sign in sign up
<<
Home , Statistical parameter

A Model Approach to Statistical Privacy

Ehsan Nekouei, Henrik Sandberg, Mikael Skoglund, and Karl H. Johansson

Abstract

In this paper, we study a privacy filter design problem for a sequence of sensor measurements whose joint probability density function (p.d.f.) depends on a private parameter. To ensure parameter privacy, we propose a filter design framework which consists of two components: a randomizer and a nonlinear transformation. The randomizer takes the private parameter as input and randomly generates a pseudo parameter. The nonlinear mapping transforms the measurements such that the joint p.d.f. of the filter’s output depends on the pseudo parameter rather than the private parameter. It also ensures that the joint p.d.f. of the filter’s output belongs to the same family of distributions as that of the measurements. The nonlinear transformation has a feedforward-feedback structure that allows real-time and causal generation of the disguised measurements with low complexity using a recursive structure. The design of the randomizer is formulated as an optimization problem subject to a privacy constraint, in terms of mutual information, and it is shown that the optimal randomizer is the solution of a convex optimization problem. Using information-theoretic inequalities, we show that the performance of any of the private parameter, based on the output of the privacy filter, is limited by the privacy constraint. The structure of the nonlinear transformation is studied in the special cases of independent and identically distributed, Markovian, and Gauss-Markov measurements. Our results show that the privacy filter in the Gauss-Markov case can be implemented as two one-step ahead Kalman predictors and a set of minimum square error predictors. The Kalman predictors significantly reduce the

arXiv:2105.10664v1 [eess.SY] 22 May 2021 complexity of computing the disguised measurements. A numerical example on occupancy privacy in a building automation system illustrates the approach.

E. Nekouei is with the Department of Electrical Engineering, City University of Hong Kong. E-mail: [email protected]. H. Sandberg, M. Skoglund, and K. H. Johansson are with the School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology. E-mail: {hsan,skoglund,kallej}@kth.se. 2

I.INTRODUCTION

A. Motivation

Networked control systems are omnipresent in our daily lives by providing essential services such as intelligent transportation, smart grid, and intelligent buildings. Sensors are crucial com- ponents of any system as they provide critical information that can be used for control, diagnosis and monitoring purposes. However, sensor measurements in a networked system typically contain information about private variables. Thus, directly revealing the measurements to untrusted parties may expose the system to the risk of privacy loss. For example, the occupancy level of a building, which is a highly private variable, can be inferred from the CO2 and temperature measurements of the building [1]. Privacy breaches may have negative consequences such as reputation damage and financial losses due to lawsuits. The sheer importance of privacy has motivated numerous research efforts to develop privacy-preserving solutions for networked control systems.

B. Related Work

A variety of problems related to privacy and networked estimation and control have been studied in the literature. The privacy aspect of the hypothesis testing problem as well as various solutions for privacy-aware hypothesis testing have been studied in the literature, e.g., [2], [3], [4], [5]. The authors in [6] considered a multi-sensor hypothesis testing problem wherein a fusion center receives the decisions of a set of sensors and an adversary overhears the local decisions of a subset of sensors. They studied the optimal privacy-aware hypothesis testing rule that minimizes the Bayes risk subject to a privacy constraint at the adversary. In [7], the authors considered a similar set-up and investigated the optimal privacy-aware design of the Neyman-Pearson test. The authors in [8] studied the optimal privacy filter design problem for a public Markov chain that is correlated with a private Markov chain. Tanaka et al. in [9] considered a linear Gaussian plant in which the sensor measurements are communicated with an untrusted cloud controller. They studied the optimal privacy filter design problem subject to a constraint on the privacy of the states of the plant. The authors of [10] studied the optimal privacy-aware control law for a Markov decision process subject to a privacy constraint on an adversary which has access to the input and output of the Markov chain. We note that the information-theoretic approach to privacy has been extensively studied in the literature, e.g., [11], [12], [13], [14]. In such an approach, one observes a public which is correlated with a private variable. Here, the

May 25, 2021 DRAFT 3

objective is to generate a degraded version of the public variable such that the distortion due to the privacy filter is minimized subject to an information-theoretic constraint on the privacy. The interested reader is referred to [15] for an overview of information-theoretic approaches to privacy in estimation and control. Privacy-aware solutions to estimation, filtering, and average consensus problems have been developed in the literature based on the notion of differential privacy. The authors in [16] developed a framework for privacy-aware filtering of the measurements of a dynamical system using the concept of differential privacy. Sandberg et al. [17] studied the state estimation in an electricity distribution network subject to a constraint on the consumers’ privacy. Privacy-aware average consensus algorithms were developed in [18] and [19] to guarantee the privacy of agents’ initial states. The authors of [20] developed a framework based on differential privacy to address the privacy of the initial state as well as the way-points of each agent in a distributed control problem. The statistical parameter privacy problem has been studied in [21] and [22]. Bassi et al. in [21] studied the statistical parameter privacy of an independent and identically distributed (i.i.d.) sequence of random variables where their common p.d.f. depends on a private parameter. In their set-up, the privacy filter consists of a randomly selected stochastic kernel which generates a random output based on each observed random variable. They characterized the leakage level of private information under the Bayes statistical risk as the privacy measure. The authors in [22] studied the of controller and privacy filter for a linear Gaussian plant. The system dynamics should be kept private from an adversary interested in inferring the system dynamics based on the state measurements and control inputs. Assuming Fisher information as privacy metric, they showed that the optimal privacy filter is in the form of a state-dependent Gaussian stochastic kernel.

C. Contributions

In this paper, we consider a sequence of measurements, observed by a sensor, whose joint p.d.f. depends on a private parameter. To ensure parameter privacy of the measurements, we propose a filter design framework which consists of two parts: a randomizer and a nonlinear transformation. The randomizer takes the private parameter as input and randomly generates a pseudo parameter. The nonlinear transformation alters the measurements such that the joint p.d.f. of the filter’s output is characterized by the pseudo parameter rather than the private parameter.

May 25, 2021 DRAFT 4

The nonlinear transformation also ensures that the joint p.d.f. of the filter’s output belongs to the same family of distributions as the measurements. The nonlinear transformation has a feedforward-feedback structure which enables real-time and causal computation of the disguised measurements with low complexity. In our set-up, the randomizer is designed by minimizing the average distortion due to the privacy filter subject to a privacy constraint in terms of the mutual information between the private and the pseudo . Using information-theoretic inequalities, we show that the performance of any estimator of the private parameter based on the output of the privacy filter is limited by the privacy constraint. We investigate the structure of the nonlinear transformation for independent and identically distributed (i.i.d.), Markovian and Gauss-Markov measurements. Our results show that the structure of the nonlinear transformation involves two one-step-ahead Kalman predictors in the Gauss-Markov case. The Kalman predictors significantly reduce the complexity of generating the disguised measurements. The result for i.i.d. measurements has appeared in [23]. Different from [23] and [21], the current paper develops a privacy filter design framework without imposing the i.i.d. assumption on the joint p.d.f. of the measurements. In our set-up, the sensor measurements are processed by a nonlinear transformation, rather than a stochastic kernel, which ensures that the distribution of the output of privacy filter belongs to the same family of distributions as the measurements. This requirement is not guaranteed by the frameworks in [21] and [22] since stochastic kernels significantly alter the distribution of the measurements. Our mutual information privacy metric is fundamentally different from the Fisher information metric in [22], in the sense that the mutual information provides a lower bound on the error probability of any arbitrary estimator of private variables whereas Fisher information provides a lower bound on the mean square error of any unbiased estimator of private parameters.

