Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 234 Able Quantity

Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 234 able quantity. Only a limited number of previous works which can provide a natural and interpretable guide- [29, 34, 35] have investigated the question of how to line for selecting proper privacy parameters by system select a proper value of ǫ, but these approaches ei- designers and researchers. Furthermore, we extend our ther require complicated economic models or lack the analysis on unbounded DP to bounded DP and the ap- analysis of adversaries with arbitrary auxiliary informa- proximate (ǫ, δ)-DP. tion (see Section 2.3 for more details). Our work is in- Impact of Auxiliary Information. The conjecture spired by the interpretation of differential privacy via that auxiliary information can influence the design of hypothesis testing, initially introduced by Wasserman DP mechanisms has been made in prior work [8, 28, 32, and Zhou [27, 30, 60]. However, this interpretation has 33, 39, 65]. We therefore investigate the adversary’s ca- not been systematically investigated before in the con- pability based on hypothesis testing under three types text of our research objective, i.e., reasoning about the of auxiliary information: the prior distribution of the in- choice of the privacy parameter ǫ (see Section 2.4 for put record, the correlation across records, and the corre- more details). lation across time. Our analysis demonstrates that the We consider hypothesis testing [2, 45, 61] as the tool auxiliary information indeed influences the appropriate used by the adversary to infer sensitive information of selection of ǫ. The results suggest that, when possible an individual record (e.g., the presence or absence of and available, the practitioners of DP should explicitly a record in the database for unbounded DP) from the incorporate adversary’s auxiliary information into the outputs of privacy mechanisms. In particular, we employ parameter design of their privacy frameworks. Hence, the precision-recall (PR) relation from the perspective our results provide a rigorous and systematic answer of hypothesis testing by the adversary as the measur- to the important question posted by Dwork and Smith able quantity of interest. The PR relation considers the [20]. trade-off between the precision (the fraction of exam- Comparison of Statistical Privacy Frameworks. In ples classified as input records that are truly existing in addition to the two primary questions regarding dif- the input data for unbounded DP) and the recall (the ferential privacy, we also extend our hypothesis testing fraction of truly existing input records that are correctly analysis to a comparative study of a range of state-of- detected for unbounded DP) from the adversary’s per- the-art privacy-preserving frameworks [10, 24, 28, 33, spective. 38, 39]. Some of these frameworks [8, 28, 32, 33, 65] have With this context of hypothesis testing, we con- considered adversaries with auxiliary knowledge in their sider three research questions in this work: how do we definitions, but no prior work has applied a common set the value of ǫ, how does auxiliary information af- technique to compare and understand their relationship fect the choice of ǫ, and can hypothesis testing be used among each other and with differential privacy. to systematically compare across heterogeneous privacy Overall, our work makes the following contributions. frameworks? We introduce our concrete approach to ad- We investigate differential privacy from the perspec- • dress these questions below. tive of hypothesis testing by the adversary who ob- Investigating Differential Privacy. To explore the serves the differentially private outputs. We com- choice of an appropriate value of ǫ, we consider an ad- prehensively analyze (i) the unbounded and (ii) versary who tries to infer the existence of a record di bounded scenarios of DP, and (iii) (ǫ, δ)-DP. in the database D from the output of a differentially We theoretically derive the PR-relation and the cor- • private mechanism (D). Our threat model is an ad- responding F as criteria for selecting the value A βscore versary who uses hypothesis testing with the Neyman- of ǫ that would limit (to the desired extent) the ad- Pearson criterion [47], which is one of the most powerful versary’s success in identifying a particular record, criteria in hypothesis testing, on the noisy query results in an interpretable and quantitative manner. obtained by DP mechanisms. We focus on using the We analyze the effect of three types of auxiliary in- • Neyman-Pearson criterion for the Laplace perturbation formation, namely, the prior distribution of the in- mechanism [17] in order to perform a concrete analysis. put record, the correlation across records, and the We also show how to generalize our approach to other correlation across time, on the appropriate choice of mechanisms such as the Gaussian perturbation mecha- ǫ via the hypothesis testing by the adversary. nism. Particularly, we leverage the PR-relation and the Furthermore, we systematically compare the state- • corresponding Fβscore (the weighted harmonic average of-the-art statistical privacy notions from the per- of precision and recall [56]) as effective metrics to quan- spective of the adversary’s hypothesis testing, in- tify the performance of adversaries’ hypothesis testing, cluding Pufferfish privacy [33], Blowfish privacy [28], Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 235

dependent differential privacy [39], membership ence between the values of the function when one input ′ privacy [38], inferential privacy [24] and mutual- changes, i.e. ∆Q = max ′ Q(D) Q(D ) . D,D k − k1 information based differential privacy [10]. Theorem 1. (Laplace Perturbation Mechanism) [17] For any query Q : Rq, the Laplace perturbation D → mechanism, denoted by , and any database D , A ∈ D 2 Background and Related Work (D) = Q(D) + (η , . . . , η ) achieves ǫ-differential pri- A 1 q vacy, where ηi are i.i.d random variables drawn from In this section, we briefly discuss the frameworks of dif- the Laplace distribution with a parameter ζ = ∆Q/ǫ, de- ferential privacy and hypothesis testing, as well as re- noted by Lap(ζ), that is Pr[η = z] ǫ exp ǫ|z| . lated works regarding these two topics. i ∝ 2∆Q − ∆Q In order to perform a concrete analysis, our work mainly focuses on the Laplace perturbation mechanism. How- 2.1 Differential Privacy ever, our approach also generalizes to other mechanisms such as the Gaussian perturbation mechanism (as dis- Differential privacy is a rigorous mathematical frame- cussed in Section 4.3). work aimed at protecting the privacy of the user’s record In the literature, several statistical privacy frame- in a statistical database [13–15, 17, 20]. The goal of DP works have also been proposed as important general- is to randomize the query results to ensure that the ization of DP, such as Pufferfish privacy [33], Blow- risk to the user’s privacy does not increase substantially fish privacy [28], dependent differential privacy [39], (bounded by a function of ǫ) as a result of participating membership privacy [38], inferential privacy [24] and in the statistical database. The notion of ǫ-differential mutual-information based differential privacy [10]. privacy is formally defined as follows. These privacy frameworks are important statistical privacy frameworks for releasing aggregate information of Definition 1. (ǫ-differential privacy [13]) A random- databases while ensuring provable guarantees, similar ized algorithm provides ǫ-differential privacy if for A to DP. We will systematically compare them with DP any two neighboring databases D and D′ such that D from the adversary’s perspective of hypothesis testing and D′ differ by adding/removing a record, and for any P (A(D)∈S) in Section 6. subset of outputs S S, max ′ exp(ǫ), ⊆ D,D P (A(D′)∈S) ≤ where (D) (resp. (D′)) is the output of on input A A A D (resp. D′) and ǫ is the privacy budget. 2.2 Hypothesis Testing It is worth noting that the smaller the privacy budget ǫ, the higher the privacy level. This privacy defini- Hypothesis testing [2, 45, 61] is the use of statistics on tion is also known as unbounded DP as the database the observed data to determine the probability that a size is unknown. When the database size is known, D given hypothesis is true. The common process of hy- and D′ are neighbors if D can be obtained from D′ by pothesis testing consists of four steps: 1) state the hy- replacing one record in D′ with another record. Def- potheses; 2) set the criterion for a decision; 3) compute inition 1 based on this notion of neighbors is known the test statistic; 4) make a decision. The binary hypoth- 1 as bounded DP [32]. Approximate DP is another vari- esis testing problem decides between a null hypothesis ant of DP, also named (ǫ, δ)-DP [16], and is defined as H = h0 and an alternative hypothesis H = h1 based on P ( (D) S) P ( (D′) S) exp(ǫ) + δ, which relaxes observation of a random variable O [2, 45]. Under hy- A ∈ ≤ A ∈ DP by ignoring noisy outputs with a certain probability pothesis h0, O follows the probability distribution P0, controlled by the parameter δ. In Section 4, we will ana- while under h1, O follows distribution P1. A decision ˆ lyze mechanisms that satisfy these DP guarantees from rule H is a criterion that maps every possible observa- the adversary’s perspective of hypothesis testing. tion O = o to either h0 or h1. The Laplace perturbation mechanism (LPM) [17] The most popularly used criteria for decision are is a classic and popular mechanism that achieves ǫ-DP, maximum likelihood [50], maximum posterior probabil- which makes use of the concept of global sensitivity. ity [25], minimum cost [43] and the Neyman-Pearson criterion [47]. Definition 2. (Global sensitivity) [17] The global sen- 1 We consider the binary hypothesis testing problem since the sitivity of a query Q : Rq is the maximum differ- adversary aims to distinguish two neighboring databases in DP. D → Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 236

