Entropy-Minimizing Mechanism for Differential ... - Semantic Scholar

53rd IEEE Conference on Decision and Control December 15-17, 2014. Los Angeles, California, USA

Entropy-minimizing Mechanism for Differential Privacy of Discrete-time Linear Feedback Systems Yu Wang, Zhenqi Huang, Sayan Mitra and Geir E. Dullerud Abstract— The concept of differential privacy stems from the study of private query of datasets. In this work, we apply this concept to metric spaces to study a mechanism that randomizes a deterministic query by adding mean-zero noise to keep differential privacy. For one-shot queries, we show that -differential privacy of an n-dimensional input implies a lower bound n − n ln(/2) on the entropy of the randomized output, and this lower bound is achieved by adding Laplacian noise. We then consider the -differential privacy of a discrete-time linear feedback system in which noise is added to the system output at each time. The adversary estimates the system states from the output history. We show that, to keep the system differentially private, the output entropy is bounded below, and this lower bound is achieves by an explicit mechanism.

I. I NTRODUCTION The concept of -differential privacy comes from the study of privacy-preserving queries of datasets [1]. To keep an entry of a dataset undetectable in general queries, the outputs of the queries should be randomized to blur the difference when the entry changes. A query Q is called -differentially private if for any two adjacent datasets D1 , D2 that differ in only one entry, we have P [Q(D1 ) ∈ O] ≤ e P [Q(D2 ) ∈ O] ,

(1)

where O is an arbitrary set of possible outputs. When it comes to dynamic systems, the quantities involved are small sets of continuous number like real vectors, instead of datasets of numerous discrete values. Therefore, norms are employed to define adjacency. The common approach is to first defining a threshold c > 0 and then calling the two states x1 , x2 ∈ Rn adjacent if kx1 − x2 k ≤ c [2], [3]. But, two weaknesses exist in this idea: the choice of c is arbitrary and the binary nature of adjacency remains. Two states x1 , x2 are not adjacent even if kx1 − x2 k − c is small but positive. On the other hand, randomizing the outputs undermines the accuracy of the query. In dynamic systems, this hinders efficient communications between system components, especially in multi-agent systems [4], [5]. Therefore, it is always desirable to find a mechanism minimizing the inaccuracy while preserving -differential privacy. Previous results show that there is trade-off between privacy and accuracy. For datasets, it has been observed that -differential privacy imposes a upper bound on the min entropy that measures the information leakage of the Yu Wang, Zhenqi Huang, Sayan Mitra and Geir E. Dullerud are with the Coordinate Science Laboratory, University of Illinois at UrbanaChampaign, Urbana, IL 61801, USA [email protected],

[email protected], [email protected], [email protected] 978-1-4673-6088-3/14/$31.00 ©2014 IEEE

queries. [6], [7]. For dynamics systems, it has been shown that, under the usual definition, -differential privacy imposes a lower bound on the variance of queries and the minimum is achieved by staircase distributions [8], [9], [10]. In this work, we study the relationship between privacy and accuracy in the framework of a discrete-time feedback control system, where accuracy is measured by Shannon entropy and a version of -differential privacy without adjacency is adopted [11] (see Section II). We first study an -differentially private noise-adding mechanism for one-shot queries that provides the best output accuracy. Then, we consider the -differential privacy of a discrete-time linear feedback system, which is characterized by the interplay of differential privacy and system dynamics. At each time, noise is added to the system outputs to keep the system states private against the adversary who has access to the system outputs. Since the system states and outputs at different time are related via the system dynamics, the adversary can filter the noise using the output history. In the sequel, the preliminaries are presented in Section II. In Section III, we prove that, for a one-shot n-dimensional input, there is a lower bound n − n ln(/2) on the entropy of the output for an -differentially private noise-adding mechanism, and the lower bound is achieved by Laplacian noise with parameter 1/. In Section IV, we introduce a discrete-time linear feedback system where the noise-adding mechanism is incorporated to keep the system states differentially private, and give the definition of -differential privacy and output entropy for the system. In Section V, we show that the -differential privacy of the system implies a lower bound on the output entropy, and give explicitly a mechanism that achieves the lower bound. Finally, we conclude this work in Section VI. II. P RELIMINARIES Denote respectively the set of natural numbers, positive integers, positive real numbers and real numbers by N, Z+ R+ and R. Let Rn and Rm×n be the set of n-dimensional real vectors and the set of m by n real matrices. Denote the positive orthant in Rn by Rn+ . In this work, scalars and vectors are in lower case; matrices are in upper case; random variables are in roman font. For n ∈ N, let [n] = [0, 1, 2, . . . , n]. For x ∈ R, denote the absolute value of x by |x|. For x ∈ Rn , denote the ith component of x by P xi ; i.e., x = (x1 , x2 , . . . , xn ). For n x, y ∈ Rn , let x · y = i=1 xi yi . For a function f , denote the image of f by Im (f ). For a real-valued function f on R,