D. Outline

This paper is organized as follows. Section II describes our system model and standing assumptions. Section III introduces the model randomization approach to parameter privacy. Section IV investigates the structure of the nonlinear transformation in special cases. Section V presents the numerical results followed by the concluding remarks in Section VI.

May 25, 2021 DRAFT 5

Fig. 1. The information sharing with an untrusted user via a privacy filter.

2.5

2

1.5

1

0.5

0 10 20 30 40 50 60 70 80 90 100

Fig. 2. Estimates of occupancy (Θ) as a function of time for different levels of occupancy.

II.PROBLEM FORMULATION

A. System Model and Objectives

Consider a sensor that measures the stochastic process Yk over the time-horizon k = 1,...,T  1 d> where Yk = Yk ,...,Yk is a d-dimensional random vector. We assume that the joint p.d.f. of the measurements over the time-horizon 1,...,T is parameterized by Θ which takes values in

Θ = {θ1, . . . , θm} with probability mass function Pr (Θ = θi) = pi. The value of the parameter T Θ is fixed during the time-horizon k = 1,...,T . The joint p.d.f. of {Yk}k=1 is denoted by pθi (y1, . . . , yT ) when Θ is equal to θi. We refer to pθ (y1, . . . , yT ) as the of the measurements which belongs to the family of p.d.f.s

M = {pθ (y1, . . . , yT )}θ .

May 25, 2021 DRAFT 6

We assume that Θ carries private information and the sensor sequentially communicates its measurements with an untrusted party, hereafter named the “user”, for monitoring, control or storage purposes. Directly revealing the measurements to the user will result in the loss of private information since the true value of Θ can be inferred from the measurements. A common approach for ensuring privacy is to use a privacy filter that mediates the information sharing between the sensor and user as shown in Fig. 1. In this paper, we develop a privacy filter design framework that achieves the following three objectives: 1) It ensures that the output of the privacy filter accurately represents the sensor measurements. 2) It guarantees that an adversary with access to the output of the privacy filter cannot reliably infer the value of Θ. 3) The joint p.d.f. of the output of the privacy filter belongs to the family of distributions M. In general, the output distribution of a privacy filter might be arbitrarily complex. Objective 3 avoids this situation by ensuring that the joint p.d.f. of the privacy filter’s output belongs to the same family of distributions as that of the measurements. This is especially important when the filter’s output is used to perform computations, such as filtering, whose complexity depends on the underlying distribution of the . Note that adding noise to the measurements may not ensure the privacy of the parameter Θ.

To highlight this point, assume that the Yk’s are i.i.d. according to a Gaussian distribution with ˜ mean Θ and unit . Let Yk = Yk + Nk denote the shared information with the user where

{Nk}k is a sequence of zero mean independent and identically distributed random variables. Using the law of large numbers, we have

T 1 X Y˜ → Θ T k k=1 almost surely as T tends to infinity, which indicates that the user can reliably estimate the private parameter when T is large. Hence, the noise addition mechanism does not ensure the privacy of Θ. In this example, the statistical model of the measurements belongs to the family of distributions   1 1 (x−θ)2 M = √ e 2 2π θ∈R where θ takes values in the set of real numbers. If the additive noise terms Nks are Laplacian

May 25, 2021 DRAFT 7

distributed [24], objective 3 is not satisfied and the p.d.f. of the shared information with the user becomes intractable. Remark 1: Although, we assume that Θ is fixed, our results can be easily extended to the case

that Θ is time-varying, e.g., when the private parameter is given by Θ = [Θ1,..., ΘT ] where Θk

is the parameter that characterizes the conditional distribution of Yk given Y1,...,Yk−1.

B. Motivating Example: Building Automation

Consider a building automation application in which a sensor measures the CO2 level of a

room over the time horizon k = 1,...,T . The response of CO2 concentration to the presence of humans can be modeled as

Xk+1 = aXk + Wk + bΘ

Yk = Xk + Vk

where a ∈ (0, 1) and b are constants, Xk denotes the CO2 level at time-step k, Yk represents the

sensor measurement, Wk denotes the external disturbance, Vk denotes the measurement noise and Θ ∈ {0,...,L} denotes the occupancy level of the room, i.e., Θ = i indicates that there are i persons in the room during the horizon k = 1,...,T . In building automation, it is common to transmit the sensor measurements over communication networks for control or monitoring purposes. Note that Θ is the private statistical parameter of the T shared information {Yk}k=1. When the CO2 measurements are accessible by untrusted parties, e.g., a hacker or a “cloud”, the occupancy level, which carries private information, can be inferred from the measurements.

We examine the privacy of the occupancy information in two cases: (i) when CO2 measure- ments are directly shared with the user, (ii) when a noise addition mechanism is employed to ensure occupancy privacy. To this end, we first construct an estimator of the occupancy level ˜ based on the shared information with the user. Let Yk denote the shared information at time-step ¯ ¯ k and define the averages Yk and Yk as

k ¯ 1 X ˜ Yk = Yi (1) Th i=k−(Th−1) k−1 ¯ 1 X ˜ Yk = Yi Th i=k−Th

May 25, 2021 DRAFT 8

ˆ for k ≥ Th + 1 where Th is the window size. Let Θk denote the estimator of occupancy based ˜ ˜ on the shared information up to time-step k, Y1,..., Yk, which is defined as

Y¯ − Y¯ Θˆ = k k . (2) k a

Fig. 2 shows the output of the occupancy estimator, as a function of time, when the true occupancy level is equal to 1 or 2. The solid lines in Fig. 2 show the occupancy estimates when ˜ the estimator has access to the CO2 measurements, i.e., Yk = Yk. The dashed lines in this figure represent the occupancy estimates under a noise addition privacy mechanism wherein Gaussian ˜ noise is added to the measurements. In this case, the estimator has access to Yk = Yk + Nk

where {Nk}k is a sequence of independent and identically distributed (i.i.d.) Gaussian random

variables with zero mean and unit variance. In our simulations, {Wk,Vk}k is assumed to be a sequence of i.i.d. Gaussian random variables with zero mean and variance 0.1. According to Fig. 2, the occupancy estimator in (2) can reliably infer the occupancy level even if the noise addition privacy mechanism is employed. This observation confirms that directly sharing sensor measurements with an entrusted party might result in the loss of private information. Moreover, based on Fig. 2, noise addition mechanisms may not be capable of ensuring statistical parameter privacy.

C. Notations and Assumptions

The shorthand notation Y1:k is used to represent the sequence of random variables Y1,...,Yk. 1:l The realization of Y1:k is denoted by y1:k. The shorthand notation Yk denotes the collection of l the first l components of Yk. The lth component of Yk is denoted by Yk . When Θ is equal to

θ, the joint p.d.f. of Y1:k is denoted by pθ (y1, . . . , yk) which is assumed to be non-zero almost everywhere in Rk×d. l  1:l−1 1:l−1 The conditional p.d.f. of Yk given Yk = yk ,Y1:k−1 = y1:k−1, Θ = θi is represented by

1:l−1  pθi x yk , y1:k−1 ,

where its corresponding cumulative distribution function (c.d.f.) is assumed to be absolutely l continuous with respect to the Lebesgue measure. The conditional c.d.f. of Yk given

May 25, 2021 DRAFT 9

 1:l−1 1:l−1 Yk = yk ,Y1:k−1 = y1:k−1, Θ = θi is defined as Z z 1:l−1  1:l−1  Fl,k,θi z yk , y1:k−1 = pθi x yk , y1:k−1 dx. (3) −∞

The inverse function of F · y1:l−1, y  is denoted by F −1 · y1:l−1, y . Note that, l,k,θi k 1:k−1 l,k,θi k 1:k−1 l+(k−1)d for all θi, the transformation Fl,k,θi (· |·) is a mapping from R to [0, 1] which is increasing in its first argument when its second argument is fixed. The following conventions are adopted in the rest of this paper:

1:0  F1,1,θi z yk , y1:0 = F1,1,θi (z) ,

1:l−1  1:l−1  Fl,1,θi z y1 , y1:0 = Fl,1,θi z y1 ,

1:0  F1,k,θi z yk , y1:k−1 = F1,k,θi (z |y1:k−1 ) ,

1 1:l−1  where F1,1,θi (z) is the conditional c.d.f. of Y1 given Θ = θi, Fl,1,θi z y1 is the conditional l  1:l−1 1:l−1 1 c.d.f. of Y1 given Y1 = y1 , Θ = θi and Fl,k,θi (z |y1:k−1 ) is the conditional c.d.f. of Yk

given {Y1:k−1 = y1:k−1, Θ = θi}.