Definition 3. The Neyman-Pearson criterion aims to Other related works by Lee and Clifton [35, 36] de- maximize the true detection rate (the probability of cor- termine ǫ for LPM based on the posterior probability rectly accepting the alternative hypothesis) subject to a that the adversary can infer the value of a record. The maximum false alarm rate (the probability of mistakenly Neyman-Pearson criterion adopted in our approach has accepting the alternative hypothesis) [47, 61], i.e., an advantage over the maximum posterior probability analysis [25]. As stated in Section 2.2, the Neyman- max P s.t., P α (1) TD FA ≤ Pearson criterion in our work can be used to optimize a range of evaluation metrics by selecting a proper value where PTD and PFA denote the true detection rate and of the false alarm rate while maximizing the true detec- the false alarm rate, respectively. tion rate. In addition, their analysis [35] only assumes The Neyman-Pearson criterion has the highest statis- uniform distribution of the input data (equivalent to the tical power [37] since it maximizes the true detection scenarios without any prior distribution) in both their rate under a given requirement of the false alarm rate experiments and theoretical derivations. (as defined above). According to the Neyman-Pearson Finally, these previous works are noticeably differ- Lemma [46], an efficient way to solve Eq. 1 is to im- ent from our approach as they do not utilize the statis- plement the likelihood ratio test [49, 57]. In practice, tical tool of hypothesis testing (especially the Neyman- the likelihood ratio, or equivalently its logarithm, can Pearson criterion) by the adversary. Furthermore, our be used directly to construct test statistics to compare work is not limited to the selection of the ǫ value, but is the goodness of fit of the two hypotheses. Other criteria also extended to the analysis on the impact of the aux- such as maximum likelihood [50], maximum posterior iliary information possessed by the adversary and the probability [25] and minimum cost [43] cannot guaran- comparison across the state-of-the-art statistical privacy tee the highest statistical power in general, and they are frameworks, which has not been studied before. based on a fixed threshold on the likelihood ratio that cannot incorporate α. In contrast, the Neyman-Pearson criterion treats the testing performance as a function 2.4 Hypothesis Testing in DP of the threshold for the likelihood ratio controlled by α ([1], pp. 67). Therefore, the Neyman-Pearson crite- Previous work in [21, 48, 58] has investigated how to ac- rion can provide more flexibility to optimize a range of curately compute the test statistics in hypothesis test- evaluation metrics by setting different values of α [37]. ing while using DP to protect data. Ding et al. de- signed an algorithm to detect privacy violations of DP mechanisms from a hypothesis testing perspective [12]. 2.3 Setting the Privacy Budget ǫ Wasserman and Zhou [60], Hall et al. [27], and Kairouz et al. [30] are our inspiration for using hypothesis test- Setting the privacy budget ǫ in DP is a challenging task. ing on DP. These works propose a view of DP from the Prior work [29, 34–36] attempted to address this prob- perspective of hypothesis testing by the adversary who lem, but has several limitations. Hsu et al. [29] proposed observes the differentially private outputs. Specifically, an economic method to express the balance between the the observation is first made by Wasserman and Zhou accuracy of a DP release and the strength of privacy [60] for bounding the probability for the adversary to guarantee in terms of a cost function when bad events correctly reject a false hypothesis of the input database. happen. However, this work involves complicated eco- Hall et al. [27] later extend such analysis to (ǫ, δ)-DP. nomic models consisting of bad events and their cor- Kairouz et al. [30] then apply this concept in their proof responding cost functions. It is difficult to quantify the of composition of DP. However, these prior works have cost of a bad event for general applications. Krehbiel [34] not applied hypothesis testing to our objectives of de- takes each data owner’s privacy preference into consider- termining the appropriate value of ǫ. ation and aims to select a proper privacy parameter for In contrast, our work extensively analyzes the ad- achieving a good tradeoff between utility and privacy. versary’s capability of implementing hypothesis testing This mechanism focuses more on an economic perspec- using Neyman-Pearson’s criterion [47] on outputs of DP tive for collecting and distributing payments under a mechanisms, such as LPM and the Gaussian perturba- chosen level of privacy parameter and their privacy def- tion mechanism. We apply it to the problem of deter- inition is not the standard DP. mining ǫ, the analysis of the effect of auxiliary information on the choice of ǫ, and the comparative analysis

Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 238

From Eq. 3, we know that precision is the probabil- mation loss of the PR-relation which broadly covers the ity that hypothesis h1, which the adversary’s hypothe- adversary’s hypothesis testing in the entire space (more sis testing says is true, is indeed true; and recall is the discussions in Section 4.1.4). Note that every step of our probability that hypothesis h1, which is indeed true, is analysis in Figure 1 is accurate in quantifying the ad- detected as true by the adversary’s hypothesis testing. versary’s hypothesis testing under the Neyman-Pearson Note that the randomness in the process of comput- criterion using the metrics of PR-relation and Fβscore. ing precision and recall comes from the statistical noise Generalizing to Other Privacy Mechanisms and added in DP mechanisms. Therefore, our analysis aims Practical Adversaries: We further generalize our to quantify the capability of the adversary that lever- analysis of the conventional ǫ-DP to its variants such as ages the hypothesis testing technique in identifying any (ǫ, δ)-DP (adopting the Gaussian perturbation mecha- specific record from DP outputs. nism), more advanced privacy notions, and also adver- PR-relation quantifies the actual detection accuracy saries with auxiliary information. Our analysis shows of the adversary, which has a one-to-one correspondence that the adversary’s auxiliary information in the form with the false alarm rate P and the missed detection FA of prior distribution of the input database, the correla- rate 1 P [30]. Different from Kairouz et al. [30] that − TD tion across records and time can affect the relationship quantifies the relative relationship between P and FA between the two posterior probabilities (corresponding 1 P , we obtain explicit expression of the precision − TD to the two hypotheses made by the adversary), thus im- and recall of the adversary that exploits the Neyman- pacting the proper value of privacy parameter ǫ. Pearson criterion (in Sections 4.1.3, 5.1, 5.2, 5.3). It is also interesting to note that there exists a one-to- one correspondence between PR-relation and the re- ceiver operating characteristic (ROC) [11]. Therefore, 4 Quantification of DP from the our analysis in the domain of PR-relation can be di- Adversary’s Hypothesis Testing rectly transferred to the domain of ROC. Furthermore, we theoretically prove that the ad- In this section, we theoretically analyze the capability versary that implements Neyman-Pearson criterion of the adversary’s hypothesis testing for inferring sen- achieves the optimal PR-relation (in Theorem 2) and sitive information of a particular record from DP out- this optimality is generally applicable for correlated puts. Specifically, we implement our analysis on the un- records (in Corollary 1). The corresponding proofs are bounded and bounded scenarios of DP and (ǫ, δ)-DP. deferred to the appendix.

Theorem 2. The Neyman-Pearson criterion charac- 4.1 Quantiﬁcation of Unbounded DP terizes the optimal adversary that can achieve the best PR-relation. 4.1.1 Hypothesis Testing Problem

Corollary 1. The optimality of Neyman-Pearson cri- Recall that the Neyman-Pearson criterion [47] aims to terion given in Theorem 2 holds for correlated records maximize the true detection rate of the hypothesis test in the database. given a constrained false alarm rate (Definition 3). Fol- lowing our threat model and methodology in Section 3, In addition, we leverage Fβscore (weighted harmonic av- the adversary would assume the following two hypothe- erage of precision and recall), to further quantify the ses, corresponding to the presence or the absence of a relationship between the adversary’s hypothesis testing record d : and the privacy parameter ǫ, which also provides an i ′ interpretable guideline to practitioners and researchers h0 : di does not exists in , i.e., = D 1 H = D D (4) for selecting ǫ. Fβscore = 2 (for h : d exists in , i.e., = D 1 + β ( 1 i (1+β2)precision (1+β2)recall D D any real number β > 0) is an example for quantifying This is clearly the unbounded DP setting (we will ana- the PR-relation in order to understand the adversary’s lyze the bounded DP setting and other DP variations in power in a more convenient manner, since it combines the next subsections.). After observing the noisy query the two metrics, precision and recall, into a single met- result (D) = o, the adversary tries to distinguish the A ric. However, this combination has the potential of infor- two events = D and = D′ by analyzing the cor- D D responding posterior probabilities of P ( = D ( ) = D |A D Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 239 o, d ) and P ( = D′ ( ) = o, d ). Following the Under a given requirement of the false alarm rate α, −i D |A D −i Bayes’ rule of we can uniquely determine the threshold θ of the noisy output. Then, we can compute λ from θ. Next, let us P (A(D) = o|d−i, D = D)P (D = D) P (D = D|A(D) = o, d−i) = P (A(D) = o|d−i) discuss each step of this proof in detail. P (A(D) = o)P (D = D) = , Construct Likelihood Ratio Test: Given the noisy P (A(D) = o|d−i) (5) scalar output o = ( ) = Q( ) + Lap(ζ) = Q( ) + A D D D we know that distinguishing the two posterior probabil- Lap(∆Q/ǫ) from the LPM, we can compute the like- ities is equivalent to differentiating the two conditional lihood ratio Λ(o) corresponding to the two hypotheses probabilities of P ( (D) = o) and P ( (D′) = o),2 for defined in Eq. 4 as A A adversaries that have no access to the prior distribution ǫ ǫ|o−Q(D)| P (A(D) = o) 2∆Q exp − ∆Q of the input database and thus assume a uniform prior, Λ(o) = = ′ ′ P (A(D ) = o) ǫ exp − ǫ|o−Q(D )| i.e., P ( = D) = P ( = D′). 2∆Q ∆Q D D exp(ǫ) if o > Q(D) 2o − Q(D) − Q(D′) = exp ǫ if o ∈ [Q(D′),Q(D)]  ∆Q 4.1.2 Decision Rule  exp(−ǫ) if o < Q(D′) (7)  Adversary’s Hypothesis Testing for Scalar Assume the decision threshold for the likelihood ratio Query: We first consider the situation where the query is λ, then the corresponding decision rule in Neyman- output is a scalar and then generalize our analysis to h1 Pearson criterion is Λ(o) ≷ λ. vector output. It is worth noting that DP is defined in h0 terms of probability measures but likelihood is defined Uniquely Determine θ from α: Under a threshold in terms of probability densities. However, we use them θ on the noisy output o, PFA can be computed as ′ interchangeably in this paper (we can change the prob- ∞ ∞ ǫ|x−Q(D )| ′ ǫ − ∆Q 1 θ P (A(D ) = o)do = 1 θ 2∆Q e dx, ability densities to the probability measures through − ′ − ′ − (θ−Q(D ))ǫ (θ−Q(D ))ǫ quantizing over the query output for instance). With- whichR is 1 1 e ∆Q if θ

Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 241

Table 1. The Maximal ǫ under a Required Bound of Fβscore. 1 1 ǫ=0.01 β=0.5 0.9 0.9 ǫ=0.1 β=0.6 ǫ=0.4 0.8 0.8 β=0.8 Fβscore 0.55 0.58 0.62 0.67 0.76 0.83 0.9 0.95 score

ǫ=0.7 * β β=1 F = 0 5 0.7 0.7 β . 0.22 0.34 0.55 0.82 1.42 2.04 3 4.29 Precision ǫ=1 β=1.5 0.6 = 0 6 0.6 ǫ=2 β . — 0.33 0.54 0.83 1.45 2.11 3.11 4.43 β=2 ǫ=5 0.5 = 0 8 0.5 0 2 4 6 8 β . — — 0.49 0.8 1.46 2.16 3.21 4.58 0 0.5 1 Privacy Budget ǫ Recall β = 1 — — — 0.71 1.4 2.12 3.2 4.6 (a) (b) β = 1.5 — — — — 1.17 1.88 2.99 4.41 β = 2 — — — — — 1.61 2.69 4.12 Fig. 3. (a) PR-relation and (b) the highest Fβscore of detecting a particular record under unbounded DP.

ure 3(b) are accurate quantification of the adversary’s 4.1.4 Choosing Proper ǫ hypothesis testing from the perspective of Fβscore, from which we observe that the adversary’s capability of in- The privacy parameter ǫ can relatively measure the pri- ferring the existence of an individual record is generally vacy guarantees of DP mechanisms. However, choosing enhanced with an increasing value of ǫ. appropriate values for ǫ is non-trivial since its impact on Fβscore can be interpreted as a summary statistic for the privacy risks of the input data in practice are not the PR-relation, which provides a more convenient way well understood. Our method of choosing ǫ considers of quantifying the relationship between the adversary’ the capability of the adversary’s hypothesis testing to hypothesis testing and the privacy parameter ǫ. Under a ∗ identify any particular record as being in the database. desired bound of Fβscore that the adversary’s hypothesis Specifically, we provide guidelines for selecting proper testing can achieve, the privacy mechanism practition- values of ǫ using PR-relation and Fβscore, respectively. ers can refer to Eq. 12 and Figure 3(b) to choose an Guidelines under PR-relation: Our analysis by appropriate value of ǫ. Furthermore, we provide numer- leveraging PR-relation generally covers the adversary’s ical bounds of ǫ under different requirements of Fβscore trade-offs between precision and recall in the entire for commonly-used weights of β [0.5, 2] in Table 1, as ∈ space. Figure 3(a) demonstrates that, with sufficiently an easier way to look up for privacy practitioners. low privacy budget ǫ, an adversary’s ability to identify When the summary statistics of the precision and an individual record in the database is indeed limited. recall are used (as opposed to using the full PR-relation Under a given requirement of trade-offs between preci- information), such as the use of the Fβscore, there is sion and recall of the adversary’s hypothesis testing, the potential for information loss, especially in the regime privacy mechanism designer can refer to the PR-relation corresponding to smaller values of ǫ (Eq. 12 and Fig- ∗ obtained in Eqs. 9, 10, 11 and Figure 3(a) to choose an ure 3(b)). It is interesting to note that Fβscore keeps appropriate privacy budget ǫ. the same for ǫ < log(1 + β2), and then monotonically 2 Guidelines under Fβscore: Besides the PR-relation, increases with ǫ for ǫ log(1 + β ). This turning point 2 ≥ we also leverage the Fβscore, which is a weighted har- ǫ = log(1+β ) approaches 0 for smaller values of β, mak- ∗ monic average of precision and recall, as another appro- ing Fβscore closer to be monotonically increasing with ǫ priate metric for quantifying the effectiveness of the ad- thus capturing the privacy benefits of smaller values of versary’s hypothesis testing. Furthermore, we can theo- ǫ (as shown Figure 3(b)). retically derive the highest Fβscore (by selecting a proper Finally, we emphasize that the alternative approach threshold θ) that the adversary can achieve for arbitrary of using the entire PR-relation to guide the selection of ǫ real number β > 0 as does not suffer from the limitations discussed above, and

∗ 1 also shows privacy beneﬁts of using smaller ǫ (smaller Fβscore = max 2 θ 1 β precision for a given recall as shown in Figure 3(a)). (1+β2)precision + (1+β2)recall 2 1 + β 2 , ǫ < log(1 + β ) (12) 2 + β2 = 4.1.5 Plausible Deniability Property  (1 + β2)( 1 + 4β2eǫ 1)  − , ǫ log(1 + β2)  (1 + β2) 1 + 4β2eǫ 1 + β2 ≥ p − There are multiple ways to interpret semantics of DP  and the detailedp proof is deferred to the Appendix. guarantees such as hypothesis testing [27, 30, 60] and ∗ plausible deniability (Page 9 in Dwork [13], Page 2 in Next, we show Fβscore with varying privacy parameter ǫ in Figure 3(b). Our results in Eq. 12 and Fig- Dwork and Smith [20], Deﬁnition 1 in Dwork, McSherry, Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 242

Nissim and Smith [17], Section 2 in Kasiviswanathan size is the same. For simplicity, we first discuss a scenario and Smith [31], Section 4 in Li et al. [38]). The poten- where the i-th record of the input data di can only take tial of randomness providing plausible deniability was binary values di1, di2. Note that the hypothesis testing first recognized by Warner [59]. Bindschaedler et al. pro- by the adversary in the bounded scenario is different vide a formal definition of plausible deniability for data from the unbounded scenario in that the adversary is synthesis, compared to which DP is a stronger privacy no longer aiming to distinguish the absence/presence of guarantee [5]. a record, but to estimate the true value of a record. Thus, the adversary’s hypothesis testing now becomes: Definition 4. (Plausible Deniability) [5] For any h0 : di = di1 database D with D > k ( D is the number of records in H = (13) | | | | h : d = d D), and any record y generated by a perturbation mecha- 1 i i2 nism such that y = (d1) for d1 D, we state that y Comparing Eq. 4 and Eq. 13, we know that the two hy- M M ∈ is releasable with (k, γ)-plausible deniability, if there ex- potheses for unbounded and bounded cases are different. ist at least k 1 distinct records d2, , dk D d1 such However, according to Theorem 5, their corresponding P−(M(d )=y) ··· ∈ \ that γ−1 i γ for any i, j 1, 2, , k . PR-relation (and F ) are the same. This means, ≤ P (M(dj )=y) ≤ ∈ { ··· } βscore the hypothesis testing implemented by the adversary We interpret DP as hypothesis testing — how well for bounded DP with binary records is the same as that an adversary in DP can infer the existence of an indi- for unbounded DP. vidual record (unbounded DP) or the exact value of Next, we consider a more general scenario where di a record (bounded DP) in binary hypothesis testing takes multiple values d , d , , d . Without loss of i1 i2 ··· ik problem involving two neighboring databases (Dwork generality, we assume Q(d ) Q(d ) Q(d ). i1 ≤ i2 ≤ · · · ≤ ik [13], Dwork, McSherry, Nissim and Smith [17], Kifer Therefore, the distance between any two query results and Machanavajjhala [32]). Theorem 3 demonstrates computed over two different values of di is smaller than that the adversary implements the likelihood ratio test the sensitivity of the query ∆Q = max Q(d ) Q(d ) . P (A(D)=o) k ik − i1 k Λ(o) = P (A(D′)=o) to satisfy the Neyman-Pearson cri- Since the inserted noise for satisfying DP is calculated terion and the decision rule in Eq. 6 is equivalent to ∆Q based on ∆Q (i.e., Lap( ǫ )), we know that the hypoth- h1 Λ(o) ≷ λ. Combining Eq. 6 and Eq. 8, we know that esis testing achieved by the adversary in distinguishing h0 any two values of di is not worse than distinguishing e−ǫ e−ǫ λ = 2 if α [0, 0.5], or if α (0.5, 1]. Accord- 4α ∈ 4(1−α)2 ∈ di1 and dik. We thus conclude that the best hypothesis ing to Definition 4, the plausible deniability also quan- testing of the adversary for the bounded scenario is the tifies the likelihood ratio between two data (although it same as that for the unbounded scenario. only considers the scenario of privacy-preserving data synthesis [5]). Therefore, our analysis of using hypothesis testing to guide selection of proper privacy param- 4.3 Quantification of (ǫ, δ)-DP eters in DP has implicitly incorporated the plausible deniability of any individual records in the database Approximate DP, also named (ǫ, δ)-DP [16] is defined as (controlled by the maximum false alarm rate α in the P ( (D) S) exp(ǫ)P ( (D′) S) + δ for any neigh- A ∈ ≤ A ∈ Neyman-Person criterion). Furthermore, α determines boring databases D,D′. One of the most popular mecha- a trade-off between the false alarm rate PFA and the nisms to achieve (ǫ, δ)-DP is the Gaussian perturbation true detection rate PTD (Definition 3). Therefore, our mechanism, where a Gaussian noise with zero mean and analysis of using PR-relation (which has a one-to-one standard variant σ = 2 log(1.25/δ)∆Q/ǫ is added to correspondence with PFA, PTD) and Fβscore (summary the query output [16, 18]. p statistics of precision and recall) generated by varying Similar to Section 4.1, we first derive the mechanism α quantifies the randomness and the plausible deniabil- for the adversary’s hypothesis testing that satisfies the ity [59] [5] of any individual records in the database. Neyman-Pearson criterion based on the following theorem (detailed proof is deferred to the Appendix).

