<b>Generate parallel databases</b>
<p>Key to the definition of differential privacy is the ability to ask the question "When querying a database, if I removed someone from the database, would the output of the query be any different?". Thus, in order to check this, we must construct what we term "parallel databases", wich are simply databases with one entry removed.</p>
<p>In this first project, I am going to create a list of every parallel database to the one currently contained in the "db" variable.</p>
Then, I am going to create a function which both:
<ul>
    <li>creates the initial database(db)</li>
    <li>creates all parallel databases</li>
<ul>

In [1]:
import torch

#the number of entries in our database
num_entries = 5000

db = torch.rand(num_entries) > 0.5
db

tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8)

In [2]:
remove_index = 2
db[0:5]

tensor([0, 1, 1, 1, 0], dtype=torch.uint8)

In [3]:
def get_parallel_db(db, remove_index):
    return torch.cat((db[0:remove_index],
                      db[remove_index + 1:]))

In [4]:
get_parallel_db(db, 3).shape

torch.Size([4999])

In [5]:
get_parallel_db(db, 11111).shape

torch.Size([5000])

In [6]:
def get_parallel_dbs(db):
    
    parallel_dbs = list()
    
    for i in range(len(db)):
        pdb = get_parallel_db(db, i)
        parallel_dbs.append(pdb)
    
    return parallel_dbs

In [7]:
pdbs = get_parallel_dbs(db)

In [8]:
pdbs

[tensor([1, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0, 0], dtype=torch.uint8),
 tensor([0, 1, 1,  ..., 0, 0

In [9]:
def create_db_and_parallels(num_entries):
    db = torch.rand(num_entries) > 0.5
    pdbs = get_parallel_dbs(db)
    
    return db, pdbs

In [10]:
db, pdbs = create_db_and_parallels(20)

In [11]:
db

tensor([1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
       dtype=torch.uint8)

In [12]:
pdbs

[tensor([1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1],
        dtype=torch.uint8),
 tensor([1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1,

<b>Towards evaluating the differential privacy of a function</b>

<p>
Intuitively, we want to be able to query our database and evaluate whether or not the result of the query is leaking private information. This is about evaluating whether the output of a query changes when we remove someone from the database. Specifically, we want to evaluate the maximum amount the query changes when someone is removed (maximum over all possible people who could be removed). So, in order to evaluate how much privacy is leaked, we´re going to iterate over each person in the database and measure the difference in the output of the query relative to when we query the entire database.
</p>
<p>Just for the sake of argument, let's make our first "database query" a simple sum. Aka, we´re going to count the number of 1s in the database</p>

In [13]:
db, pdbs = create_db_and_parallels(5000)

In [14]:
db

tensor([0, 1, 0,  ..., 0, 0, 1], dtype=torch.uint8)

In [15]:
def query(db):
    return db.sum()

In [16]:
query(db)

tensor(2533)

In [17]:
#next we see that:
#when we remove data from the database,
#the output of the query changes
query(pdbs[5])

tensor(2532)

In [18]:
#let´s see the max amount of change
full_db_result = query(db)

In [19]:
max_distance = 0
for pdb in pdbs:
    pdb_result = query(pdb)
    
    #L1 sensitivity
    db_distance = torch.abs(pdb_result - full_db_result)
    
    if (db_distance > max_distance):
        max_distance = db_distance

In [20]:
#Sensitivity
max_distance

tensor(1)

Some facts:
max_distance will always be 1 in this database with this particular query, because there are only two possible values, 0 and 1

<b>Evaluating the privacy of a function</b>

Create a function that measures sensitivity on whichever query done in the databases

In [21]:
#Let's try to calculate the sensitivity for the "mean" function
def sensitivity(query, n_entries = 1000):
    
    db, pdbs = create_db_and_parallels(n_entries)
    
    full_db_result = query(db)
    
    max_distance = 0
    for pdb in pdbs:
        pdb_result = query(pdb)
        