2130

mechanism Y = M(x) is a random variable on Rn with probability density function fx (y). We call p(x, y) = fx (y) the output distribution function, which is assumed to be absolutely continuous in x and y In addition, we assume that the noise added is mean-zero; i.e., Z yp(x, y)dy = x. (7)

Noise N (x) Input x

Fig. 1.

Mechanism M

Output Y

Block Diagram for a -Differentially Private Mechanism

Rn

denote the first derivative by f 0 ; for a real-valued function on Rn , denote the gradient by ∇f . A metric space is denoted by (M, ρ (·, ·)) where ρ (·, ·) is the metric on M. Rn equipped with a norm k · k is a metric space, denoted by (Rn , k · k), where ρ (x, y) = kx − yk. In particular, the `1 -norm on Rn , which Pnwill be frequently referred to later, is defined as kxk1 = i=1 |xi |. A random variable X on R obeys Laplace distribution with parameter λ, denoted by X ∼ Lap(λ), if its probability distribution function is |x| 1 exp( ). (2) fX (x) = 2λ λ Similarly, on Rn , X ∼ Lapn (λ) if its probability distribution function is  n 1 kxk1 exp( ). (3) fX (x) = 2λ λ Let X be a random variable on Rn with probability distribution function f (x). Definition 1: The entropy of X is Z H (X) = − f (x) ln(x)dx (4) Rn

Informally speaking, the entropy is a measure of the uncertainty of a random variable, either positive or negative. Conditioning reduces entropy; for two random variables X and Y , H (X | Y ) ≤ H (X) . (5) with equality iff X and Y are independent. Suppose that we have some data x taken from a metric space (I, ρ (·, ·)). To keep the query of x private, we pass x through a mechanism M which generates a randomized output M(x). Definition 2: The mechanism is called -differentially private for given  > 0, if the inequality P [M(x1 ) ⊆ O] ≤ exp (ρ (x1 , x2 )) P [M(x2 ) ⊆ O] (6) holds for any inputs x1 , x2 and a set of possible outputs O. In this work, as shown in Figure 1, we let the metric space be a real normed space (Rn , k · k) and the mechanism M generate the randomized output by adding noise N (x). III. E NTROPY A NALYSIS FOR D IFFERENTIALLY P RIVATE O NE - SHOT Q UERIES In this section, we show that, for a single query, differential privacy implies a bound on the noise of the entropy and the bound is achieved by adding Laplacian noise. Let M be a randomizing mechanism with input set I = (Rn , k · k). For any input x ∈ Rn , the output of the

Lemma 1: A mechanism M with absolutely continuous output distribution function p(x, y) is -differentially private iff for any x ∈ Rn and unit vector n ˆ under the norm k · k, |ˆ n · ∇x p(x, y)| ≤ p(x, y)

(8)

holds for almost every y, where the gradient ∇x p(x, y) is taken for fixed y ∈ Rn . Proof: Necessity. By Definition 2, for any two inputs x1 , x2 ∈ Rn and an output set O ⊆ Rn , we have Z Z p(x2 , y)dy. (9) p(x1 , y)dy ≤ exp (kx1 − x2 k) O