4.2 Quantification of Bounded DP Theorem 6. Applying Neyman-Pearson criterion in Definition 3 is equivalent to the following hypothesis Bounded DP corresponds to the setting where the neigh- testing which is of a simpler formulation: setting a boring databases differ in one (record’s) value and their threshold θ = Φ−1(1 α)σ +Q(D′) (where α is the max- − Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 243

1 0.9 δ=0.01 ǫ=0.01 δ=0.1 0.85 ǫ=0.1 5 Quantiﬁcation of DP under δ=0.2 0.9 ǫ=0.3 δ=0.6 0.8 δ=0.8 ǫ=0.5 δ=0.9 0.75 ǫ=0.7 0.8 δ=1 ǫ=0.9 Auxiliary Information from the 0.7 ǫ=1

Precision 0.7 Precision 0.65

0.6 0.6 Adversary’s Hypothesis Testing 0.55

0.5 0.5 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 Recall Recall We now demonstrate how to control the adversary’s suc- (a) (b) cess rate in identifying of a particular record with several Fig. 4. PR-relation of detecting a particular record from important variations of the adversary’s belief including (ǫ, δ)-DP results with varying (a) ǫ and (b) δ, respectively. the input data’s prior distribution, record correlation and temporal correlation. imum P and Φ( ) is the cumulative distribution func- FA · tion of the standard normal distribution) for the output of the Gaussian perturbation mechanism o, the decision 5.1 Quantification of DP under Prior h1 for the adversary’s hypothesis testing is o ≷ θ. Distribution h0 Let us first consider an adversary with known prior dis- According to Theorem 6 and Eq. 11, we can theoreti- tribution of the input data. Although such an adversary cally derive precision and recall of the adversary’s hy- is not explicitly considered in conventional DP frame- pothesis testing for the Gaussian mechanism as works5, we still analyze this adversary’s inference for − 1 Φ θ Q(D) sensitive information in a particular record as an inter- − σ precision = − − ′ 2 Φ θ Q(D) Φ θ Q(D ) esting and practical case study. In some scenarios, the − σ − σ (14) θ Q(D) adversary’s prior is non-uniform, which will result in a recall = 1 Φ − − σ different decision rule. Similar to our analysis in Sec- We further show the corresponding PR-relation of the tion 4.2, we still consider a binary hypothesis testing adversary’s hypothesis testing in Figure 4(a) and Fig- problem where the adversary aims to distinguish the ure 4(b) with varying ǫ and δ, respectively. We observe two neighboring databases in Eq. 13. that the adversary’s performance of hypothesis testing Next, we quantify the hypothesis testing of the ad- is enhanced with an increasing value of ǫ and δ. Com- versary to distinguish the two posterior distributions d paring Figure 3(a) and Figure 4, we know that different of P (di = di1 ( ) = o, −i),P (di = di2 ( ) = d |A D |A D mechanisms vary in their power of defending against o, −i). According to Bayes’ rule, we have P (di = P (A(D)=o|d−i,di=di1)P (di=di1) di1 ( ) = o, d−i) = d = adversaries’ hypothesis testing since their output dis- |A D P (A(D)=o| −i) tributions are different. Note that our approach can be P (A(D)=o)P (di=di1) . Then, we get P (A(D)=o|d−i) generally applied to any DP mechanism (Figure 1), al- P (di = di1|A(D) = o, d−i) P (A(D) = o)P (di = di1) = (16) though we focus on LPM and GPM. ′ P (d = di2|A(D) = o, d−i) P (A(D ) = o)P (di = di2) Next, the highest F of the adversary’s hypoth- βscore Based on Eq. 16, we know that the adversary’s hy- esis testing under different values of privacy parameters pothesis testing under prior distribution is equivalent ǫ, δ can be directly derived from Eq. 14 as to distinguishing the two probabilities of P ( (D) = − (1 + β2) 1 Φ θ Q(D) ′ A ∗ − σ o)P (di = di1) and P ( (D ) = o)P (di = di2). Figure 5(a) Fβscore = max − − ′ (15) A θ 2 + β2 Φ θ Q(D) Φ θ Q(D ) shows the hypothesis testing procedure of the adversary, − σ − σ where θ is the decision threshold on the noisy query Balle and Wang [4] developed the analytic Gaussian di1 outputs and the adversary’s decision rule is o ≷ θ. We mechanism whose variance is calibrated using the Gaus- di2 sian cumulative density function instead of a tail bound further define the coefficient of prior distribution ρp as P (di=di1) approximation. Other recent works also proposed tight ρp = 1 mind ,d , where ρp [0, 1]. ρp = 0 − i1 i2 P (di=di2) ∈ lower bounds for the variance of the added Gaussian corresponds to the scenario where the adversary has no noise while satisfying (ǫ, δ)-DP [23, 51]. How to adapt knowledge about the prior distribution and thus makes our analysis for the classical Gaussian mechanism in the assumption of uniform distribution (the same as in Theorem 6 and Eqs. 14, 15 to these improved Gaussian Section 4.1). Combining Eq. 11 with Eq. 16, we can de- mechanisms [4, 23, 51] is an interesting future direction. 5 DP guarantees are not influenced by the prior distribution of the input data.

Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 246

1 ing always reduces entropy (uncertainty) in information 0.95

0.9 theory [9]. Therefore, choosing a proper privacy bud-

0.85 ρ =0, ρ =0, ρ =0 p c t * score ρ =0, ρ =0.1, ρ =0 get ǫ needs more careful consideration when designing 0.8 p c t F1 ρ =0, ρ =0.1, ρ =0.2 p c t 0.75 ρ =0.5, ρ =0, ρ =0 p c t privacy-preserving mechanisms against adversaries who ρ =0.5, ρ =0.1, ρ =0 0.7 p c t ρ =0.5, ρ =0.1, ρ =0.2 p c t 0.65 have access to these auxiliary information. 0 2 4 6 8 10 Privacy Budget ǫ Fig. 8. The highest Fβscore achieved by the adversary under different auxiliary information (setting β = 1, i.e., F 1score). 5.3.1 Relating PR-relation to DP Guarantees recall for this adversary’s hypothesis testing as Since the computation of PR-relation involves a spe- t Pi1RSR cific adversary model, the connection between the PR- precision = t t Pi1RSR + Pi2GSR relation and privacy guarantees (DP) depend on what 1 assumptions we make for the adversaries. = GSR , 1 + (1 ρp (2 ρp)(ρc + ρt(1 ρc))) − − − − RSR Optimal Adversary: considering an optimal ad- recall = RSR. versary that implements the Neyman-Pearson criterion (23) t t and with full access to the possible auxiliary informa- Pi1 Pi1 Eq. 23 holds since max t = max t = tion of the data, under a specific mechanism, the PR- Pi2 1−Pi1 1 (1+ 1 )(1−ρ )(1−ρ ) 1−ρp 1−ρp c t 1 relation achieved by the adversary would be fixed (since 1 1 = = 1− (1+ )(1−ρ )(1−ρ ) (2−ρp)(1−ρc)(1−ρt)−1 1−ρp 1−ρp c t every step of our analysis in Figure 1 is exact) as shown 1 . From Eq. 23, we know that 1−ρp−(2−ρp)(ρc+ρt(1−ρc)) in Eqs. 9, 10, 11 for Laplacian mechanism, Eq. 14 for precision is increased under the same level of recall Gaussian mechanism, and Eqs. 17, 20, 23 under aux- when the adversary has access to the temporal correla- iliary information. For a given PR-relation that follows tion of the input data, resulting in a better PR-relation this fixed pattern (named as PRoptimal), we thus can in- compared to the static scenario. We show the enhanced fer the values of privacy parameters in DP guarantees by PR-relation in Figure 7(b) by setting ρp = 0.2, ρc = computing them directly from the corresponding equa- 0.1, ρt = 0.1 for example. Furthermore, we theoretically tions (Eqs. 9, 10, 11, 14, 17, 20, 23) of PR-relation or compute the highest Fβscore under given values of pri- the corresponding Figures 3(a), 4, 5(b), 6(b), 7(b). vacy budget ǫ, coefficient of prior distribution ρp, coeffi- Realistic Adversary: considering a realistic ad- cient of record correlation ρc and coefficient of temporal versary that may not have access to the full auxiliary correlation ρ as t information, the PR-relation (named as PRrealistic)

