Mathematical notions of privacy, such as differential privacy, are often stated as probabilistic guarantees that are difficult to interpret. It is imperative, however, that the implications of data sharing be effectively communicated to the data principal to ensure informed decision-making and offer full transparency with regards to the associated privacy risks. To this end, our work presents a rigorous quantitative evaluation of the protection conferred by private learners by investigating their resilience to training data reconstruction attacks. We accomplish this by deriving non-asymptotic lower bounds on the reconstruction error incurred by any adversary against $(\epsilon, \delta)$ differentially private learners for target samples that belong to any compact metric space. Working with a generalization of differential privacy, termed metric privacy, we remove boundedness assumptions on the input space prevalent in prior work, and prove that our results hold for general locally compact metric spaces. We extend the analysis to cover the high dimensional regime, wherein, the input data dimensionality may be larger than the adversary's query budget, and demonstrate that our bounds are minimax optimal under certain regimes.

翻译：数学隐私概念（如差分隐私）往往以难以解释的概率性保证形式呈现。然而，必须向数据主体有效传达数据共享的影响，以确保知情决策，并完全透明地揭示相关隐私风险。为此，我们的工作通过研究私有学习器对训练数据重构攻击的抵抗力，对其提供的保护进行严格的定量评估。我们通过推导非渐近下界来实现这一目标，该下界刻画了任何攻击者对属于任意紧度量空间的目标样本所实施的（ε, δ）-差分隐私学习器的重构误差。通过采用差分隐私的推广形式——度量隐私，我们消除了以往工作中对输入空间的有界性假设，并证明我们的结果适用于一般局部紧度量空间。我们将分析扩展到高维场景（即输入数据维度可能超过攻击者的查询预算），并证明在某些条件下我们的下界具有极小化最优性。