O

Since p(x, y) is absolute continuous, we have p(x1 , y) ≤ exp (kx1 − x2 k) p(x2 , y) for any y ∈ Rn . Thus, exp (kx1 − x2 k) − 1 p(x1 , y) − p(x2 , y) ≤ p(x2 , y). kx1 − x2 k kx1 − x2 k (10) x1 −x2 · By letting x1 converge to x2 , we have | kx 1 −x2 k ∇x p(x2 , y)| ≤ p(x2 , y), for x almost everywhere, abbreviated as a.e. Since x1 can approach x2 in arbitrary direction, we have |ˆ n·∇x p(x2 , y)| ≤ p(x2 , y) for arbitrary unit vector n ˆ and x a.e. Sufficiency. For any two inputs x1 , x2 ∈ Rn , define g(z) = p(x2 + n ˆ z, y),

(11)

x1 −x2 where n ˆ = kx . Clearly, g(0) = p(x2 , y) and g(kx1 − 1 −x2 k x2 k) = p(x1 , y). By (8), |g 0 (z)| ≤ g(z) for z a.e. Thus,

| ln p(x1 , y)− ln p(x2 , y)| = | ln g(kx1 − x2 k) − ln g(0)| Z kx1 −x2 k 0 |g (z)| ≤ dz ≤ kx1 − x2 k g(z) 0 (12) Therefore, p(x1 , y) ≤ exp (kx1 − x2 k) p(x2 , y)

(13)

Finally, we finish the proof by integrating (13) over y on any output set O ⊆ Rn . Given mechanism M, we use the output entropy Z H (M) = sup −p(x, y) ln p(x, y)dy. (14) x∈Rn

Rn

to evaluate the accuracy of outputs. In the following, we propose several properties of a mechanism M that minimizes the output entropy H (M). Lemma 2: Given a -differentially private M with output distribution function p(x, y), we can construct an differentially private mechanism N with output probability distribution function q(x, y), such that (i) H (N ) ≤ H (M),

2131

and (ii) for any x ∈ Rn , gx (y) = q(x, y − x) is even with respect to each ym (m ∈ [n]). Proof: Without loss of generality, assume m = 1. Let Z H+ (M) = sup −p(x, y) ln p(x, y)dy, 1 x∈Rn

Z

x∈Rn

−p(x, y) ln p(x, y)dy. (−∞,x1 ]×Rn−1

(16) Define

q(x, y) =

    p(x, y)    p(x, z)

− if y1 > x1 , H+ 1 (M) ≤ H1 (M) − or y1 < x1 , H+ 1 (M) > H1 (M) , − if y1 > x1 , H+ 1 (M) > H1 (M) + − or y1 < x1 , H1 (M) ≤ H1 (M) . (17)

where ( zi = 2xi − yi , zi = yi ,

i = 1, i = 2, 3, . . . , n.

(18)

By definition, q(x, y) ≥ 0, and q(x, y) is absolute continuous. Since the noise Ris mean-zero, for any x ∈ Rn , R q(x, y)dy = 1 and Rn yq(x, y)dy = x. Noting that Rn for fixed y and any x 6= y, ∇x q(x, y) =     ∇x p(x, y)    ∇x p(x, z)

L−

[x1 ,∞)×Rn−1

(15) H− 1 (M) = sup

{x ∈ Rn | x1 < a}. Define Z + H (M) = sup −p(x, y) ln p(x, y)dy, L+ Rn Z H− (M) = sup −p(x, y) ln p(x, y)dy.