∗ Fβscore may be different. Nevertheless, we can still obtain a 1 + β2 lower bound for the corresponding privacy parameters, , ǫ < ǫ(ρp , ρc , ρt ) 2 2 + β − ρp − (2 − ρp )(ρc + ρt (1 − ρc )) by finding a lower bound of PRrealistic, denoted as 2 ǫ =  (1 + β2 )( 1 + 4β e − 1) 1−ρp −(2−ρp )(ρc +ρt (1−ρc )) PRoptimalLow, within all possible PRoptimal relations  , ǫ ≥ ǫ(ρp , ρc , ρt )  4β2 eǫ  (1 + β2 ) 1 + − 1 + β2 p 1−ρp −(2−ρp )(ρc +ρt (1−ρc )) (corresponding to different privacy parameters). Since (24)  β2 the best PR-relation achieved by the optimal adversary where ǫ(ρp, ρpc, ρt) = log(1 + ) 1−ρp−(2−ρp)(ρc+ρt(1−ρc)) under this mechanism should be better than PRrealistic, and the corresponding proof is deferred to the Ap- we know that the values of privacy parameters cor- pendix. From Eq. 24, we know that the temporal corresponding to the given PRrealistic should be larger relation can benefit the adversary’s hypothesis testing than the privacy parameters corresponding to the lower- ∗ to achieve an enhanced Fβscore. Therefore, the correla- bound optimal PR-relation PRoptimalLow. tion of the input data across time should be considered in selecting appropriate privacy parameters of privacy preserving mechanisms. Summary for the Quantification of DP under 6 Quantification of Other Privacy Auxiliary Information: Figure 8 shows the highest Notions from the Adversary’s Fβscore (setting β = 1) varying with ǫ under different auxiliary information. We can observe that the adver- Hypothesis Testing sary can infer more information of the input data with more auxiliary information (higher values of ρp, ρc, ρt). In this section, we systematically compare several exist- This property can also be explained by using condition- ing statistical privacy frameworks from the perspective

Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 248

PR-relation that can be achieved by the adversary. A rics such as the exponential mechanism, randomized re- privacy notion with a smaller ǫ in Theorem 7 is weaker sponse, local DP and geo-indistinguishability [3] could in restricting an adversary’s capability of performing hy- be interesting future directions. pothesis testing to infer an individual record. Combining In our work, we consider the adversary who aims the qualitative analysis in Section 6.1 and the quantita- to infer the presence/absence of any particular record tive comparison shown in Theorem 7, we know that un- (for unbounded DP) or the true value of a record (for der the same level of PR-relation, a larger value of ǫ can bounded DP), which is the standard adversary consid- be selected for a privacy notion with less restrictions in ered in DP framework. In practice, the adversary may the definition of neighboring databases. Based on The- be more interested in some aggregate statistics of the orem 7, we further compare these privacy notions under record, for instance, whether the value of the record di two special data distributions: 1) independent records is higher than a given value γ. Under this scenario, the and 2) independent and uniform records, as shown in two hypotheses of the adversary can be constructed as the following propositions. h : d > γ, h : d γ and then similar analysis in 0 i 1 i ≤ Sections 4, 5 can be conducted for implementing hy- Proposition 1. Privacy Comparison under Inde- pothesis testing. We will study the hypothesis testing of pendent Records: If the individual records in the these adversaries in the future. database are independent of each other, we have Our analysis considers adversaries with accurate auxiliary information of the prior distribution and cor- ǫBP (ht) = ǫDDP (ht) = ǫIP (ht) = ǫDP (ht) relation across records/time of the input database. In ǫDDP (ht) 2ǫMP (ht) ≤ practice, it can be challenging for defenders to have an ǫMIDP (ht) ǫMP (ht) ≤ accurate estimate of the adversary’s auxiliary informa- Proposition 2. Privacy Comparison under Inde- tion. Therefore, investigating the capability of adver- pendent and Uniform Records: If the individual sary’s hypothesis testing with approximate auxiliary in- records in the database are independent of each other, formation could be another interesting future work. and each record is uniformly distributed, we have Motivated by composition properties of DP [22, 30, 41], it is interesting to investigate the composability of ǫ (ht) = ǫ (ht) = ǫ (ht) = ǫ (ht) BP DDP IP DP our analysis across different privacy mechanisms and ǫ (ht) 2ǫ (ht) DDP ≤ MP explore tighter composition properties under specific ǫ (ht) ǫ (ht) MIDP ≤ MP mechanisms similar to [30] in the future.

7 Discussions, Limitations and 8 Conclusion Future Works In this paper, we investigate the state-of-the-art statis- Differential privacy provides a stability condition to the tical privacy frameworks (focusing on DP) from the per- perturbation mechanism towards changes to the input, spective of hypothesis testing of the adversary. We rigor- and there are ways to interpret its semantic privacy ously analyze the capability of an adversary for inferring guarantee, such as hypothesis testing [27, 30, 60] and a particular record of the input data using hypothesis plausible deniability [59][5]. In our work, we focus on testing. Our analysis provides a useful and interpretable leveraging hypothesis testing to provide a privacy in- guideline for how to select the privacy parameter ǫ in terpretation for DP mechanisms, which has implicitly DP, which is an important question for practitioners and taken the plausible deniability of any individual records researchers in the community. Our findings show that in the database into consideration (recall Section 3). an adversary’s auxiliary information – in the form of Our analysis focuses on the popular LPM-based DP prior distribution of the database, and correlation across mechanisms, based on which we illustrate how hypoth- records and time – indeed influences the proper choice esis testing can be used for the selection of privacy pa- of ǫ. Finally, our work systematically compares several rameters. We have shown the generality of our approach state-of-the-art privacy notions from the perspective of by applying it to the Gaussian perturbation mechanism adversary’s hypothesis testing and showcases their rela- in Section 4.3. Investigating how to generalize our anal- tionship with each other and with DP. ysis to a broader range of privacy mechanisms and met- Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 249

[8] Rui Chen, Benjamin C Fung, Philip S Yu, and Bipin C De- 9 Acknowledgement sai. Correlated network data publication via differential privacy. volume 23, pages 653–676. Springer-Verlag New The authors would like to thank Esfandiar Mohammadi York, Inc., 2014. for shepherding the paper, the anonymous reviewers for [9] Thomas M Cover and Joy A Thomas. Elements of informa- their valuable feedback. This work is supported in part tion theory. John Wiley & Sons, 2012. [10] Paul Cuff and Lanqing Yu. Differential privacy as a mutual by the National Science Foundation (NSF) under the information constraint. In Proceedings of the 2016 ACM grant CNS-1553437 and CCF-1617286, an Army Re- SIGSAC Conference on Computer and Communications search Office YIP Award, and faculty research awards Security, pages 43–54. ACM, 2016. from Google, Cisco, Intel, and IBM. This work is also [11] Jesse Davis and Mark Goadrich. The relationship between partly sponsored by the U.S. Army Research Labora- precision-recall and roc curves. In Proceedings of the 23rd tory and the U.K. Ministry of Defence under Agree- international conference on Machine learning, pages 233– 240. ACM, 2006. ment Number W911NF-16-3-0001. The views and con- [12] Zeyu Ding, Yuxin Wang, Guanhong Wang, Danfeng Zhang, clusions contained in this document are those of the au- and Daniel Kifer. Detecting violations of differential privacy. thors and should not be interpreted as representing the In Proceedings of the 2018 ACM SIGSAC Conference on official policies, either expressed or implied, of the U.S. Computer and Communications Security, pages 475–489. Army Research Laboratory, the U.S. Government, the ACM, 2018. [13] Cynthia Dwork. Differential privacy. In Automata, languages U.K. Ministry of Defence or the U.K. Government. The and programming. 2006. U.S. and U.K. Governments are authorized to repro- [14] Cynthia Dwork. Differential privacy: A survey of results. In duce and distribute reprints for Government purposes Theory and Applications of Models of Computation. 2008. notwithstanding any copyright notation hereon. [15] Cynthia Dwork. A firm foundation for private data analysis. Communications of the ACM, 2011. [16] Cynthia Dwork, Krishnaram Kenthapadi, Frank McSherry, Ilya Mironov, and Moni Naor. Our data, ourselves: Privacy References via distributed noise generation. In Annual International Conference on the Theory and Applications of Cryptographic [1] Detection, decision, and hypothesis testing. Techniques, pages 486–503. Springer, 2006. http://web.mit.edu/gallager/www/papers/chap3.pdf. [17] Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam [2] David R Anderson, Kenneth P Burnham, and William L Smith. Calibrating noise to sensitivity in private data analy- Thompson. Null hypothesis testing: problems, prevalence, sis. In Springer Theory of cryptography. 2006. and an alternative. The journal of wildlife management, [18] Cynthia Dwork, Aaron Roth, et al. The algorithmic foun- pages 912–923, 2000. dations of differential privacy. Foundations and Trends® in [3] Miguel E Andrés, Nicolás E Bordenabe, Konstanti- Theoretical Computer Science, 9(3–4):211–407, 2014. nos Chatzikokolakis, and Catuscia Palamidessi. Geo- [19] Cynthia Dwork and Guy N Rothblum. Concentrated differ- indistinguishability: Differential privacy for location-based ential privacy. arXiv preprint arXiv:1603.01887, 2016. systems. In Proceedings of the 2013 ACM SIGSAC con- [20] Cynthia Dwork and Adam Smith. Differential privacy for ference on Computer & communications security, pages statistics: What we know and what we want to learn. Jour- 901–914. ACM, 2013. nal of Privacy and Confidentiality, 2010. [4] Borja Balle and Yu-Xiang Wang. Improving the gaussian [21] Marco Gaboardi, Hyun-Woo Lim, Ryan M Rogers, and mechanism for differential privacy: Analytical calibration and Salil P Vadhan. Differentially private chi-squared hypoth- optimal denoising. In International Conference on Machine esis testing: Goodness of fit and independence testing. In Learning (ICML), 2018. ICML’16 Proceedings of the 33rd International Conference [5] Vincent Bindschaedler, Reza Shokri, and Carl A Gunter. on International Conference on Machine Learning-Volume Plausible deniability for privacy-preserving data synthe- 48. JMLR, 2016. sis. Proceedings of the VLDB Endowment, 10(5):481–492, [22] Srivatsava Ranjit Ganta, Shiva Prasad Kasiviswanathan, and 2017. Adam Smith. Composition attacks and auxiliary information [6] Yang Cao, Masatoshi Yoshikawa, Yonghui Xiao, and in data privacy. In Proceedings of the 14th ACM SIGKDD Li Xiong. Quantifying differential privacy under temporal international conference on Knowledge discovery and data correlations. In Data Engineering (ICDE), 2017 IEEE 33rd mining, pages 265–273. ACM, 2008. International Conference on, pages 821–832. IEEE, 2017. [23] Quan Geng, Wei Ding, Ruiqi Guo, and Sanjiv Kumar. Op- [7] Thee Chanyaswad, Alex Dytso, H Vincent Poor, and Prateek timal Noise-Adding Mechanism in Additive Differential Pri- Mittal. Mvg mechanism: Differential privacy under matrix- vacy. In Proceedings of the 22th International Conference on valued query. In Proceedings of the 25nd ACM SIGSAC Artificial Intelligence and Statistics (AISTATS), 2019. Conference on Computer and Communications Security. [24] Arpita Ghosh and Robert Kleinberg. Inferential privacy guar- ACM, 2018. antees for differentially private mechanisms. arXiv preprint arXiv:1603.01508, 2016. Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 250

