Differentially private (DP) mechanisms are difficult to interpret and calibrate because existing methods for mapping standard privacy parameters to concrete privacy risks -- re-identification, attribute inference, and data reconstruction -- are both overly pessimistic and inconsistent. In this work, we use the hypothesis-testing interpretation of DP ($f$-DP), and determine that bounds on attack success can take the same unified form across re-identification, attribute inference, and data reconstruction risks. Our unified bounds are (1) consistent across a multitude of attack settings, and (2) tunable, enabling practitioners to evaluate risk with respect to arbitrary, including worst-case, levels of baseline risk. Empirically, our results are tighter than prior methods using $\varepsilon$-DP, Rényi DP, and concentrated DP. As a result, calibrating noise using our bounds can reduce the required noise by 20% at the same risk level, which yields, e.g., an accuracy increase from 52% to 70% in a text classification task. Overall, this unifying perspective provides a principled framework for interpreting and calibrating the degree of protection in DP against specific levels of re-identification, attribute inference, or data reconstruction risk.