− if y1 ≥ x1 , H+ 1 (M) ≤ H1 (M) − or y1 < x1 , H+ 1 (M) > H1 (M) , + if y1 ≥ x1 , H1 (M) > H− 1 (M) + − or y1 < x1 , H1 (M) ≤ H1 (M) ,

(19)

where z is given in (18), we have |ˆ n ·∇x q(x, y)| ≤ q(x, y) for x a.e. By Lemma 1, N is a well-defined -differentially private mechanism. Finally, we finish the proof by noting that for fixed x, q(x, y − x) is even with respect to each ym (m ∈ [n]) and − H (N ) = 2 min{H+ 1 (M) , H1 (M)} − ≤ H+ 1 (M) + H1 (M) = H (M) ,

(20)

− where the equality holds iff H+ 1 (M) = H1 (M). In the following Lemma, we write p(xm , ym ) = p(x, y) for fixed {xi | i 6= m, i ∈ [n]} and {yi | i 6= m, i ∈ [n]}. Lemma 3: Given any -differentially private M with output distribution function p(x, y), we can construct an differentially private mechanism N with output probability distribution function q(x, y), such that (i) H (N ) ≤ H (M), and (ii) for any a ∈ R and m ∈ [n], fixing {xi | i 6= m, i ∈ [n]} and {yi | i 6= m, i ∈ [n]}, the equation q(xm , ym ) = q(2a − xm , 2a − ym ) holds. Proof: Without loss of generality, assume m = 1. For a ∈ R, let L+ = {x ∈ Rn | x1 ≥ a} and L− =

(21) (22)

Rn

For fixed {xi | i 6= 1, i ∈ [n]} and {yi | i 6= 1, i ∈ [n]}, if H+ (M) ≤ H− (M), then define ( p(x1 , y1 ), x1 ∈ L+ , (23) q(x1 , y1 ) = p(2a − x1 , 2a − y1 ), x1 ∈ L− , otherwise, define ( p(2a − x1 , 2a − y1 ), q(x1 , y1 ) = p(x1 , y1 ),

x1 ∈ L+ , x1 ∈ L− .

(24)

Clearly, q(x1 , y1 ) = q(2a − x1 , 2aR− y1 ). In addition, it is easy to check that q(x, y) ≥ 0, Rn q(x, y)dy = 1 and R yq(x, y)dy = x. By Lemma 2, we have p(a, y1 ) = n R p(a, 2a − y1 ), thus q(x1 , y1 ), i.e. q(x, y) is absolutely continuous and |∇x q(x, y)| = |∇x p(x, y)|. Consequently, n|ˆ n · ∇x q(x, y)| ≤ q(x, y) for x a.e. By Lemma 1, N is a well-defined -differentially private mechanism and H (N ) = min{H+ (M) , H− (M)} ≤ max{H+ (M) , H− (M)} = H (M) ,

(25)

where the equality holds iff H+ (M) = H− (M). By the above two Lemmas, we derive the following result. Lemma 4: There exists an -differentially private mechanism M, such that (i) M minimizes the output entropy H (M), and (ii) the noise added is independent of the input x ∈ Rn . Proof: Let q(x, y) = p(x, y − x). Then q(x, y) is the probability distribution function of the noise N (x) for input x. By Lemma 3, for any a ∈ R and m ∈ [n], fixing {xi | i 6= m, i ∈ [n]} and {yi | i 6= m, i ∈ [n]}, we can have q(xm , ym ) = q(2a − xm , −ym ). By Lemma 2, we can have q(xm , ym ) = q(2a − xm , −ym ) = q(2a − xm , ym ). Therefore, q(x, y) is independent of xm , hence independent of x. By Lemma 2 and Lemma 4, if a mechanism M minimizes the output entropy H (M), the output distribution function will be in the form p(x, y) = f (y − x), where f is an absolutely continuous probability distribution function. For each i ∈ [n], f is a even function with respect to xi . For now, we assume a scalar input, that is n = 1. Then the problem of minimizing (14) becomes Problem 1 (Scalar Case): Z Minimize: H(f ) = − f (x) ln f (x)dx,

2132

[0,∞)

subject to: f (x) is absolutely continuous, f (x) ≥ 0, |f 0 (x)| ≤ f (x) a.e., Z 1 f (x)dx = . 2 [0,∞)