III.THE MODEL RANDOMIZATION APPROACH

In this section, we discuss the model randomization framework for ensuring the statistical parameter privacy of the sensor measurements. In this framework, the privacy filter consists of two components: a randomizer and a nonlinear transformation, as shown in Fig. 3, which collectively attain the objectives 1, 2, and 3 in Section II. The randomizer takes the value of the private variable Θ as input and generates a realization of the pseudo parameter Θ˜ which remains n˜ ˜ o constant during the horizon. The pseudo parameter takes values in the set Θ˜ = θ1,..., θm˜ . ˜ At each time-step k, the nonlinear transformation generates Yk based on the sensor measurement ˜ ˜ at time-step k and the values of Θ and Θ. Then, Yk is revealed to the user. In this section, the design of the privacy filter is studied without imposing any special structure on the joint p.d.f. of the sensor measurements. We start by discussing the structure of the nonlinear transformation in the next subsection. Then, the optimal design of the randomizer is discussed, followed by the privacy analysis of Θ under the proposed framework.

May 25, 2021 DRAFT 10

Fig. 3. The structure of the proposed privacy filter.

A. Nonlinear Transformation

 1 d> Let y˜k = y˜k,..., y˜k denote the realization of the output of the privacy filter at time k. ˜ ˜ l Assuming Θ = θi and Θ = θj, the nonlinear transformation at time-step k generates y˜k, i.e., the

lth entry of y˜k, according to

l −1 l 1:l−1  y˜k = F uk y˜ , y˜1:k−1 , (4) l,k,θ˜j k

l where uk is given by

l l 1:l−1  uk = Fl,k,θi yk yk , y1:k−1 , (5)

1:l−1  l  1:l−1 1:l−1 and Fl,k,θi · yk , y1:k−1 is the c.d.f. of Yk given Yk = yk ,Y1:k−1 = y1:k−1, Θ = θi defined in (3). According to (4) and (5), the output of the privacy filter at time-step k is generated

based on the history of the measurements up to time-step k. Moreover, the lth entry of y˜k is 1:l−1 generated using its first l − 1 entries, i.e., y˜k , which implies that the entries of the filter’s output are generated sequentially. The structure of the nonlinear transformation at time-step k is illustrated in Fig. 4. The feedforward-feedback structure of the nonlinear transformation, in Fig. 4, is a unique i aspect of the proposed privacy filter. The feedforward component computes uk’s whereas the i feedback component computes y˜k’s based on the past outputs of the filter. This structure allows us to cast the proposed privacy filter as a dynamical system enabling recursive computation

of the p.d.f.s pθi (yk |y1:k−1 ) and pθj (˜yk |y˜1:k−1 ). Under the proposed scheme, pθi (yk |y1:k−1 )

and pθj (˜yk |y˜1:k−1 ) can be computed recursively over time to reduce the computational cost of generating the disguised measurements. The recursive structure significantly reduces the

May 25, 2021 DRAFT 11

Fig. 4. The structure of the nonlinear transformation at time-step k.

computational cost when the measurements are generated by a linear Gaussian system (see Subsection IV-C for more details). In certain applications, it is important to generate the disguised measurements in real-time,

i.e., y˜k must be causally generated using the sensor measurements up to time k rather than all the

sensor measurements Y1,...,YT . The recursive structure of the proposed privacy filter enables the causal (real-time) generation of the disguised measurements. The next theorem studies the joint probability density function (p.d.f.) of the output of the nonlinear transformation. Theorem 1: Consider the nonlinear transformation above and assume that the joint p.d.f. of

the measurements belongs to the family of distributions M = {pθ (y1, . . . , yT )}θ. Given Θ = θi and Θ˜ = θ˜ , the joint p.d.f. of the filter’s output is p (˜y ,..., y˜ ) for all i, j. j θ˜j 1 T Proof: See Appendix A. According to Theorem 1, the joint p.d.f. of the output of the privacy filter over the horizon 1,...,T is characterized by the value of the pseudo parameter Θ˜ rather than the value of the private parameter Θ. Moreover, the nonlinear transformation ensures that the joint p.d.f. of the filter’s output also belongs to the family of probability distributions M. Under the proposed

framework, the statistical model of the filter’s output, i.e., pθ˜ (˜y1,..., y˜T ), is randomly chosen ˜ n˜ ˜ o from the set of probability distributions {pθ˜ (˜y1,..., y˜T )}θ˜∈Θ˜ where Θ = θ1,..., θm˜ is the support set of the randomizer’s output. Hence, we refer to this framework as the model randomization approach to the parameter privacy.

May 25, 2021 DRAFT 12

B. Randomizer ˜ n˜ ˜ o The parameter Θ is selected from the set Θ˜ = θ1,..., θm˜ using a randomized mapping. ˜ More precisely, given Θ = θi, the value of Θ is randomly generated according to  ˜  θ1 w.p. P1i,  ˜ . . Θ = . . if Θ = θi   ˜  θm˜ w.p. Pmi˜ ,

P ˜ where j Pji = 1 for all i. Thus, the randomizer with probability Pji selects θj as the value ˜ of Θ when Θ is equal to θi. The set of randomization probabilities {Pji}ji are designed such that the accuracy of the output of the privacy filter is maximized and simultaneously a desired privacy level is achieved. Due to the nonlinear transformation, the output of the privacy filter might be different from its input. To quantify the difference between the input and the output of the filter, we define the ˜ average distortion between Y1:T and Y1:T as

T 1 X h  i E d Y , Y˜ T k k k=1

d d where the distortion function d (·, ·): R × R → R+ captures the deviation of the output of the privacy filter from its input. We consider the mutual information between the private parameter and pseudo parameter as h i the privacy metric. Let I Θ; Θ˜ denote the mutual information between Θ and Θ˜ which can be written as

h i I Θ; Θ˜  ˜ ˜  Pr Θ = θi, Θ = θj X  ˜ ˜  = Pr Θ = θi, Θ = θj log .  ˜ ˜  i,j Pr (Θ = θi) Pr Θ = θj

h i Note that I Θ; Θ˜ captures the amount of information that can be inferred about the private parameter by observing the pseudo parameter. When the mutual information between Θ and Θ˜ is zero, the pseudo parameter has no information about the private parameter. Also, the mutual information between Θ and Θ˜ achieves its maximum level when Θ can be correctly inferred by h i observing Θ˜ . Thus, a relatively large level of I Θ; Θ˜ indicates that Θ can be reliably inferred

