We consider the setting where a user with sensitive features wishes to obtain a recommendation from a server in a differentially private fashion. We propose a ``multi-selection'' architecture where the server can send back multiple recommendations and the user chooses the one that best matches their private features. When the user feature is one-dimensional -- on an infinite line -- and the accuracy measure is defined with respect to some increasing function $\mathfrak{h}(.)$ of the distance on the line, we precisely characterize the optimal mechanism that satisfies differential privacy. The specification of the optimal mechanism includes both the distribution of the noise that the user adds to its private value and the algorithm used by the server to determine the set of results to send back as a response; we further show that Laplace is an optimal noise distribution. We also show that this optimal mechanism results in an error that is inversely proportional to the number of results returned when the function $\mathfrak{h}(.)$ is the identity function.
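
The architecture described above, as an added numerical sketch that is not the paper's code: the user perturbs a one-dimensional value with Laplace noise, the server answers with $k$ candidates, and the user keeps the nearest one locally. The placement rule in `server_offsets` is an assumption (quantile midpoints of a Laplace with twice the noise scale), not the optimal server algorithm the paper characterizes, and all function names are hypothetical.

```python
import math
import random
from bisect import bisect_left

def laplace_quantile(p, b):
    """Inverse CDF of a zero-mean Laplace distribution with scale b."""
    return b * math.log(2 * p) if p < 0.5 else -b * math.log(2 * (1 - p))

def server_offsets(k, eps):
    """ASSUMED placement rule (not the paper's): k offsets at the quantile
    midpoints of a Laplace with scale 2/eps, i.e. density ~ sqrt(noise pdf)."""
    return [laplace_quantile((i + 0.5) / k, 2 / eps) for i in range(k)]

def nearest(target, points):
    """Closest element of the sorted list `points` to `target`."""
    j = bisect_left(points, target)
    return min(points[max(j - 1, 0):j + 1], key=lambda c: abs(c - target))

def private_round(x, k, eps, rng):
    """One exchange: the user reports s = x + Laplace(1/eps) noise, the server
    answers with k candidates around s, the user keeps the one nearest x."""
    s = x + laplace_quantile(rng.uniform(1e-12, 1 - 1e-12), 1 / eps)
    candidates = [s + a for a in server_offsets(k, eps)]  # server sees only s
    return candidates, nearest(x, candidates)             # choice stays local

def expected_error(k, eps, steps=100_000, span=30.0):
    """E[min_i |x - (s + a_i)|] for identity h, by midpoint integration of the
    noise density over [-span/eps, span/eps] (x cancels out)."""
    b, offsets = 1 / eps, server_offsets(k, eps)
    width = 2 * span * b / steps
    total = 0.0
    for n in range(steps):
        z = -span * b + (n + 0.5) * width        # noise value s - x
        pdf = math.exp(-abs(z) / b) / (2 * b)
        total += pdf * abs(-z - nearest(-z, offsets)) * width
    return total

if __name__ == "__main__":
    rng = random.Random(7)  # constructed demo input
    print(private_round(x=3.0, k=4, eps=1.0, rng=rng))
    for k in (1, 2, 4, 8, 16, 32):
        err = expected_error(k, eps=1.0)
        print(f"k={k:2d}  error={err:.4f}  k*error={k * err:.3f}")
```

Under this assumed placement, `k * error` stays close to a constant multiple of `1/eps` as `k` grows, which is the inverse-proportional behaviour the abstract states for the identity function.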