Lemma 5: f (x) is nonincreasing if it solves Problem 1. Proof: Let f (x) be a function that solves Problem 1. Let g(x) = supy≥x f (y). Clearly, g(x) ≥ f (x) for x ≥ 0. Assume that f (x) is not non-increasing. Then for some x∗ > 0, g(x∗ ) > f (x∗ ). By continuity of f , there exists a “largest” non-empty interval (a, b) containing x∗ , on which g(x) > f (x). Note that b is finite since f (x) > 0 and limx→∞ R b f (x) = 0. In addition, g(b) = f (b). Let d = 1 f (a) a f (x)dx, then d ∈ [0, b − a). For a = 0, define ( f (b), x ∈ [0, d], (26) h(x) = f (x + b − d), x ∈ [d, ∞]. Otherwise, we have f (a) = g(a) = f (b) = g(b) and define   x ∈ [0, a], f (x), h(x) = f (b), (27) x ∈ [a, a + d],   f (x + b − a − d), x ∈ [a + d, ∞], In both cases, h(x) satisfies the constraints in Problem 1 and H(h) < H(f ). This is in contradiction with the assumption. Theorem 6: For a -differentially private mechanism M with input set I = (R, | · |), the output entropy is lower bounded by 1 − ln(/2) and the minimum is achieved by p(x, y) = 2 exp(−|y − x|). Proof: It suffices to show that in the above minimization Problem 1, H ≥ 12 − 12 ln(/2) and the minimum is achieved by f (x) = 2 exp(−x). R∞ Let F (x) = x f (y)dy. Noting that limx→∞ f (x) = 0, by the definition of -differential privacy, Z ∞ Z ∞ 0 1 |f (x)| dy ≥ | F (x) ≥ f 0 (x)dy|   x x (28) f (x) 1 = |f (∞) − f (x)| =    In particular, f (0) ≥ F (0) = 2 . In (28), the first equality holds iff |f 0 (x)| = f (x) for x a.e. The second equality holds iff f (x) is monotonous. Considering that f (x) > 0 and f (∞) = 0, f (x) is monotonously decreasing. Thus, f (x) = F (x) iff f 0 (x) = −f (x). By Lemma 5, f 0 (y) ≤ 0 a.e. Thus, Z ∞ H(f ) = − f (x) ln f (x)dx   Z0 ∞ Z x 0 f (y) =− f (x) ln f (0) + dy dx 0 0 f (y) Z  Z ∞ 0 ∞ 1 f (y) = − ln f (0) − f (x)dx dy 2 f (y) x (29) Z0 ∞ 0 1 f (y)F (y) = − ln f (0) − dy 2 f (y) Z0 ∞ 0 1 f (y) ≥ − ln f (0) − dy 2  0 f (0) 1 = − ln f (0),  2 where the equality holds iff f 0 (x) = −f (x).

1 Since f (0) ∈ (0, 2 ] and f (0)  − 2 ln f (0) is decreasing on 1 1 this interval, we have H ≥ 2 − 2 ln( 2 ). Again, the equality holds if f 0 (x) = −f (x) a.e. R Finally, by f (x) ≥ 0 and [0,∞) f (x)dx = 12 , we derive that the minimum is achieved by  (30) f (x) = exp(−x). 2

In this case, we have H(f ) = 12 − 12 ln( 2 ).R Remark 7: If we replace the restriction [0,∞) f (x)dx = R 1 c 2 in Problem 1 with [0,∞) f (x)dx = 2 where c > 0 is a real constant, then the above proof will still work. In this case, we have H ≥ 12 − 21 ln( 2 ) + 2c ln c and the minimum is achieved by f (x) = c 2 exp(−x). For multidimensional inputs, n ≥ 2, noting that we have taken the `1 -norm on Rn , the problem of minimizing (14) becomes Problem 2 (Multi-dimensional Case): Z Minimize: H(f ) = − f (x) ln f (x)dx, Rn +

subject to: f (x) is absolutely continuous, f (x) ≥ 0, ∂f (x) | ≤ f (x), ∀i ∈ [n] a.e., | Z ∂xi 1 f (x)dx = n . n 2 R+ Theorem 8: For a -differentially private mechanism M with input set I = (Rn , k · k1 ), the output entropy is lower bounded by H (M) ≥ n − n ln(/2) and the minimum is achieved by p(x, y) = ( 2 )n exp(−ky − xk1 ). Proof: It suffices to show that in the minimization Problem 2, H ≥ n2 − n2 ln(/2) and the minimum is achieved by f (x1 , x2 , . . . , xn ) = ( 2 )n exp(−(x1 + x2 + . . . + xn )). For each fixed x2 , x3 , . . . , xn , let gx2 ,x3 ,...,xn (x1 ) = f (x1 , x2 , . . . , xn ),

