Graduate Student Member, IEEE)
under privacy constraints,” IEEE Trans. Inf. Theory, vol. 65, no. 3, received the B.E. degree from Shanghai Jiao Tong
pp. 1512–1534, Mar. 2019. University in 2020. He is currently pursuing the
[55] N. E. Bordenabe and G. Smith, “Correlated secrets in quantitative Ph.D. degree with Carnegie Mellon University. His
information flow,” in Proc. CSF, 2016, pp. 93–104. work has been recognized by the Carnegie Institute
[56] C. E. Shannon, “Coding theorems for a discrete source with a fidelity of Technology Dean’s Fellow. His research interests
criterion,” IRE Int. Conv. Rec., vol. 4, nos. 142–163, p. 1, 1959. are data privacy and security in machine learning.
[57] S. Arimoto, “An algorithm for computing the capacity of arbitrary
discrete memoryless channels,” IEEE Trans. Inf. Theory, vol. IT-18,
no. 1, pp. 14–20, Jan. 1972.
[58] R. Blahut, “Computation of channel capacity and rate-distortion func-
tions,” IEEE Trans. Inf. Theory, vol. 18, no. 4, pp. 460–473, Jan. 1972.
[59] D. E. R. Denning, Cryptography and Data Security, vol. 112. Reading,
MA, USA: Addison-Wesley, 1982.
[60] J. W. Gray, III, “Toward a mathematical foundation for information flow
security,” J. Comput. Security, vol. 1, nos. 3–4, pp. 255–294, 1992.
[61] G. N. Nair, “A nonstochastic information theory for communication
and state estimation,” IEEE Trans. Autom. Control, vol. 58, no. 6,
pp. 1497–1510, Jun. 2013.
[62] M. Arjovsky, S. Chintala, and L. Bottou, “Wasserstein generative
adversarial networks,” in Proc. ICML, 2017, pp. 214–223.
Vyas Sekar received the B.Tech. degree from
[63] Z. Lin, A. Khetan, G. Fanti, and S. Oh, “PacGAN: The power of two
the Indian Institute of Technology Madras (IIT
samples in generative adversarial networks,” in Proc. NeurIPS, 2018,
Madras), and the Ph.D. degree from Carnegie
pp. 1–10.
Mellon University, Pittsburgh, where he is a Tan
[64] R. Bellman, “Dynamic programming,” Science, vol. 153, no. 3731,
Family Professor with the ECE Department. He
pp. 34–37, 1966.
also serves as the Chief Scientist with Conviva,
[65] C. Esteban, S. L. Hyland, and G. Rätsch, “Real-valued (medi-
and as a Cofounder with Rockfish Data, a startup
cal) time series generation with recurrent conditional GANs,” 2017,
commercializing his academic research on synthetic
arXiv:1706.02633.
data. His work has been recognized with numer-
[66] Y. Yin, Z. Lin, M. Jin, G. Fanti, and V. Sekar, “Practical GAN-based
ous awards, including the SIGCOMM Rising Star
synthetic IP header trace generation using NetShare,” in Proc. ACM
Award, the SIGCOMM Test of Time Award, the
SIGCOMM, 2022, pp. 458–472.
NSA Science of Security Prize, the NSF CAREER Award, the Internet
[67] J. Jordon, J. Yoon, and M. Van Der Schaar, “PATE-GAN: Generating
Research Task Force Applied Networking Research Award, the Intel
synthetic data with differential privacy guarantees,” in Proc. ICLR, 2018,
Outstanding Researcher Award, and the IIT Madras Young Alumni Achiever
pp. 1–21.
Award. He was awarded the President of India Gold Medal from IIT Madras.
[68] J. Yoon, D. Jarrett, and M. Van der Schaar, “Time-series generative
adversarial networks,” in Proc. NeurIPS, vol. 32, 2019, pp. 1–11.
[69] “Web traffic time series forecasting,” Google. 2018. [Online]. Available:
https://www.kaggle.com/c/web-traffic-time-series-forecasting
[70] (Federal Commun. Comm., Washington, DC, USA). Raw Data—
Measuring Broadband America—Seventh Report. (2018). [Online].
Available: https://www.fcc.gov/reports-research/reports/measuring-
broadband-america/raw-data-measuring-broadband-america-seventh
[71] A. Ghosh and R. Kleinberg, “Inferential privacy guarantees for differ-
entially private mechanisms,” in Proc. ITCS, 2017, pp. 1–31.
Giulia Fanti (Member, IEEE) received the B.S.
degree in ECE from the Olin College of Engineering,
and the Ph.D. degree in EECS from the University
of California at Berkeley. She is an Assistant
Zinan Lin received the B.E. degree from Tsinghua
Professor of Electrical and Computer Engineering
University in 2017, and the Ph.D. degree from
with Carnegie Mellon University. Her research
Carnegie Mellon University in 2023. He is a Senior
interests span the security, privacy, and efficiency of
Researcher with Microsoft Research. His research
distributed systems. She is a two-time Fellow of the
interests are generative modeling and privacy. His
World Economic Forum’s Global Future Council on
work has been recognized with several awards,
Cybersecurity and a member of NIST’s Information
including the Outstand Paper/Oral/Spotlight Awards
Security and Privacy Advisory Board. Her work has
at NeurIPS and the Best Paper Finalist at IMC.
been recognized with several awards, including the best paper awards, a Sloan
Fellowship, an Intel Rising Star Faculty Award, and an ACM SIGMETRICS
Rising Star Award.

Authorized licensed use limited to: California State University Fullerton. Downloaded on November 11,2024 at 16:09:30 UTC from IEEE Xplore. Restrictions apply.