Successive Refinement of Privacy
This work addresses a novel problem in privacy-preserving data analysis for scenarios requiring hierarchical access with varying privacy guarantees, though it is incremental in extending classical security settings to LDP.
The paper tackles the problem of determining the minimal randomness required for local differential privacy (LDP) and introduces a successive refinement setting that allows multiple analysts to access the same randomized output with different privacy levels, such as enabling one to reconstruct input while another only estimates distributions under LDP. It provides tight characterizations of privacy-utility-randomness trade-offs for distribution estimation and shows that random keys cannot be reused over time while preserving user privacy.
This work examines a novel question: how much randomness is needed to achieve local differential privacy (LDP)? A motivating scenario is providing {\em multiple levels of privacy} to multiple analysts, either for distribution or for heavy-hitter estimation, using the \emph{same} (randomized) output. We call this setting \emph{successive refinement of privacy}, as it provides hierarchical access to the raw data with different privacy levels. For example, the same randomized output could enable one analyst to reconstruct the input, while another can only estimate the distribution subject to LDP requirements. This extends the classical Shannon (wiretap) security setting to local differential privacy. We provide (order-wise) tight characterizations of privacy-utility-randomness trade-offs in several cases for distribution estimation, including the standard LDP setting under a randomness constraint. We also provide a non-trivial privacy mechanism for multi-level privacy. Furthermore, we show that we cannot reuse random keys over time while preserving privacy of each user.