(31)

then we have gx2 ,x3 ,...,xn (x1 ) ≥ 0, |gx0 2 ,x3 ,...,xn (x1 )| ≤ gx2 ,x3 ,...,xn (x1 ) and Z Z H(f ) = − gx2 ,x3 ,...,xn (x1 ) Rn−1 [0,∞) (32) + ln gx2 ,x3 ,...,xn (x1 )dx1 dx2 dx3 . . . dxn . By Remark 7, to minimize H, we should have f (x1 , x2 , . . . , xn ) = gx2 ,x3 ,...,xn (x1 ) = exp(−x1 )h(x2 , x3 , . . . , xn )

(33)

where h(x2 , x3 , . . . , xn ) is some function of x2 , x3 , . . . , xn . By repeating the above argument, we derive that the minimum is achieved by f (x1 , x2 , . . . , xn ) = k exp(−(x1 + x2 + . . . + xn )) (34) R where k is some constant. Finally, by Rn f (x)dx = 21n , + we have k = ( 2 )n . In this case, the lower bound is H(f ) = n n 2 − 2 ln(/2).

2133

The system output Z(t) is accessible to the adversary. As shown in (38), due to the feedback setting, given the past history of outputs {Z(t) | t ∈ N}, we can derive the trajectory of system states {X(t) | t ∈ N} from the initial system state X(0). Therefore, protecting the -differential privacy of the initial system state is equivalent to protecting the -differential privacy of the whole system state trajectory. For t ≥ 0, the adversary A estimates the initial system state from the past history of output {Z(i) | i ∈ [t]}. The best estimation of X(0) at time t is a random variable such that ˜ X(t) = E [X(0) | Z(0), Z(1), . . . , Z(t)] . (41)

Adversary A Noise N (t) U (t) V (t) +

Plant P

X(t)

Mechanism L

Z(t)

Y (t) Controller C Fig. 2. Block Diagram for an -Differentially Private Discrete-time Linear Feedback System

IV. D IFFERENTIAL P RIVACY OF D ISCRETE - TIME L INEAR F EEDBACK S YSTEMS

˜ t. ˜ We denote the probability density function of X(t) by h Since the adversary gets cumulating outputs, the entropy of ˜ X(t) is not increasing. The mechanism L is -differentially private up to time t ∈ N, if for any pair of initial states x1 , x2 ∈ Rn , and output history {z(i) | i ∈ [t]},

In the following, we assume that the probability distribution functions exist when necessary. In [12], the authors discussed the differential privacy of a distributed control system. Here, we simplify the system to a discrete-time linear feedback system, as shown in Figure 2. The system input U (t) here corresponds to the “system preference” in the setup of [12]. In the following, we set U (t) = 0. Thus

The output entropy H (L, t) of the mechanism L at time t ∈ N is defined by

V (t) = U (t) + Y (t) = Y (t).

˜ H (L, t) = H(X(t)).

(35)

The system output V (t) is fed back to the input of the plant P through a proportional controller C. For simplicity, we assume that controller C has unit gain; that is, V (t) = Y (t) = Z(t).

where A, B ∈ Rn×n . We avoid the observability issue by letting the plant output its state. From (37), we know for t ≥ 1, t−1 X

At−i−1 BZ(i).

(38)

i=0

The state X(t) of the plant P, referred to as the system state, is passed directly to the mechanism L which generates an output Z(t), referred to as the system output, by adding a time-dependent mean-zero noise N (t), Z(t) = X(t) + N (t).

E [N (t) | X(0), N (0), N (1), . . . , N (t − 1)] = 0.