[25] Dorothy M Greig, Bruce T Porteous, and Allan H Seheult. of the 2009 ACM SIGMOD International Conference on Exact maximum a posteriori estimation for binary images. Management of data, pages 19–30. ACM, 2009. Journal of the Royal Statistical Society. Series B (Method- [42] Sebastian Meiser and Esfandiar Mohammadi. Tight on ological), pages 271–279, 1989. budget?: Tight bounds for r-fold approximate differential pri- [26] Andreas Haeberlen, Benjamin C Pierce, and Arjun Narayan. vacy. In Proceedings of the 2018 ACM SIGSAC Conference Differential privacy under fire. In USENIX Security Sympo- on Computer and Communications Security, pages 247–264. sium, 2011. ACM, 2018. [27] Rob Hall, Alessandro Rinaldo, and Larry Wasserman. Differ- [43] Deepak K Merchant and George L Nemhauser. Optimality ential privacy for functions and functional data. Journal of conditions for a dynamic traffic assignment model. Trans- Machine Learning Research, 14(Feb):703–727, 2013. portation Science, 12(3):200–207, 1978. [28] Xi He, Ashwin Machanavajjhala, and Bolin Ding. Blowfish [44] Ilya Mironov. Renyi differential privacy. In Computer Secu- privacy: Tuning privacy-utility trade-offs using policies. In rity Foundations Symposium (CSF), 2017 IEEE 30th, pages Proceedings of the 2014 ACM SIGMOD international con- 263–275. IEEE, 2017. ference on Management of data, pages 1447–1458. ACM, [45] Whitney K Newey and Daniel McFadden. Large sample es- 2014. timation and hypothesis testing. Handbook of econometrics, [29] Justin Hsu, Marco Gaboardi, Andreas Haeberlen, Sanjeev 4:2111–2245, 1994. Khanna, Arjun Narayan, Benjamin C Pierce, and Aaron [46] J Neyman and ES Pearson. On the problem of the most Roth. Differential privacy: An economic method for choosing efficient tests of statistical hypotheses. Phil. Trans. R. Soc. epsilon. In Computer Security Foundations Symposium Lond, pages 289–337, 1933. (CSF), 2014 IEEE 27th, pages 398–410. IEEE, 2014. [47] Jerzy Neyman and Egon S Pearson. On the use and inter- [30] Peter Kairouz, Sewoong Oh, and Pramod Viswanath. The pretation of certain test criteria for purposes of statistical composition theorem for differential privacy. IEEE Transac- inference: Part i. Biometrika, pages 175–240, 1928. tions on Information Theory, 63(6):4037–4049, 2017. [48] Ryan Rogers, Aaron Roth, Adam Smith, and Om Thakkar. [31] Shiva P Kasiviswanathan and Adam Smith. On Max-information, differential privacy, and post-selection the’semantics’ of differential privacy: A bayesian formula- hypothesis testing. arXiv preprint arXiv:1604.03924, 2016. tion. Journal of Privacy and Confidentiality, 6(1), 2014. [49] Albert Satorra and Willem E Saris. Power of the likelihood [32] Daniel Kifer and Ashwin Machanavajjhala. No free lunch ratio test in covariance structure analysis. Psychometrika, in data privacy. In Proceedings of the 2011 ACM SIGMOD 50(1):83–90, 1985. International Conference on Management of data, pages [50] Lawrence A Shepp and Yehuda Vardi. Maximum likelihood 193–204. ACM, 2011. reconstruction for emission tomography. IEEE transactions [33] Daniel Kifer and Ashwin Machanavajjhala. A rigorous and on medical imaging, 1(2):113–122, 1982. customizable framework for privacy. In Proceedings of the [51] David Sommer, Sebastian Meiser, and Esfandiar Moham- 31st ACM SIGMOD-SIGACT-SIGAI symposium on Princi- madi. Privacy loss classes: The central limit theorem in ples of Database Systems, pages 77–88. ACM, 2012. differential privacy. Proceedings on privacy enhancing tech- [34] Sara Krehbiel. Markets for database privacy. 2014. nologies, 2019. [35] Jaewoo Lee and Chris Clifton. How much is enough? choos- [52] Shuang Song, Yizhen Wang, and Kamalika Chaudhuri. ing ε for differential privacy. In International Conference on Pufferfish privacy mechanisms for correlated data. In Pro- Information Security, pages 325–340. Springer, 2011. ceedings of the 2017 ACM International Conference on [36] Jaewoo Lee and Chris Clifton. Differential identifiability. Management of Data, pages 1291–1306. ACM, 2017. In Proceedings of the 18th ACM SIGKDD international [53] Jun Tang, Aleksandra Korolova, Xiaolong Bai, Xueqiang conference on Knowledge discovery and data mining, pages Wang, and Xiaofeng Wang. Privacy loss in apple’s imple- 1041–1049. ACM, 2012. mentation of differential privacy on macos 10.12. arXiv [37] Erich L Lehmann and Joseph P Romano. Testing statistical preprint arXiv:1709.02753, 2017. hypotheses. Springer Science & Business Media, 2006. [54] Michael Carl Tschantz, Shayak Sen, and Anupam Datta. [38] Ninghui Li, Wahbeh Qardaji, Dong Su, Yi Wu, and Weining Differential privacy as a causal property. arXiv preprint Yang. Membership privacy: a unifying framework for pri- arXiv:1710.05899, 2017. vacy definitions. In Proceedings of the 2013 ACM SIGSAC [55] Yiannis Tsiounis and Moti Yung. On the security of elgamal conference on Computer & communications security, pages based encryption. In International Workshop on Public Key 889–900. ACM, 2013. Cryptography, pages 117–134. Springer, 1998. [39] Changchang Liu, Supriyo Chakraborty, and Prateek Mittal. [56] Cornelis Joost van Rijsbergen. Information retrieval. In Dependence makes you vulnerable: Differential privacy under Butterworth-Heinemann Newton, MA, USA, 1979. dependent tuples. In The Network and Distributed System [57] Quang H Vuong. Likelihood ratio tests for model selection Security Symposium (NDSS), 2016. and non-nested hypotheses. Econometrica: Journal of the [40] Ashwin Machanavajjhala, Xi He, and Michael Hay. Differ- Econometric Society, pages 307–333, 1989. ential privacy in the wild: A tutorial on current practices & [58] Yue Wang, Jaewoo Lee, and Daniel Kifer. Differentially open challenges. In Proceedings of the 2017 ACM Inter- private hypothesis testing, revisited. ArXiv e-prints, 2015. national Conference on Management of Data, pages 1727– [59] Stanley L Warner. Randomized response: A survey technique 1730. ACM, 2017. for eliminating evasive answer bias. Journal of the American [41] Frank D McSherry. Privacy integrated queries: an extensible Statistical Association, 60(309):63–69, 1965. platform for privacy-preserving data analysis. In Proceedings Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 251