May 25, 2021 DRAFT 13 from Θ˜ . The optimal randomization probabilities are obtained by minimizing the average distortion subject to a privacy constraint. More precisely, the optimal randomization probabilities are the solution of the following optimization problem

T 1 X h  ˜ i minimize E d Yk, Yk {Pji} T j,i k=1

Pji ≥ 0, ∀i, j X Pji = 1, ∀i j h ˜ i I Θ; Θ ≤ I0. (6) where the second constraint enforces the law of total probability and the last constraint imposes an upper bound on the mutual information between the private parameter and the pseudo parameter. We refer to the last constraint as the privacy constraint since it limits the amount of information ˜ that can be inferred about Θ based on Θ. In what follows, we refer to I0 as the leakage level of private information. Next theorem investigates the structural properties of the optimization problem (6). Theorem 2: The objective function in (6) is linear in the randomization probabilities. Also, the privacy constraint is a convex constraint. Proof: See Appendix C. Theorem 2 shows that the optimization problem (6) is a convex optimization problem. Hence, the optimal randomization probabilities can be computed efficiently. Remark 2: In practice, the elements of Θ˜ can be selected using a nested optimization problem where the optimal elements of Θ˜ and the optimal randomization probabilities are computed recursively such that the total distortion is minimized while the privacy constraint is met. Although this results in a non-convex optimization problem, one can obtain a locally optimal solution by alternating between the nested optimization problems. Remark 3: It may not be always possible to find a closed-form expression for the total distortion due to the structure of the distortion function and the distribution of the sensor measurements. However, it is straightforward to approximate the total distortion accurately using Monte-Carlo simulations.

May 25, 2021 DRAFT 14

C. Privacy level of Θ

In this subsection, we study the privacy level of the parameter Θ under the proposed frame- ˆ  ˜  work. To this end, let Θ Y1:T denote an arbitrary estimator of Θ, based on the output of the privacy filter over the horizon 1,...,T , which is defined as a mapping from RT ×d to

Θ = {θ1, . . . , θm}. Next theorem establishes a lower bound on the error probability of the ˆ  ˜  estimator Θ Y1:T .  ˆ  ˜  ˆ  ˜  Theorem 3: Let Pr Θ 6= Θ Y1:T denote the error probability of the estimator Θ Y1:T . Then, we have

   H [Θ] − I − 1 Pr Θ 6= Θˆ Y˜ ≥ 0 , 1:T log |Θ|

where H [Θ] is the discrete entropy of Θ, I0 is the leakage level of private information in (6) and |Θ| denotes the cardinality of the set Θ. Proof: See Appendix D. According to Theorem 3, the error probability of any estimator of the private parameter based

on the output of the privacy filter is limited by the leakage level of private information I0. The lower bound in Theorem (3) increases as the leakage level of private information becomes small.

Thus, for a relatively small value of I0, no estimator can reliably infer the private parameter Θ which implies that the proposed framework is capable of ensuring the privacy of Θ. ˜ In Appendix D, we show that the mutual information between Θ and Y1:T can be upper bounded as

h ˜ i h ˜ i I Θ; Y1:T ≤ I Θ; Θ . (7)

h ˜ i Note that I Θ; Y1:T quantifies the amount of information that can be inferred about Θ by ˜ observing Y1:T . Thus, the inequality above implies that the leakage of information about the private parameter via the output of the privacy filter is limited by the mutual information between the input and the output of the randomizer. Hence, the upper bound on the mutual information between Θ and Θ˜ in (6) ensures the privacy of Θ. ˜ ˜ Remark 4: To prove Theorem 3, we first show that the Markov chain Θ −→ Θ −→ Y1:T holds (see Appendix A for more details). This Markov chain along with the data processing inequality [25] allow us to establish the inequality in (7). Finally, the lower bound in Theorem 3 is obtained by combining Fano’s inequality with the inequality (7).

May 25, 2021 DRAFT 15

IV. SPECIAL CASES

In section III, we studied the structure of the nonlinear transformation without imposing any restriction on the joint probability density function (p.d.f.) of the measurements. In this section, we study the structure of the nonlinear transformation in the special cases of independent and identically distributed (i.i.d.), Markovian and Gauss-Markov measurements.

A. Independent and Identically Distributed Measurements

In this subsection, we assume that Y1,...,YT is a sequence of independent and identically 1 d distributed (i.i.d.) random variables with the common p.d.f. pθi y , . . . , y when Θ is equal to ˜ ˜ l θi. Given Θ = θi and Θ = θj, the privacy filter at time-step k generates yk according to

l −1 l 1:l−1  y˜k = F uk y˜ , l,θ˜j k l l 1:l−1  uk = Fl,θi yk yk ,

where

Z z 1:l−1  l 1:l−1  l Fl,θi z yk = pθi y yk dy . −∞ ˜ Note that Yk is generated only using Yk when the measurements are independent and identically distributed.

B. Markovian Measurements

When measurements are Markovian, the conditional joint p.d.f. of Y1,...,YT given Θ = θi factorizes as

T −1 Y pθi (y1, . . . , yT ) = p1,θi (y1) pk+1,θi (yk+1 |yk ) . k=1

l In this case, the privacy filter at time-step k generates y˜k according to

l −1 l 1:l−1  y˜k = F uk y˜ , y˜k−1 , l,k,θ˜j k l l 1:l−1  uk = Fl,k,θi yk yk , yk−1 ,

May 25, 2021 DRAFT 16

where

Z z 1:l−1  l 1:l−1  l Fl,k,θi z yk , yk−1 = pk,θi y yk , yk−1 dy . −∞ ˜ Note that, different from the general case, Yk is generated using Yk−1 and Yk in the Markovian case.

C. Gauss-Markov Measurements

Given Θ = θi in the Gauss-Markov case, the measurements are generated by the following model:

Xk+1 = AiXk + Wk

Yk = CiXk + Vk, (8)

where {Wk}k and {Vk}k are sequences of i.i.d. zero mean Gaussian random vectors with the i i matrices Qw and Qv, respectively. We assume that X0 is a zero mean Gaussian i random vector with the Q0. We also assume {Wk}k and {Vk}k are mutually independent and X0 is independent of {Wk,Vk}k. For all i, we assume that Ai is Schur stable, i i i (Ai,Ci) is observable and the matrices Qw,Qv,Q0 are positive definite. i i i In the Gauss-Markov case, the parameter θi = (Ai,Ci,Qw,Qv,Q0) characterizes the joint ˜ ˜ j j j  p.d.f. of the measurements. Given Θ = θj = Aj,Cj,Qw,Qv,Q0 , the objective of the nonlinear ˜ ˜ transformation is to sequentially generate Y1,..., YT such that their joint p.d.f. is the same as the joint p.d.f. of a sequence generated by a Gauss-Markov model with the parameters j j j  Aj,Cj,Qw,Qv,Q0 . Before proceeding with the structure of the nonlinear transformation in the Gauss-Markov case, we introduce the structure of the optimal output predictor of the model in (8). Let xˆk|k denote the Kalman estimate of Xk based on {Y1 = y1,...,Yk = yk, Θ = θi} which is given by i (9) with xˆ1|0 = 0 where Σk|k−1 is the one-step ahead prediction error covariance which satisfies the algebraic Riccati recursion in (10). Let yˆk|k−1 denote the one-step ahead Kalman predictor of Yk based on {Y1 = y1,...,Yk−1 = yk−1, Θ = θi} which is given by

yˆk|k−1 = Cixˆk|k−1 ,

May 25, 2021 DRAFT 17

i > i > i −1  xˆk|k =x ˆk|k−1 + Σk|k−1 Ci CiΣk|k−1 Ci + Qv yk − Cixˆk|k−1 .

