histogramDP: Differentially Private Histogram
In DPpack: Differentially Private Statistical Analysis and Machine Learning

histogramDP

R Documentation

Differentially Private Histogram

Description

This function computes a differentially private histogram from a vector at user-specified privacy levels of epsilon and delta. A histogram object is returned with sanitized values for the counts for easy plotting.

Usage

histogramDP(
  x,
  eps,
  lower.bound,
  upper.bound,
  breaks = "Sturges",
  normalize = FALSE,
  which.sensitivity = "bounded",
  mechanism = "Laplace",
  delta = 0,
  type.DP = "aDP",
  allow.negative = FALSE
)

Arguments

`x`	Numeric vector from which the histogram will be formed.
`eps`	Positive real number defining the epsilon privacy budget.
`lower.bound`	Scalar representing the global or public lower bound on values of x.
`upper.bound`	Scalar representing the global or public upper bound on values of x.
`breaks`	Identical to the argument with the same name from `hist`.
`normalize`	Logical value. If FALSE (default), returned histogram counts correspond to frequencies. If TRUE, returned histogram counts correspond to densities (i.e. area of histogram is one).
`which.sensitivity`	String indicating which type of sensitivity to use. Can be one of {'bounded', 'unbounded', 'both'}. If 'bounded' (default), returns result based on bounded definition for differential privacy. If 'unbounded', returns result based on unbounded definition. If 'both', returns result based on both methods \insertCiteKifer2011DPpack. Note that if 'both' is chosen, each result individually satisfies (eps, delta)-differential privacy, but may not do so collectively and in composition. Care must be taken not to violate differential privacy in this case.
`mechanism`	String indicating which mechanism to use for differential privacy. Currently the following mechanisms are supported: {'Laplace', 'Gaussian', 'analytic'}. Default is Laplace. See `LaplaceMechanism` and `GaussianMechanism` for descriptions of the supported mechanisms.
`delta`	Nonnegative real number defining the delta privacy parameter. If 0 (default), reduces to eps-DP.
`type.DP`	String indicating the type of differential privacy desired for the Gaussian mechanism (if selected). Can be either 'pDP' for probabilistic DP \insertCiteMachanavajjhala2008DPpack or 'aDP' for approximate DP \insertCiteDwork2006bDPpack. Note that if 'aDP' is chosen, epsilon must be strictly less than 1.
`allow.negative`	Logical value. If FALSE (default), any negative values in the sanitized histogram due to the added noise will be set to 0. If TRUE, the negative values (if any) will be returned.

Value

Sanitized histogram based on the bounded and/or unbounded definitions of differential privacy.

References

\insertRef

Dwork2006aDPpack

\insertRef

Kifer2011DPpack

\insertRef

Machanavajjhala2008DPpack

\insertRef

Dwork2006bDPpack

Examples

x <- stats::rnorm(500)
graphics::hist(x) # Non-private histogram
result <- histogramDP(x, 1, -3, 3)
plot(result) # Private histogram

graphics::hist(x, freq=FALSE) # Normalized non-private histogram
result <- histogramDP(x, .5, -3, 3, normalize=TRUE,
  which.sensitivity='unbounded', mechanism='Gaussian', delta=0.01,
  allow.negative=TRUE)
plot(result) # Normalized private histogram (note negative values allowed)

DPpack documentation built on Oct. 20, 2024, 9:07 a.m.