˜ t (x1 ) ≤ exp (kx1 − x2 k) h ˜ t (x2 ). h

(43)

(44)

˜ Roughly speaking, the shape of distribution of X(t) is flat enough to mask two different guesses x1 , x2 of the initial state. V. E NTROPY A NALYSIS In this section, we consider the -differentially private mechanisms and derive the one that gives the most accurate output up to time t ≥ 0; i.e., a mechanism L that minimizes the output entropy H (L, i) at each time i ∈ [t] while preserving -differential privacy. First we assume that the norm used in this section is the `1 -norm k · k1 . By combining (35) (36), we have X(t + 1) = (A + B)X(t) + BN (t),

(45)

which implies that

(39)

According to Lemma 4, we assume that the noise is independent of the system state. The noise {N (t) | t ∈ N} may be correlated. Therefore, “mean-zero” here indicates that the noise N (t) conditioning on the initial state X(0) and a history of noise {N (i) | i ∈ [t − 1]} is mean-zero. That is,

(42)

Since we have no a prior knowledge on X(0), by Bayes formula, (42) is equivalent to

(36)

But the analysis here also applies to other proportional controllers. In the plant P, the state X(t) ∈ Rn is updated via X(t + 1) = AX(t) + BV (t), (37)

X(t) = At X(0) +

P [Z(1) = z(1), . . . , Z(t) = z(t) | X(0) = x1 ] P [Z(1) = z(1), . . . , Z(t) = z(t) | X(0) = x2 ] ≤ exp (kx1 − x2 k) .

X(t) = (A + B)t X(0) +

t−1 X

(A + B)t−i−1 BN (i). (46)

i=0

Thus, Z(0) = X(0) + N (0) and for t ≥ 1

(40) 2134

Z(t) = (A + B)t X(0) +

t−1 X (A + B)t−i−1 BN (i) + N (t) i=0

(47)

On the other hand, by (38) and (39), we have N (0) = Z(0) − X(0) and for t ≥ 1, N (t) = Z(t) − X(t) t

= Z(t) − A X(0) −

t−1 X

At−i−1 BZ(i)

(48)

i=0

Lemma 9: Given the initial state X(0) and a history of outputs {Z(i) | i ∈ [t − 1]}, we have E [N (t) | X(0), Z(0), Z(1), . . . , Z(t − 1)] = 0. (49) Proof: By (47) and (48), there is an one-to-one linear map between {X(0), X(0), N (0), N (1), . . . , N (t − 1)} and {X(0), X(0), Z(0), Z(1), . . . , Z(t − 1)}. Then by (40), (49) holds. Lemma 10: Given an output history {z i | i ∈ [t]}, the following equality holds: ˜ At E[X(t)] = wt , (50) Pt−1 t−i−1 Bz i for t ≥ 1. where w0 = z 0 and wt = z t − i=0 A Proof: Take conditional expectation on (48) with respect to {Z(i) = z i | i ∈ [t]}. Theorem 11: If a mechanism is -differentially private up to time t ≥ 0, then the output entropy obeys  H (L, i) ≥ n − n ln( ) (51) 2 for i ∈ [t]. The equality holds when N (0) ∼ Lapn (1/), and for t ≥ 1, N (t) = AN (t − 1). Proof: Denote the joint probability distribution function of {N (i) | i ∈ [t]} by pt (n0 , n1 , . . . , nt ). For an output history {z i | i ∈ [t]}, by (48), ˜ 0 (x) = c0 p0 (w0 − x) h ˜ 1 (x) = c1 p1 (w0 − x, w1 − Ax) h ... ˜ t (x) = ct pt (w0 − x, . . . , wt − At x) h ...

(52)

where {ct | t ∈ N} are unifying constants. To minimize the ˜ entropy of X(t) at each time t ∈ N while ensuring differential privacy, by Theorem 6, we should have ˜ t (x) =  exp(−kx − E[X(t)]k ˜ h (53) 1 ). 2 Plug (50) (53) into (52). Since the new equalities holds for arbitrary x and {wt | t ∈ N}, by comparing the arguments, we have p0 (x0 ) = d1 exp(−kx0 k1 ) p1 (x0 , Ax1 ) = d2 exp(−kx1 k1 ) ... pt (x0 , . . . , At xt ) = dt exp(−kxt k1 ) ...