[60] Larry Wasserman and Shuheng Zhou. A statistical frame- 10.2 Proof for Corollary 1 work for differential privacy. Journal of the American Statis- tical Association, 105(489):375–389, 2010. Proof. This optimality is generally applicable for ad- [61] Rand R Wilcox. Introduction to robust estimation and hy- versaries implementing the Neyman-Pearson criterion, pothesis testing. Academic press, 2011. [62] Xiaotong Wu, Taotao Wu, Maqbool Khan, Qiang Ni, and under any distribution of the input data. This is be- Wanchun Dou. Game theory based correlated privacy pre- cause the proof in Theorem 2 demonstrates the inher- serving analysis in big data. IEEE Transactions on Big Data, ent relationship among these quantification metrics (i.e., 2017. the maximization of PTD under a given level of PFA is [63] Yonghui Xiao and Li Xiong. Protecting locations with dif- equivalent to maximizing precision under a given level of ferential privacy under temporal correlations. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and recall), regardless of the distribution of the data. There- Communications Security, pages 1298–1309. ACM, 2015. fore, the optimality of Neyman-Pearson criterion (max- [64] Bin Yang, Issei Sato, and Hiroshi Nakagawa. Bayesian differ- imizing PTD under a given level of PFA) to achieve the ential privacy on correlated data. In Proceedings of the 2015 best PR-relation holds for correlated records. where the ACM SIGMOD international conference on Management of correlation relationships are naturally incorporated in Data, pages 747–762. ACM, 2015. the likelihood ratio detection process of the Neyman- [65] Tianqing Zhu, Ping Xiong, Gang Li, and Wanlei Zhou. Cor- related differential privacy: Hiding information in non-iid Pearson criterion. dataset. Information Forensics and Security, IEEE Transac- tions on, 2013. ∗ 10.3 Fβscore for Unbounded DP 10 Appendix According to the definition of F , we know 10.1 Proof for Theorem 2 βscore that maximizing Fβscore is equivalent to minimizing GSR+β2 1 since Fβscore = 2 = RSR 1 + β Proof. Achieve the minimal PFA under a given (1+β2)precision (1+β2)recall level of P : For a given false alarm rate P , the 1+β2 GSR+β2 TD FA 2 . Then, we define f = and ana- 1+ GSR+β RSR maximal true detection rate P can be achieved ac- RSR TD lyze f by considering three different intervals of θ in cording to the Neyman-Pearson criterion (Definition 3). ( ,Q(D′)], (Q(D′),Q(D)), [Q(D), + ), respectively. Furthermore, note that the maximal P is not decreas- −∞ ∞ TD 1) For the first interval of ( ,Q(D′)], we have ing with the increasing of P . Thus, under a given level θ−Q(D′) −∞ FA ǫ ˆ GSR+β2 1+β2−0.5e ∆Q of the true detection rate PTD = P ( = D = D) = f = = θ−Q(D) . Then, we take the D |D RSR ǫ P ( ˆ = D, = D)/P ( = D), the adversary imple- 1−0.5e ∆Q D D D derivative of f with respect to θ as menting the Neyman-Pearson criterion can achieve the θ−Q(D′) θ−Q(D) ˆ ′ ǫ ǫ minimal false alarm rate PFA = P ( = D = D ) = 0.5ǫ ∆Q ∆Q ∂f ∆Q e (1 0.5e ) ′ ′ D |D = − − P ( ˆ = D, = D )/P ( = D ). As a direct result of θ−Q(D) ∂θ ǫ D D D ′ (1 0.5e ∆Q )2 this, we obtain a minimal P ( ˆ = D, = D ) under a − θ−Q(D) θ−Q(D′) D D ǫ ǫ fixed P ( ˆ = D, = D). 0.5ǫ e ∆Q (1 + β2 0.5e ∆Q ) D D ∆Q − (26) + θ−Q(D) Achieve the maximal precision under a given ǫ (1 0.5e ∆Q )2 level of recall: Since both PTD and recall correspond − θ−Q(D′) ǫ − to P ( ˆ = D = D), we know that a given level of 0.5ǫ e ∆Q ((1 + β2)e ǫ 1) D |D ∆Q − = θ−Q(D) recall is equivalent to the same level of P . Therefore, ǫ TD (1 0.5e ∆Q )2 under a given level of recall (i.e., PTD), the precision − can be computed as P ( = D ˆ = D) = P ( ˆ = D, = Therefore, we have ∂f > 0, i.e., the function D |D D D ∂θ θ=Q(D′) D)/ P ( ˆ = D, = D) + P ( ˆ = D, = D′) , which is f increases monotonically with θ ( ,Q(D′)], if ǫ < D D D D ∈ −∞ maximized under the Neyman-Pearson criterion (with log(1 + β2). Otherwise, it decreases monotonically. a minimal P ( ˆ = D, = D′) under a fixed P ( ˆ = 2) For the second interval of (Q(D′),Q(D)), we have D D D θ−Q(D′) − ǫ D, = D)). GSR+β2 0.5e ∆Q +β2 D f = = θ−Q(D) . We then compute the RSR ǫ Therefore, the Neyman-Pearson criterion can 1−0.5e ∆Q achieve the maximal precision under any given level of recall, thus characterizing the optimal adversary that can achieve the best PR-relation. Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 252 derivative of f with respect to θ as in Eq. 4 as

′ − θ−Q(D ) θ−Q(D) (o h ) P(A(D) = o) 0.5ǫ ∆Q ǫ ∆Q ǫ 1 ∂f ∆Q e (1 0.5e ) Λ(o) = L | = ′ − − (o h0) P(A(D ) = o) = θ−Q(D) ∂θ ǫ L | (1 0.5e ∆Q )2 (o−Q(D))2 − 1 exp ′ 2 log(1.25/δ)∆Q/ǫ 4 log(1.25/δ)∆Q/ǫ θ−Q(D) − θ−Q(D ) √ − 0.5ǫ ∆Q ǫ ∆Q ǫ 2 = e (0.5e + β ) − ′ 2 (29) ∆Q (27) 1 exp (o Q(D )) + θ−Q(D) 4 log(1.25/δ)∆Q/ǫ ǫ √2 log(1.25/δ)∆Q/ǫ − (1 0.5e ∆Q )2 − ∆Q(2o Q(D) Q(D′)) θ−Q(D′) θ−Q(D) − − ǫ ǫ = exp − − 0.5ǫ (e ǫ e ∆Q + β2e ∆Q ) 4 log(1.25/δ)∆Q/ǫ ∆Q − = θ−Q(D) ǫ (1 0.5e ∆Q )2 − Then, we can compute the false alarm rate ∂f 0.5ǫ ∞ When θ = Q(D), we have = (e−ǫ α according to 1 P(A(D′) = o)do = 1 ∂θ θ=Q(D) ∆Q − θ −ǫ 2 ′ ∞ − ′ 2 − e + β ) > 0. When θ = Q(D ), we have 1 1 exp (o−Q(D )) do, ∂f 0.5ǫ 2 −ǫ θ √2 log(1.25/δ)∆Q/ǫ R− − 4 log(1.25/δ)∆Q/ǫ ′ = ((1 + β )e 1). Therefore, we know ′ ∂θ θ=Q(D ) ∆Q − θ−Q(D ) −1 ∂f Rwhich is 1 Φ( ), i.e., θ = Φ (1 2 log(1.25/δ)∆Q/ǫ that ∂θ θ=Q(D′) > 0. i.e., the function f increases mono- − √ − tonically with ǫ [Q(D′),Q(D)], if ǫ < log(1 + β2). α) 2 log(1.25/δ)∆Q/ǫ + Q(D′), where Φ( ) is the · ∈ cumulative distribution probability (CDF) of the Otherwise, it decreases and then increases thus there is p standard normal distribution. Then, the thresh- a mininum within this interval. To solve for this min-′ − θ−Q(D ) ǫ inum, we set the derivative to 0, i.e., e−ǫ e ∆Q + old λ for the likelihood ratio can be computed ′ θ−Q(D) −−1+ 1+4β2eǫ ∆Q(2θ−Q(D)−Q(D )) 2 ∆Q ǫ ∆Q √ as exp and the true detection β e = 0 to obtain θ = ǫ log 2β2 + 4 log(1.25/δ)∆Q/ǫ ′ Q(D ). The corresponding minimum value for Fβscore rate can be computed according to PTD = 1 ∞ θ−Q(D) − (1+β2)(1+4β2eǫ−√1+4β2eǫ) P(A(D) = o)do = 1 Φ( ). can be computed as . θ √2 log(1.25/δ)∆Q/ǫ 2 2 ǫ 2 2 ǫ − (1+β )(1+4β e )−(1−β )√1+4β e For a given false alarm rate α, we can uniquely 3) For the third interval [Q(D), + ), we have f = R −(θ−Q(D′)ǫ) ∞ determine the threshold of the likelihood ratio λ, the 2 2 GSR+β 0.5e ∆Q +β threshold of the output θ and the true detection rate RSR = −(θ−Q(D)ǫ) . We then take the deriva- 0.5e ∆Q P . Since θ can be any possible value of the private tive of f with respect to θ as TD query result, we know that the Neyman-Pearson crite- θ−Q(D′) θ−Q(D) 2 − ǫ − ǫ 0.25ǫ ∆Q ∆Q rion is equivalent to setting a threshold θ for the Gaus- ∂f ∆Q e e = − θ−Q(D) sian mechanism which is of a simpler formulation. ∂θ − ǫ (0.5e ∆Q )2