        #L1 sensitivity
        db_distance = torch.abs(pdb_result - full_db_result)
        
        if (db_distance > max_distance):
            max_distance = db_distance
    return max_distance

In [22]:
def query(db):
    return db.float().mean()

In [23]:
sensitivity(query)

tensor(0.0005)

Some conclusions:
We are assuming we´re dealing with people. We care about sensitivity to people: not about sensitivity to removing certain values, but about removing ALL values related to a person

<b>Calculate L1 sensitivity for threshold</b>
<p>I am going to calculate the sensitivity for the "threshold" function</p>
<ul>
    <li>Create the query function: a sum, and return if the queried database is greater or less than a threshold</li>
    <li>Create 10 databases of size 10 (threshold = 5) and query them, calculating the sensitivity of each</li>
    <li>Print out the sensitivity of each database</li>
</ul>

In [24]:
def query(db, threshold = 5):
    return (db.sum() > threshold).float()

In [25]:
for i in range(10):
    sens_f = sensitivity(query, n_entries = 10)
    print(sens_f)

0
0
0
0
tensor(1.)
0
0
0
0
0


Some conclusions:
<ul>
    <li>When n_entries is equal or less than threshold, query will be 0 in original and parallel databases, thus having sensitivity 0</li>
    <li>When having parallel databases querying 1 for a given threshold, as original database queries 1, we have sensitivity 0</li>
    <li>For n_entries greater than threshold, when original database queries 1 and some parallel database queries 0, whe have sensitivity 1</li>
</ul>
<p>Thus we have a database conditioned sensitivity</p>

<b>Perform a differencing attack</b>
<p>I am going to perform a basic differencing attack to divulge what the value in row 10 is in database</p>
<p>In order to do this, I am going to first query the entire databse, and then the database without row 10</p>

In [26]:
db, _ = create_db_and_parallels(100)

In [27]:
pdb = get_parallel_db(db, remove_index = 10)

In [28]:
db[10]

tensor(1, dtype=torch.uint8)

In [29]:
sum(db)

tensor(56, dtype=torch.uint8)

In [30]:
#differencing attack using sum query
sum(db) - sum(pdb)

tensor(1, dtype=torch.uint8)

In [31]:
#differencing attack using mean query
(sum(db).float()/len(db)) - (sum(pdb).float()/len(pdb))

tensor(0.0044)

In [32]:
#differencing attack using thresold
(sum(db).float() > 42) - (sum(pdb).float() > 42)

tensor(0, dtype=torch.uint8)

<b>Project: Local Differential Privacy</b>

<p>As you can see, the basic sum query is not differentially private at all! In truth, differential privacy always requires a form of randomness added to the query</p>

<b>Randomized response (local differential privacy)</b>

<p>
Let's say I have a group of people a wish to survey about a very taboo behavior which I think they will lie about (say, I want to know if they have ever committed a certain kind of crime. I'm not a policeman, I'm just trying to collect statistics to understand the higher level trend in society. So, how do we do this? One technique is to add randomness to each person's response by giving each personthe following instructions (assumming I'm asking a simple yes/no question):
    <ul>
        <li>Flip a coin two times</li>
        <li>If the first coin flip is heads, answer honestly</li>
        <li>If the first coin flip is tails, answer according to the second coin flip (heads for yes, tails for no)!</li>
    </ul>
Thus, each person is now protected with "plausible deniabulity". If they answer "Yes" to the question "have you commited X crime?", then it might be because they actually did, or it might be because they are answering according to a random coin flip. Each person has a high degree of protection. Furthermore, we can recover the underlying statistics with some accuracy, as the "true statistics" are simply averaged with a 50% probability. Thus, if we collect a bunch of samples and it turns out that 60% of people answer yes, then we know that the TRUE distribution is actually centered around 70%, because 70%averaged with 50% (a coin flip) is 60%, which is the result we obtained.
</p>
<p>However, it should be noted that, especially when we only have a few samples, this comes at the cost of accuracy. This tradeoff exists across all of Differential Privacy. The greater the privacy protection (plausible deniability), the less accurate the results.</p>
<p>Let's implement this local DP for our databse before!</p>

