We initiate an investigation of node differential privacy for graphs in the local model of private data analysis. In our model, dubbed LNDP, each node sees its own edge list and releases the output of a local randomizer on this input. These outputs are aggregated by an untrusted server to obtain a final output. We develop a novel algorithmic framework for this setting that allows us to accurately answer arbitrary linear queries on a blurry approximation of the input graph's degree distribution. For some natural problems, the resulting algorithms match the accuracy achievable with node privacy in the central model, where data are held and processed by a trusted server. We also prove lower bounds on the error required by LNDP that imply the optimality of our algorithms for several fundamental graph statistics. We then lift these lower bounds to the interactive LNDP setting, demonstrating the optimality of our algorithms even when constantly many rounds of interaction are permitted. Obtaining our lower bounds requires new approaches, since those developed for the usual local model do not apply to the inherently overlapping inputs that arise from graphs. Finally, we prove structural results that reveal qualitative differences between local node privacy and the standard local model for tabular data.

翻译：我们在私有数据分析的局部模型中，首次对图的节点差分隐私展开研究。在我们提出的LNDP模型中，每个节点获取自身的边列表，并发布基于该输入的局部随机化器输出。这些输出由一个不可信服务器聚合以获取最终结果。针对这一设置，我们开发了一种新颖的算法框架，能够基于输入图度分布的模糊近似，精确回答任意线性查询。对于某些自然问题，所得算法在精度上达到了中心模型（数据由可信服务器持有和处理）中节点隐私所能实现的水平。我们还证明了LNDP所需误差的下界，这表明我们的算法在若干基础图统计量上具有最优性。随后，我们将这些下界推广到交互式LNDP场景，证明即使允许常数轮交互，我们的算法仍保持最优性。获得这些下界需要新的研究方法，因为针对常规局部模型开发的技术不适用于图数据固有的重叠输入特性。最后，我们通过结构分析揭示了局部节点隐私与表格数据标准局部模型之间的本质差异。