xˆk|k−1 = Aixˆk−1|k−1 . (9)

i i > i i > i > i −1 i > Σk+1|k = AiΣk|k−1 Ai + Qw − AiΣk|k−1 Ci CiΣk|k−1 Ci + Qv CiΣk|k−1 Ai . (10)

y˜ˆk|k−1 = Cjx˜ˆk|k−1 ,  −1   ˆ ˆ j > j > j ˆ x˜k|k = x˜k|k−1 + Σk|k−1 Cj CjΣk|k−1 Cj + Qv y˜k − Cjx˜k|k−1 .

x˜ˆk|k−1 = Ajx˜ˆk−1|k−1 . (11)

−1 j j > j j >  j > j  j > Σk+1|k = AjΣk|k−1 Aj + Qw − AjΣk|k−1 Cj CjΣk|k−1 Cj + Qv CjΣk|k−1 Aj . (12)

o,i with the output prediction error covariance matrix Σk|k−1 defined as

o,i i > i Σk|k−1 = CiΣk|k−1 Ci + Qv.

The next lemma studies the p.d.f. of the lth component of Yk given  1:l−1 1:l−1 Yk = yk ,Y1:k−1 = y1:k−1, Θ = θi . This result will be used to study the structure of the nonlinear transformation in the Gauss-Markov case. l  1:l−1 1:l−1 Lemma 1: The conditional p.d.f. of Yk given Yk = yk ,Y1:k−1 = y1:k−1, Θ = θi is a li l,i Gaussian p.d.f. with mean µˆk and variance σk given by

−1 l,i l l,i h o,i i  1:l−1 1:l−1  µˆk =y ˆk|k−1 − ∆k Σk|k−1 yk − yˆk|k−1 l−1 −1 > l,i l,o,i l,i h o,i i  l,i σk = Σk|k−1 − ∆k Σk|k−1 ∆k . (13) l−1

l 1:l−1 where yˆk|k−1 is the lth element of yˆk|k−1 , yˆk|k−1 is the vector of the first l−1 elements of yˆk|k−1 , h o,i i Σk|k−1 is a matrix formed by the elements in the first l − 1 rows and the first l − 1 columns l−1 −1 o,i h o,i i l,o,i o,i l,i of Σk|k−1 with Σk|k−1 = 0, Σk|k−1 is the lth diagonal entry of Σk|k−1 and ∆k is the vector 0 o,i of the first l − 1 elements in the lth row of Σk|k−1 . Proof: See Appendix E. l,i Lemma 1 implies that µˆk is the minimum mean square error (MMSE) predictor of Yk given  1:l−1 1:l−1 l,i l,i Yk = yk ,Y1:k−1 = y1:k−1, Θ = θi and σk is the error variance associated with µˆk . The next theorem studies the structure of the nonlinear transformation in the Gauss-Markov case.

May 25, 2021 DRAFT 18

˜ ˜ Theorem 4: Consider the Gauss-Markov model with Θ = θi and Θ = θj. Then, for 1 ≤ l ≤ d, ˜ l the lth component of the Yk is generated according to

l −1  l l,j l,j y˜k = F uk, µˆk , σk

l  l l,i l,i uk = F yk, µˆk , σk ,

where F (·, µ,ˆ σ) is the cumulative distribution function of a Gaussian random variable with −1 ˆ o,j mean µˆ and variance σ, F (·, µ,ˆ σ) is the inverse function of F (·, µ,ˆ σ), y˜k|k−1 and Σk|k−1 ˆ l,i l,i l,j l,j are given by (11) and (12) with x˜1|0 = 0, µˆk and σk are defined in (13), and σk and µˆk are defined in a similar way. l Proof: According to Lemma 1, the conditional p.d.f. of Yk given  1:l−1 1:l−1 li l,i Yk = yk ,Y1:k−1 = y1:k−1, Θ = θi is a Gaussian p.d.f. with mean µˆk and variance σk . Thus, we have

1 li 2 − l,i (x−µˆk ) 1:l−1 1 2σ  k pθi x yk , y1:k−1 = e . q l,i 2πσk

1:l−1   l,i l,i This implies that Fl,k,θi z yk , y1:k−1 = F z, µˆk , σk where F (·, µ,ˆ σ) is the cumulative distribution function of a Gaussian random variable with mean µˆ and variance σ. Using a −1 1:l−1  −1  l,j l,j similar argument, it is straightforward to show F z y˜ , y˜1:k−1 = F z, µˆ , σ l,k,θ˜j k k k where F −1 (·, µ,ˆ σ) is the inverse function of F (·, µ,ˆ σ). Using these observations and Theorem l 1, y˜k, in the Gauss-Markov case, is generated according to

l −1  l l,j l,j y˜k = F uk, µˆk , σk ,

l  l l,i l,i uk = F yk, µˆk , σk ,

which completes the proof. According to Theorem 4, the structure of the nonlinear transformation in the Gauss-Markov case is characterized by two types of predictors: one-step ahead Kalman predictors and one-

component ahead predictors. At time-step k, the Kalman predictors compute yˆk|k−1 and y˜ˆk|k−1 which, respectively, are the optimal prediction of Yk given {Y1:k−1 = y1:k−1, Θ = θi} and the ˜ n ˜ ˜ ˜ o optimal prediction of Yk given Y1:k−1 =y ˜1:k−1, Θ = θj . At time-step k, the optimal one- l,i l,j component ahead predictors use yˆk|k−1 and y˜ˆk|k−1 to compute µˆ and µˆ which are the MMSE l  1:l−1 1:l−1 prediction of Yk given Yk = yk ,Y1:k−1 = y1:k−1, Θ = θi and the MMSE prediction of

May 25, 2021 DRAFT 19

Fig. 5. The structure of the nonlinear transformation in the Gauss-Markov case.

n o ˜ l ˜ 1:l−1 1:l−1 ˜ ˜ ˜ Yk given Yk =y ˜k , Y1:k−1 =y ˜1:k−1, Θ = θj , respectively. The outputs of these predictors are used to compute the parameters of the nonlinear transformation in the Gauss-Markov case as shown in Fig. 5. Remark 5: The Kalman predictors significantly reduce the computational complexity of gen- erating the disguised measurements. In the Gauss-Markov case, the proposed filtering scheme requires the conditional p.d.f.s pθi (yk |y1:k−1 ) and pθi (˜yk |y˜1:k−1 ) which can be computed (re- cursively) with low computational costs using the filtering equations in (9)-(12). Note that the direct computation of these p.d.f.s becomes prohibitive when k is large.