θ−Q(D) θ−Q(D′) − ǫ − ǫ 0.5ǫ e ∆Q (0.5e ∆Q + β2) ∆Q (28) ∗ + θ−Q(D) 10.5 F under Auxiliary Information − ǫ βscore (0.5e ∆Q )2 ∗ 10.5.1 Fβscore under Prior Distribution 2 − θ−Q(D) 0.5β ǫ ∆Q ǫ ∆Q e = θ−Q(D) − ǫ Consider an adversary with access to the prior dis- (0.5e ∆Q )2 tribution of the input database. Since Fβscore = Therefore, we know that f increases monotonically with 2 1 = 1+β , we know 1 β2 (1−ρp)GSR+β2 θ [Q(D), + ). Combining all the three intervals 1)-3), 2 + 2 1+ ∈ ∞ (1+β )precision (1+β )recall RSR we obtain the highest Fβscore as in Eq. 12. that maximizing Fβscore is equivalent to minimizing 2 2 (1−ρp)GSR+β (1−ρp)GSR+β RSR . Next, we define f = RSR and 10.4 Proof for Theorem 6 analyze its property under three intervals. 1) For the first interval of ( ,Q(D′)], we have f = −∞ θ−Q(D′) ǫ 2 2 ∆Q Proof. According to the Neyman-Pearson Lemma [46], (1−ρp)GSR+β 1−ρp+β −0.5(1−ρp)e = θ−Q(D) . Next, we RSR ǫ the likelihood ratio test [49, 57] can be utilized to 1−0.5e ∆Q achieve the Neyman-Pearson criterion. For an adversary with access to the noisy scalar output o = ( ) = A D Q( )+ (2 log(1.25/δ)∆Q/ǫ), we can compute the likeli- D N hood ratio corresponding to the two hypotheses defined Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 253 take the derivative of f as take the derivative of f as

θ−Q(D′) θ−Q(D) θ−Q(D′) θ−Q(D) 0.5(1−ρ )ǫ ǫ ǫ 0.25(1−ρ )ǫ2 − ǫ − ǫ p e ∆Q (1 0.5e ∆Q ) p e ∆Q e ∆Q ∂f − ∆Q − ∂f − ∆Q = θ−Q(D) = θ−Q(D) ∂θ ǫ ∂θ − ǫ (1 0.5e ∆Q )2 (0.5e ∆Q )2 − ′ ′ θ−Q(D) θ−Q(D ) − θ−Q(D) − θ−Q(D ) 0.5ǫ ǫ 2 ǫ 0.5ǫ ǫ ǫ 2 e ∆Q (1 ρp + β 0.5(1 ρp)e ∆Q ) e ∆Q (0.5(1 ρp)e ∆Q + β ) ∆Q − − − ∆Q − (32) + θ−Q(D) + θ−Q(D) ǫ − ǫ (1 0.5e ∆Q )2 (0.5e ∆Q )2 − ′ θ−Q(D) θ−Q(D ) 0.5β2ǫ − ǫ 0.5ǫ ∆Q ǫ 2 −ǫ ∆Q e ((1 ρp + β )e (1 ρp)) ∆Q e ∆Q − − − = = θ−Q(D) θ−Q(D) ǫ − ǫ (1 0.5e ∆Q )2 (0.5e ∆Q )2 − (30) ∂f Therefore, f increases monotonically for θ Therefore, we have ′ > 0, i.e., the function ∈ ∂θ θ=Q(D ) ( ,Q(D′)]. Combining the analysis for all the three f increases monotonically for θ ( ,Q(D′)], if ǫ < −∞ 2 ∈ −∞ intervals, we can achieve F ∗ as in Eq. 12. log(1 + β ). Otherwise, it decreases monotonically. βscore 1−ρp 2) For the second interval of (Q(D′),Q(D)), we have θ−Q(D′) ∗ − ǫ F 2 ∆Q 2 10.5.2 βscore under Record Correlation (1−ρp)GSR+β 0.5(1−ρp)e +β f = = θ−Q(D) . Next, we RSR ǫ 1−0.5e ∆Q take the derivative of f as The computation of the highest Fβscore for adversaries under record correlation is similar to that of adver- θ−Q(D′) θ−Q(D) 0.5(1−ρ )ǫ − ǫ ǫ p e ∆Q (1 0.5e ∆Q ) saries with prior distribution. By comparing Eq. 17 and ∂f − ∆Q − = θ−Q(D) ∂θ ǫ Eq. 20, we can also simply replace ρp in Eq. 18 with (1 0.5e ∆Q )2 − ′ ρp + ρc(2 ρp) to obtain Eq. 21. θ−Q(D) − θ−Q(D ) 0.5ǫ ǫ ǫ 2 − e ∆Q (0.5(1 ρp)e ∆Q + β ) ∆Q − (31) + θ−Q(D) ǫ ∗ (1 0.5e ∆Q )2 10.5.3 F under Temporal Correlation − βscore θ−Q(D′) θ−Q(D) 0.5(1−ρ )ǫ − − ǫ 2 ǫ p (e ǫ e ∆Q + β e ∆Q ) ∆Q 1−ρp − The computation of the highest Fβscore for adversaries = θ−Q(D) ǫ (1 0.5e ∆Q )2 under temporal correlation is similar to that of adver- − saries with prior distribution and record correlation. By For θ = Q(D), we have ∂f = 0.5(1−ρp)ǫ (e−ǫ ∂θ θ=Q(D) ∆Q comparing Eq. 17 with Eq. 23, we can also simply re- 2 − e−ǫ + β ) > 0. For θ = Q(D′), we have ∂f = 1−ρp ∂θ θ=Q(D′) place ρp in Eq. 18 with ρp + (2 ρp)(ρc + ρt(1 ρc)) to 2 − − 0.5(1−ρp)ǫ ((1 + β )e−ǫ 1). Therefore, we have obtain Eq. 24. ∆Q 1−ρp − ∂f ∂θ θ=Q(D′) > 0, i.e., the function f increases monotonically for ǫ (Q(D′),Q(D)), if ǫ < log(1 + 10.6 Proof for Theorem 7 2 ∈ β ). Otherwise, it decreases and then increases thus 1−ρp there is a mininum within this interval. To solve for Proof. The Blowfish framework [28], which is a sub- the mininum, we set the derivative to 0, i.e., e−ǫ class of the Pufferfish framework, allows user to specify θ−Q(D′) θ−Q(D) − − ǫ β2 ǫ adversarial knowledge about the database in the form e ∆Q + e ∆Q = 0 to obtain θ = 1−ρp · of deterministic policy constraints. In the presence of ∆Q 1−ρp 4β2eǫ ′ log( 2 ( 1 + 1))+Q(D ). The correspond- ǫ 2β 1−ρp − general deterministic constraints, pairs of neighboring 2 ǫ q(1+β2)( 1+ 4β e −1) databases can differ in any number of tuples. The neigh- 1−ρp ing Fβscore = . boring databases of dependent differential privacy differ 2 ǫ (1+β2) q1+ 4β e −1+β2 1−ρp in tuples caused by one direct modification of one tu- L 3) For the third intervalq of [Q(D′), + , we have f = ple. Therefore, under the same performance achieved by −(θ−Q(D′)ǫ∞) 2 ∆Q 2 the adversary’s hypothesis testing (the same amount of (1−ρp)GSR+β = 0.5(1−ρp)e +β . Then, we RSR −(θ−Q(D)ǫ) perturbation), we know that ǫ (ht) ǫ (ht). 0.5e ∆Q DDP ≤ BP From the definition of inferential privacy, we P (D=D|A(D)=o) ǫ P (D=D) have maxD,D′ P (D=D′|A(D)=o) e P (D=D′) ≤ ′ ⇐⇒ P (D=D|A(D)=o) ǫ P (D=D |A(D)=o) maxD,D′ P (D=D) e P (D=D′) ≤ ′ ⇐⇒ P (D=D,A(D)=o) ǫ P (D=D ,A(D)=o) maxD,D′ A(D)=o),P (D=D) e A(D)=o),P (D=D′) ≤ ǫ ′ ⇐⇒ max ′ P ( (D) = o) e P ( (D ) = o), which is D,D A ≤ A Investigating Statistical Privacy Frameworks from the Perspective of Hypothesis Testing 254 equivalent to dependent differential privacy that re- P (A(D)=o) ǫ quires max ′ e . Therefore, we have D,D P (A(D′)=o) ≤ ǫDDP (ht) = ǫIP (ht) under the same hypothesis testing performance achieved by the adversary. Since the neighboring databases in DP only differ in one tuple, we know that ǫ (ht) ǫ (ht) under DP ≤ DDP the same hypothesis testing achieved by the adversary. Next, we consider membership privacy whose mathematical form is different from other privacy metrics. Membership privacy does not consider two neighboring databases, but only bounds the ratio between the posterior probability and the prior probability for any data record. Based on the definition of membership privacy and inferential privacy, we know that the membership privacy satisfying exp( ǫ) P (D=D|A(D)=o) − ≤ P (D=D) ≤ P (Di=di1|A(D)=o) exp(ǫ) would lead to maxd ,d i1 i2 P (Di=di2|A(D)=o) ≤ exp(2ǫ) P (Di=di1) in inferential privacy (and thus depen- P (Di=di2) dent differential privacy). That is to say, ǫ-membership privacy would lead to 2ǫ-dependent differential privacy. Therefore, we have ǫ (ht) 2ǫ (ht) under the DDP ≤ MP same performance of the adversary’s hypothesis testing. Furthermore, membership privacy considers the worst-case difference between posterior probability and prior probability, and the mutual information based differential privacy considers the average difference between posterior probability and prior probability. There- fore, we have that ǫ-membership privacy would lead to ǫ- mutual information based differential privacy. Under the same performance of the adversary’s hypothesis testing, we have ǫ (ht) ǫ (ht). MIDP ≤ MP