(54)

where {xt | t ∈ N} ⊆ R and {dt | t ∈ N} are unifying constants. A mechanism that satisfies (54) is N (0) ∼ Lap(1/) and for t ≥ 1, N (t) = AN (t − 1). The noise N (1) is

determined by N (0); N (2) is determined by N (0), N (1); and so on. In this case, the output entropy is independent of time t,  H (L, 1) = H (L, 2) = . . . = H (L, t) = n − n ln( ). (55) 2 This is because all the randomness is brought to the system at the initial time. VI. CONCLUSION In this work, we introduced the entropy-minimizing mechanism for differential privacy. In particular, we studied a query mechanism which randomizes a deterministic quantity by adding mean-zero noise to keep differential privacy. For one-shot queries, we showed that for n-dimensional input, differential privacy implies a lower bound n − n ln(/2) on the entropy of the randomized output of the mechanism, and this lower bound is achieved by adding Laplacian noise with parameter . Then we studied a discrete-time linear feedback system that simplifies the system in [12], where the adversary is modeled as a filter on the system output. We demonstrate that there is a lower bound on the entropy if the mechanism ensures the -differential privacy of the system. This lower bound is achieve by N (0) ∼ Lapn (1/), and for t ≥ 1, N (t) = AN (t − 1). R EFERENCES [1] C. Dwork, “Differential privacy,” in Automata, Languages and Programming, ser. Lecture Notes in Computer Science, M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener, Eds. Springer Berlin Heidelberg, 2006, vol. 4052, pp. 1–12. [2] J. Le Ny and G. J. Pappas, “Differentially private filtering,” in Decision and Control (CDC), 2012 IEEE 51st Annual Conference on. IEEE, 2012, pp. 3398–3403. [3] M. Hardt and K. Talwar, “On the geometry of differential privacy,” in Proceedings of the 42nd ACM symposium on Theory of computing. ACM, 2010, pp. 705–714. [4] Z. Huang, S. Mitra, and G. Dullerud, “Differentially private iterative synchronous consensus,” in Proceedings of the 2012 ACM workshop on Privacy in the electronic society. ACM, 2012, pp. 81–90. [5] Z. Huang, Y. Wang, S. Mitra, and G. E. Dullerud, “On the cost of differential privacy in distributed control systems,” in Proceedings of the 3rd International Conference on High Confidence Networked Systems, ser. HiCoNS ’14. New York, NY, USA: ACM, 2014, pp. 105–114. [6] M. S. Alvim, M. E. Andr´es, K. Chatzikokolakis, and C. Palamidessi, “On the relation between differential privacy and quantitative information flow,” in Automata, Languages and Programming. Springer, 2011, pp. 60–76. [7] M. S. Alvim, M. E. Andr´es, K. Chatzikokolakis, P. Degano, and C. Palamidessi, “Differential privacy: on the trade-off between utility and information leakage,” in Formal Aspects of Security and Trust. Springer, 2012, pp. 39–54. [8] Q. Geng and P. Viswanath, “The optimal mechanism in differential privacy,” arXiv preprint arXiv:1212.1186, 2012. [9] Q. Geng and P. Viswanath, “The optimal mechanism in differential privacy: Multidimensional setting,” arXiv preprint arXiv:1312.0655, 2013. [10] Q. Geng and P. Viswanath, “The optimal mechanism in (, δ)differential privacy,” arXiv preprint arXiv:1305.1330, 2013. [11] K. Chatzikokolakis, M. E. Andr´es, N. E. Bordenabe, and C. Palamidessi, “Broadening the scope of differential privacy using metrics,” in Privacy Enhancing Technologies. Springer, 2013, pp. 82–102. [12] Z. Huang, Y. Wang, S. Mitra, and G. E. Dullerud, “On the cost of differential privacy in distributed control systems,” in In 3rd ACM International Conference on High Confidence Networked Systems, 2014.

2135