V. NUMERICAL RESULTS

In this section, we numerically evaluate the performance of the proposed framework in ensuring the occupancy privacy of the CO2 measurements in a building automation application. To this end, let Yk denote the CO2 measurement inside a room at time-step k which evolves according

May 25, 2021 DRAFT 20

to

Xk+1 = 0.95Xk + Wk + 10Θ,

Yk = Xk + Vk,

where Θ denotes the number of occupants in the room, {Wk,Vk}k is a sequence of i.i.d. Gaussian −1 random variables with zero mean and variance 10 and X0 is a Gaussian random variable, independent of {Wk,Vk}k, with mean 100 and variance 1. The occupancy parameter Θ is assumed to take values in {0, 1} with the probabilities Pr (Θ = 1) = Pr (Θ = 0) = 0.5. We also assume that the pseudo occupancy parameter Θ˜ takes values in {0, 0.2, 0.4, 0.6, 0.8, 1}. The horizon length T was set to 50 in our simulations. Fig. 6 shows the percentage of the relative distortion, due to the privacy filter, as a function of the leakage level of private information I0. The relative distortion is defined as the ratio of the average distortion between the input and output of the filter over the average CO2. According to Fig. 6, the relative distortion increases as the leakage of private information becomes small since the privacy constraint in (6) becomes tight in this case. The maximum distortion and maximum privacy level are achieved when leakage of private information is equal to zero. Note that Θ ˜ and Θ are independent when I0 = 0 which results in a high level of relative distortion. The minimum distortion and minimum privacy levels are achieved for I0 = 0.69. In this case, the privacy constraint is relaxed and however Θ can be correctly inferred from Θ˜ . ˜ To study the performance of an adversary in estimating the occupancy using Yk, we consider the following estimator of the occupancy

  Y¯ − Y¯ ˆ ˜ Θ Y = arg min − θ , θ∈{0,1} 0.95 where Y¯ and Y¯ are given by

50 1 X Y¯ = Y˜ , 10 i i=41 49 1 X Y¯ = Y˜ . 10 i i=40 Fig. 7 shows the error probability of the proposed occupancy estimator as a function of the leakage level of private information I0. Based on this figure, the proposed estimator can reliably

May 25, 2021 DRAFT 21

35

30

25

20

15

10

5

0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7

Fig. 6. The percentage of relative distortion versus the leakage level of private information I0.

100

10-1

-2

r 10 P

10-3

0.1 0.2 0.3 0.4 0.5 0.6 0.7

Fig. 7. The error probability of the occupancy estimator versus the leakage level of private information I0.

estimate the occupancy information when the leakage of private information is high. However, as

I0 decreases from 0.68 to 0.3, the performance of the occupancy estimator degrades by more than two orders of magnitude while the distortion due to the privacy filter at I0 = 0.3 is approximately 0.8 percent. This is due to the fact that the output of the filter ceases to be a reliable source of information for estimating the occupancy as the leakage of private information decreases.

May 25, 2021 DRAFT 22

Fig. 8. Realizations of the true and disguised sensor measurements as a function of time for Θ = 1, and Θ˜ = 0.6.

1.2

1

0.8

0.6

0.4

0.2

0 10 20 30 40 50 60 70 80 90 100

Fig. 9. The output of the occupancy estimator, based on the disguised measurements, as a function of time.

Fig. 8 shows realizations of the true and disguised sensor measurements as a function of time for Θ = 1 and Θ˜ = 0.6. According to this figure, the privacy filter results in a certain level of distortion between the true and disguised measurements. Fig. 9 shows the output of the occupancy estimator in (2) when the output of the nonlinear transformation is used as the input to the estimator. According to this figure, the occupancy estimator cannot accurately infer the occupancy based on the disguised measurements.

May 25, 2021 DRAFT 23

VI.CONCLUSIONS

In this paper, we proposed a privacy filter design framework to ensure the statistical parameter privacy of a sequence of sensor measurements. Under the proposed framework, the privacy filter has two components: a randomizer and a nonlinear transformation. The optimal design of randomizer was studied under a privacy constraint and it was shown than the optimal randomizer is the solution of a convex optimization problem. The privacy level of the proposed framework was examined using information-theoretic inequalities. We also studied the structure of the nonlinear transformation in special cases. An important direction for our future research is to investigate the optimal design of the ran- domization probabilities and nonlinear transformation for the privacy-aware closed-loop control problem. The optimal design of the randomizer when the private parameter is time-varying and the randomizer has the causal knowledge of the private parameter is another important avenue for our future work.

APPENDIX A

PROOFOF THEOREM 1 ˜ ˜ To prove this result, we first show that the Markov chain Θ −→ Θ −→ Y1:T holds. To this ˜ l end, we derive an expression for the conditional p.d.f. of Yk given the event n o ˜ 1:l−1 1:l−1 ˜ ˜ ˜ Yk =y ˜k , Y1:k−1 =y ˜1:k−1, Θ = θi, Θ = θj in the next lemma.   l 1:l−1 ˜ ˜ ˜ l Lemma 2: Let p ˜ l y˜ y˜ , y˜1:k−1, Θ = θi, Θ = θj denote the conditional p.d.f. of Y given Yk k k k n o ˜ 1:l−1 1:l−1 ˜ ˜ ˜ the event Yk =y ˜k , Y1:k−1 =y ˜1:k−1, Θ = θi, Θ = θj . Then, we have   l 1:l−1 ˜ ˜ p ˜ l y˜k y˜ , y˜1:k−1, Θ = θi, Θ = θj Yk k = p y˜l y˜1:l−1, y˜  , θ˜j k k 1:k−1 where p y˜l y˜1:l−1, y˜  is obtained from p (˜y ,..., y˜ ) using the Bayes’ rule and marginal- θ˜j k k 1:k−1 θ˜j 1 T ization. Proof: See Appendix B  ˜ ˜  ˜ n ˜ ˜ o Let p ˜ y˜1:T Θ = θi, Θ = θj denote the conditional p.d.f. of Y1:T given Θ = θi, Θ = θj Y1:T which can be written as (14) where (a) and (c) follow from the Bayes’ rule and (b) follows from

May 25, 2021 DRAFT 24

  T d   ˜ ˜ (a) Y Y l 1:l−1 ˜ ˜ p ˜ y˜1:T Θ = θi, Θ = θj = p ˜ l y˜k y˜ , y˜1:k−1, Θ = θi, Θ = θj Y1:T Yk k k=1 l=1 T d (b) Y Y = p y˜l y˜1:l−1, y˜  θ˜j k 1:k−1 k=1 l=1 (c) = p (˜y ,..., y˜ ) . (14) θ˜j 1 T

˜ ˜ ˜ Lemma 2. This implies that the conditional p.d.f. of Y1,..., YT given Θ and Θ only depends on ˜ ˜ ˜ Θ. Thus, the following Markov chain holds Θ −→ Θ −→ Y1:T and, for all i, j, we have

 ˜ ˜   ˜ ˜  p ˜ y˜1:T Θ = θj = p ˜ y˜1:T Θ = θi, Θ = θj Y1:T Y1:T = p (˜y ,..., y˜ ) , θ˜j 1 T which completes the proof.

APPENDIX B

PROOFOF LEMMA 2

˜ l Note that the conditional cumulative distribution function of Yk given the event n o ˜ 1:l−1 1:l−1 ˜ ˜ ˜ Yk =y ˜k , Y1:k−1 =y ˜1:k−1, Θ = θi, Θ = θj can be written as (15) where (a) follows from ˜ l the definition of Yk :   ˜ l −1 l ˜ 1:l−1 ˜ Yk = F ˜ Uk Y , Y1:k−1 l,k,θj k l l 1:l−1  Uk = Fl,k,θi Yk Yk ,Y1:k−1 and (b) follows from the fact that F (· |·) is invertible with respect to its first argument. l,k,θ˜j n o l ˜ 1:l−1 1:l−1 ˜ ˜ ˜ We next show that Uk given Yk =y ˜k , Y1:k−1 =y ˜1:k−1, Θ = θi, Θ = θj is a uniformly distributed random variable. To this end, let z denote a real number from the interval [0, 1]. 1:l−1 Then, we have (16) where (a) follows from the fact that yk , y1:k can be uniquely obtained 1:l−1 from y˜k , y˜1:k since each nonlinear mapping Fl,k,θ (· |·) is invertible with respect to its first ˜ 1:l−1  l argument and (b) follows from the Markov chain Θ −→ Θ,Yk ,Y1:k −→ Yk .