In [33]:
def query(db):
    true_result = torch.mean(db.float())
    
    first_coin_flip = (torch.rand(len(db)) > 0.5).float()
    second_coin_flip = (torch.rand(len(db)) > 0.5).float()

    augmented_db = db.float() * first_coin_flip + (1 - first_coin_flip) * second_coin_flip

    db_result = torch.mean(augmented_db.float()) * 2 - 0.5
    
    return db_result, true_result

In [34]:
db, pdbs = create_db_and_parallels(10)
private_result, true_result = query(db)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))

With noise: tensor(0.7000)
Without noise:tensor(0.5000)


In [35]:
db, pdbs = create_db_and_parallels(100)
private_result, true_result = query(db)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))

With noise: tensor(0.6000)
Without noise:tensor(0.5200)


In [36]:
db, pdbs = create_db_and_parallels(1000)
private_result, true_result = query(db)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))

With noise: tensor(0.5480)
Without noise:tensor(0.5100)


In [37]:
db, pdbs = create_db_and_parallels(10000)
private_result, true_result = query(db)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))

With noise: tensor(0.4916)
Without noise:tensor(0.5003)


In [38]:
#100,000 is too much!
'''db, pdbs = create_db_and_parallels(100000)
private_result, true_result = query(db)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))
'''

'db, pdbs = create_db_and_parallels(100000)\nprivate_result, true_result = query(db)\nprint("With noise: " + str(private_result))\nprint("Without noise:" + str(true_result))\n'

Some conclusions:
<ul>
    <li>The bigger the dataset, the more the noise will tend to average out. It will tend to not affect the output of the query.</li>
    <li>Local differential privacy is very data hungry: we add noise to every singel value of the dataset</li>
    </ul>

<b>Project 5: Varying amounts of noise</b>
<p>I will augment the randomized response query to allow for varying amounts of randomness to be added. Specifically, I will bias the coin flip to be higher or lower and then run the same experiment.</p>
<p>Note - I will adjust both the likelihood of the first coin flip AND the deskewing at the end (the db_result)</p>

In [39]:
def query(db, noise = 0.2):
    true_result = torch.mean(db.float())
    
    first_coin_flip = (torch.rand(len(db)) > noise).float()
    second_coin_flip = (torch.rand(len(db)) > 0.5).float()

    augmented_db = db.float() * first_coin_flip + (1 - first_coin_flip) * second_coin_flip
    
    sk_result = augmented_db.float().mean()
    
    private_result = ((sk_result / noise) - 0.5) * noise / (1 - noise)
    
    return private_result, true_result

In [40]:
db, pdbs = create_db_and_parallels(100)
private_result, true_result = query(db, noise = 0.1)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))

With noise: tensor(0.5111)
Without noise:tensor(0.5100)


In [41]:
db, pdbs = create_db_and_parallels(100)
private_result, true_result = query(db, noise = 0.2)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))

With noise: tensor(0.4125)
Without noise:tensor(0.5000)


In [42]:
db, pdbs = create_db_and_parallels(100)
private_result, true_result = query(db, noise = 0.4)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))

With noise: tensor(0.5667)
Without noise:tensor(0.5100)


In [43]:
db, pdbs = create_db_and_parallels(100)
private_result, true_result = query(db, noise = 0.8)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))

With noise: tensor(0.5500)
Without noise:tensor(0.5400)


In [44]:
db, pdbs = create_db_and_parallels(10000)
private_result, true_result = query(db, noise = 0.8)
print("With noise: " + str(private_result))
print("Without noise:" + str(true_result))

With noise: tensor(0.5475)
Without noise:tensor(0.4997)


Conclusion: The more private data, the easier to protect privacy, thus, the more noise we can add to the data while still getting an accurate result