May 25, 2021 DRAFT 25

    ˜ l l 1:l−1 ˜ ˜ (a) −1 l 1:l−1  l 1:l−1 ˜ ˜ Pr Yk ≤ y˜k y˜ , y˜1:k−1, Θ = θi, Θ = θj = Pr F ˜ Uk y˜ , y˜1:k−1 ≤ y˜k y˜ , y˜1:k−1, Θ = θi, Θ = θj k l,k,θj k k   (b) l l 1:l−1  1:l−1 ˜ ˜ = Pr U ≤ F ˜ y˜ y˜ , y˜1:k−1 y˜ , y˜1:k−1, Θ = θi, Θ = θj k l,k,θj k k k (15)

  (a)   Pr U l ≤ z y˜1:l−1, y˜ , Θ = θ , Θ˜ = θ˜ = Pr Y l ≤ F −1 z| y1:l−1, y  y1:l−1, y , Θ = θ , Θ˜ = θ˜ k k 1:k−1 i j k θi k 1:k−1 k 1:k−1 i j

(b) = F F −1 z| y1:l−1, y  y1:l−1, y  θi θi k 1:k−1 k 1:k−1 = z (16)

Combining (15) and (16), we have

  Pr Y˜ l ≤ y˜l y˜1:l−1, y˜ , Θ = θ , Θ˜ = θ˜ k k k 1:k−1 i j = F y˜l y˜1:l−1, y˜  l,k,θ˜j k k 1:k−1

˜ l which implies that the conditional p.d.f. of Yk given the event n o Y˜ 1:l−1 =y ˜1:l−1, Y˜ =y ˜ , Θ = θ , Θ˜ = θ˜ is given by p y˜l y˜1:l−1, y˜ . k k 1:k−1 1:k−1 i j θ˜j k k 1:k

APPENDIX C

PROOFOF THEOREM 2

The objective function in (6) can be written as

T 1 X h  i E d Y , Y˜ T k k k=1 T 1 X X h   i = E d Y , Y˜ Θ = θ , Θ˜ = θ˜ P Pr (Θ = θ ) T k k i j ji i k=1 i,j T 1 X X h   i = E d Y , Φ Y , θ , θ˜ P p T k k 1:k i j ji i k=1 i,j T 1 X X   = L θ , θ˜ P p , (17) T k i j ji i k=1 i,j

 ˜ ˜  ˜  where Φk ·, θ, θ is the vector-valued transformation that generates Yk using Y1:k, Θ, Θ  ˜  h   ˜ i and Lk θi, θj = E d Yk, Φk Y1:k, θi, θj . Thus, the objective function is linear in the

May 25, 2021 DRAFT 26

randomization probabilities. Also, it can be shown that the privacy constraint is convex in the optimization variables [25]. Thus, the optimization problem in (6) is convex.

APPENDIX D

PROOFOF THEOREM 3

Using Fano’s inequality [25], we can lower bound the error probability of any estimator of ˜ Θ, based on Y1:T , as h i ˜    H Θ Y1:T − 1 Pr Θ 6= Θˆ Y˜ ≥ , 1:T log |Θ| h i H [Θ] − I Θ; Y˜ − 1 (a) 1:T = , (18) log |Θ| h i ˜ ˜ where H Θ Y1:T denotes the conditional entropy of Θ given Y1:T and (a) follows from the definition of the mutual information. In Appendix A, we show that the following Markov chain holds

˜ ˜ Θ −→ Θ −→ Y1:T .

Hence, using the data processing inequality [25], we have

h ˜ i h ˜ i I Θ; Y1:T ≤ I Θ; Θ . (19)

Combining (19) and (18), we have

h ˜ i    H [Θ] − I Θ; Θ − 1 Pr Θ 6= Θˆ Y˜ ≥ 1:T log |Θ| (a) H [Θ] − I − 1 ≥ 0 log |Θ|

where (a) follows from the fact that the mutual information between the private parameter and the pseudo parameter is upper bounded by the leakage level of private information in (6).

May 25, 2021 DRAFT 27

APPENDIX E

PROOFOF LEMMA 2

Note that the distribution of Yk given {Y1:k−1 = y1:k−1, Θ = θi} is Gaussian with mean yˆk|k−1 o,i and covariance Σk|k−1 where

yˆk|k−1 = E [Yk| y1:k−1]

= Cixˆk|k−1 ,

and

o,i h  >i Σk|k−1 = E Yk − yˆk|k−1 Yk − yˆk|k−1

i > i = CiΣk|k−1 Ci + Qv,

i where xˆk|k−1 is the optimal predictor of Xk based on {Y1:k−1 = y1:k−1, Θ = θi} and Σk|k−1 1:l is the error covariance matrix associated with xˆk|k−1 . Note that the joint p.d.f. of Yk given 1:l h o,i i {Y1:k−1 = y1:k−1, Θ = θi} is also a Gaussian distribution with mean yˆk|k−1 and covariance Σk|k−1 l h o,i i where Σk|k−1 is a matrix formed by the elements in the first l rows and the first l columns l o,i of Σk|k−1 . Thus, using the conditional distribution formula for Gaussian random variables, the l  1:l−1 1:l−1 conditional p.d.f. of Yk given Yk = yk ,Y1:k−1 = y1:k−1, Θ = θi is a Gaussian distribution l,i i,l with mean µˆlk and variance σlk where

−1 l,i l l,i h o,i i  1:l−1 1:l−1  µˆk =y ˆk|k−1 − ∆k Σk|k−1 yk − yˆk|k−1 l−1 −1 > l,i l,o,i l,i h o,i i  l,i σk = Σk|k−1 − ∆k Σk|k−1 ∆k . l−1

l,o,i o,i l,i Σk|k−1 is the lth diagonal entry of Σk|k−1 and ∆k is the vector of the first l − 1 elements in the o,i lth row of Σk|k−1 .

REFERENCES

[1] A. Ebadat, G. Bottegal, D. Varagnolo, B. Wahlberg, and K. H. Johansson, “Regularized deconvolution-based approaches for estimating room occupancies,” IEEE Transactions on Automation Science and Engineering, vol. 12, no. 4, pp. 1157–1168, Oct 2015. [2] X. He, W. P. Tay, and M. Sun, “Privacy-aware decentralized detection using linear precoding,” in 2016 IEEE Sensor Array and Multichannel Signal Processing Workshop (SAM), July 2016, pp. 1–5. [3] M. Sun and W. P. Tay, “Privacy-preserving nonparametric decentralized detection,” in 2016 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Mar. 2016, pp. 6270–6274.

May 25, 2021 DRAFT 28

[4] X. He and W. P. Tay, “Multilayer sensor network for information privacy,” in 2017 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Mar. 2017, pp. 6005–6009. [5] J. Liao, L. Sankar, V. Y. F. Tan, and F. P. Calmon, “Hypothesis testing in the high privacy limit,” in 2016 54th Annual Allerton Conference on Communication, Control, and Computing, Sept. 2016, pp. 649–656. [6] Z. Li and T. J. Oechtering, “Privacy-aware distributed bayesian detection,” IEEE Journal of Selected Topics in Signal Processing, vol. 9, no. 7, pp. 1345–1357, Oct. 2015. [7] ——, “Privacy-constrained parallel distributed neyman-pearson test,” IEEE Transactions on Signal and Information Processing over Networks, vol. 3, no. 1, pp. 77–90, Mar. 2017. [8] R. Mochaourab and T. J. Oechtering, “Private filtering for hidden Markov models,” IEEE Signal Processing Letters, vol. 25, no. 6, pp. 888–892, June 2018. [9] T. Tanaka, M. Skoglund, H. Sandberg, and K. H. Johansson, “Directed information as privacy measure in cloud-based control,” KTH Royal Institute of Technology, Sweden, Tech. Rep., 2017. [Online]. Available: https://arxiv.org/abs/1705.02802 [10] P. Venkitasubramaniam, “Privacy in stochastic control: A Markov decision process perspective,” in 2013 51st Annual Allerton Conference on Communication, Control, and Computing (Allerton), Oct 2013, pp. 381–388. [11] K. Kalantari, L. Sankar, and O. Kosut, “On information-theoretic privacy with general distortion cost functions,” in 2017 IEEE International Symposium on Information Theory (ISIT), June 2017, pp. 2865–2869. [12] Y. O. Basciftci, Y. Wang, and P. Ishwar, “On privacy-utility tradeoffs for constrained data release mechanisms,” in 2016 Information Theory and Applications Workshop (ITA), Jan. 2016, pp. 1–6. [13] F. du Pin Calmon and N. Fawaz, “Privacy against ,” in 2012 50th Annual Allerton Conference on Communication, Control, and Computing, Oct. 2012, pp. 1401–1408. [14] B. Moraffah and L. Sankar, “Information-theoretic private interactive mechanism,” in 2015 53rd Annual Allerton Conference on Communication, Control, and Computing, Sept. 2015, pp. 911–918. [15] E. Nekouei, T. Tanaka, M. Skoglund, and K. H. Johansson, “Information-theoretic approaches to privacy in estimation and control,” Annual Reviews in Control, vol. 47, pp. 412 – 422, 2019. [16] J. L. Ny and G. J. Pappas, “Differentially private filtering,” IEEE Transactions on Automatic Control, vol. 59, no. 2, pp. 341–354, Feb 2014. [17] H. Sandberg, G. Dan,´ and R. Thobaben, “Differentially private state estimation in distribution networks with smart meters,” in 2015 54th IEEE Conference on Decision and Control (CDC), Dec. 2015, pp. 4492–4498. [18] E. Nozari, P. Tallapragada, and J. Cortes,´ “Differentially private average consensus: Obstructions, trade-offs, and optimal algorithm design,” Automatica, vol. 81, pp. 221 – 231, 2017. [19] Y. Mo and R. M. Murray, “Privacy preserving average consensus,” IEEE Transactions on Automatic Control, vol. 62, no. 2, pp. 753–765, Feb 2017. [20] Y. Wang, Z. Huang, S. Mitra, and G. E. Dullerud, “Differential privacy in linear distributed control systems: Entropy minimizing mechanisms and performance tradeoffs,” IEEE Transactions on Control of Network Systems, vol. 4, no. 1, pp. 118–130, March 2017. [21] G. Bassi, M. Skoglund, and P. Piantanida, “Lossy communication subject to statistical parameter privacy,” in 2018 IEEE International Symposium on Information Theory (ISIT), June 2018, pp. 1031–1035. [22] I. Ziemann and H. Sandberg, “Parameter Privacy versus Control Performance: Fisher Information Regularized Control,” Tech. Rep., Mar. 2020. [Online]. Available: https://hal.archives-ouvertes.fr/hal-02318237 [23] G. Bassi, E. Nekouei, M. Skoglund, and K. H. Johansson, Privacy in Dynamical Systems. Springer, 2020, ch. Statistical Parameter Privacy, pp. 65–82.

May 25, 2021 DRAFT 29

[24] C. Dwork and A. Roth, The Algorithmic Foundations of Differential Privacy. Foundations and Trendsr in Theoretical Computer Science, 2014, vol. 9, no. 3-4. [25] T. M. Cover and J. A. Thomas, Elements of Information Theory. Wiley-Interscience, 2006.

Ehsan Nekouei (S’11, M’14 ) is currently an Assistant Professor with the Department of Electrical Engineering, City University of Hong Kong. From 2014 to 2019, he held postdoctoral positions at the PLACE KTH Royal Institute of Technology, Stockholm, Sweden, and The University of Melbourne, Australia. PHOTO His current research interests include privacy in networked control systems and integrated processing of HERE human decision-making data.

Henrik Sandberg (S’01–M’07) received the M.Sc. degree in engineering physics and the Ph.D. degree in automatic control from Lund University, Lund, Sweden, in 1999 and 2004, respectively. He is currently PLACE a Professor with the Department of Automatic Control, KTH Royal Institute of Technology, Stockholm, PHOTO Sweden. From 2005 to 2007, he was a Postdoctoral Scholar with the California Institute of Technology, HERE Pasadena, CA, USA. In 2013, he was a visiting scholar with the Laboratory for Information and Decision Systems (LIDS), MIT, Cambridge, MA, USA. He has also held visiting appointments at the Australian National University and the University of Melbourne, Australia. His research interests include security of cyberphysical systems, power systems, model reduction, and fundamental limitations in control. Dr. Sandberg was a recipient of the Best Student Paper Award from the IEEE Conference on Decision and Control in 2004 and an Ingvar Carlsson Award from the Swedish Foundation for Strategic Research in 2007. He has been an Associate Editor for the IFAC Journal Automatica and the IEEE TRANSACTIONS ON AUTOMATIC CONTROL.

May 25, 2021 DRAFT 30

Mikael Skoglund (S’93–M’97–SM’04-F’19) received the Ph.D. degree in information theory from the Chalmers University of Technology, Gothenburg, Sweden, in 1997. In 1997, he joined the Royal Institute PLACE of Technology (KTH), Stockholm, Sweden, where he was appointed as the Chair in Communication PHOTO Theory in 2003. At KTH, he heads the Communication Theory Division and he is also an Assistant Dean HERE in electrical engineering. He is also a founding faculty member of the ACCESS Linnaeus Center and the Director of the Center Graduate School. He has authored and co-authored more than 130 journal and 300 conference papers, and he holds six patents. His research interests include problems in source-channel coding, coding and transmission for wireless communications, communication and control, Shannon theory, and statistical signal processing. Dr. Skoglund has served on numerous technical program committees for IEEE sponsored conferences. From 2003 to 2008, he was an Associate Editor for the IEEE TRANSACTIONS ON COMMUNICATIONS, and from 2008 to 2012, he was on the editorial board of the IEEE TRANSACTIONS ON INFORMATION THEORY.

Karl Henrik Johansson (F’13) received the M.Sc. and Ph.D. degrees from Lund University, Lund, Sweden. He is the Director of the Stockholm Strategic Research Area ICT The Next Generation and PLACE a Professor with the School of Electrical Engineering and Computer Science, KTH Royal Institute of PHOTO Technology. He has held visiting positions with the University of California, Berkeley, California Institute HERE of Technology, Nanyang Technological University, HKUST Institute of Advanced Studies, and Norwegian University of Science and Technology. His research interests include networked control systems, cyber- physical systems, and applications in transportation, energy, and automation. He is a member of the IEEE Control Systems Society Board of Governors, the IFAC Executive Board, and the European Control Association Council. He has received several best paper awards and other distinctions. He has been awarded Distinguished Professor with the Swedish Research Council and Wallenberg Scholar. He is a recipient of the Future Research Leader Award from the Swedish Foundation for Strategic Research and the triennial Young Author Prize from IFAC. He is a Fellow of the Royal Swedish Academy of Engineering Sciences. He is an IEEE Distinguished Lecturer.

May 25, 2021 DRAFT