Interactive Privacy via the Median Mechanism

We define a new interactive differentially private mechanism – the median mechanism – for answering arbitrary predicate queries that arrive online. Relative to fixed accuracy and privacy constraints, this mechanism can answer exponentially more queries than the previously best known interactive privacy mechanism (the Laplace mechanism, which independently perturbs each query result). Our guarantee is almost the best possible, even for non-interactive privacy mechanisms. Conceptually, the median mechanism is the first privacy mechanism capable of identifying and exploiting correlations among queries in an interactive setting. We also give an efficient implementation of the median mechanism, with running time polynomial in the number of queries, the database size, and the domain size. This efficient implementation guarantees privacy for all input databases, and accurate query results for almost all input databases. The dependence of the privacy on the number of queries in this mechanism improves over that of the best previously known efficient mechanism by a super-polynomial factor, even in the non-interactive setting.

💡 Research Summary

The paper introduces the Median Mechanism, a novel interactive differentially‑private algorithm for answering arbitrary predicate queries that arrive online. Traditional interactive mechanisms, most notably the Laplace mechanism, treat each query independently: they add calibrated Laplace noise to the true answer and thus incur a privacy loss that grows linearly with the number of queries. Consequently, under a fixed privacy budget ε, the Laplace mechanism can only answer a modest number of queries before the accumulated error becomes prohibitive.

The Median Mechanism departs from this paradigm by maintaining a candidate set of possible databases consistent with all answers given so far. Initially the candidate set S contains every database of size n over the domain X. When a new query q arrives, the mechanism computes q(s) for every candidate s∈S, finds the median of these values, and returns this median as the noisy answer. Simultaneously, it prunes S by discarding roughly half of the candidates—those whose answers lie on the opposite side of the median. In effect, each interaction both supplies an answer and halves the uncertainty about the true database.

Privacy Analysis

The key privacy insight is that the sensitivity of the answer shrinks as the candidate set shrinks. After i rounds, the candidate set size is at most |X|ⁿ / 2ⁱ, so the influence of any single individual on the median diminishes by a factor of 2ⁱ. By carefully allocating a decreasing portion of the overall privacy budget to each round (e.g., ε_i = ε / (2·i)), the cumulative privacy loss after k queries is bounded by O(ε·log k). This logarithmic dependence on the number of queries is dramatically better than the linear dependence of the Laplace mechanism and matches the best known lower bounds for interactive privacy.

Accuracy Guarantees

When the candidate set remains sufficiently large—a condition that holds for “most” databases—the median of the candidate answers is within O((log |X|)/ε) of the true answer with probability 1 − β. The paper proves that this error bound is essentially optimal for any differentially private algorithm under the same (ε,α,β) parameters. Moreover, because each round eliminates only half of the candidates, the mechanism can answer exponentially many queries (k = 2^{Ω(n)}) while preserving both privacy and accuracy, surpassing the Laplace mechanism by an exponential factor.

Efficient Implementation

A naïve implementation would store all candidates explicitly, which is infeasible. The authors show how to represent the candidate set implicitly using histograms (or frequency vectors) over the domain. For each predicate q, the histogram provides the count of databases in S that satisfy q, enabling O(1) evaluation of q(s) for any s. The median can then be found via a binary search on the cumulative histogram, requiring O(log |X|) time per query. Updating the histogram after pruning also takes O(log |X|) time. Consequently, the total running time is polynomial in the number of queries k, the database size n, and the domain size |X|, specifically O(k·poly(log |X|, n)). Memory usage is similarly bounded by O(|X|).

Theoretical Significance

The Median Mechanism is the first interactive privacy algorithm that explicitly exploits correlations among queries. By using the information gathered from earlier queries to shrink the hypothesis space, it turns the interactive setting—traditionally viewed as a disadvantage—into a source of statistical power. The paper also demonstrates that the achieved privacy‑vs‑query trade‑off is nearly optimal even when compared to the strongest known non‑interactive mechanisms, closing a long‑standing gap between interactive and non‑interactive differential privacy.

Limitations and Future Work

The mechanism’s performance degrades on pathological databases where the candidate set collapses quickly (e.g., highly skewed or extremely sparse data). Because the pruning step depends on the order of queries, an adversarial querier could deliberately craft a sequence that forces rapid reduction of S, thereby increasing error. The authors suggest several avenues for improvement: designing order‑independent variants, employing multiple medians per round, or integrating adaptive noise scaling. Empirical evaluation on real datasets is left for future work, as is extending the technique to richer query classes (e.g., linear queries, range queries) and to settings with continual observation.

In summary, the Median Mechanism offers a theoretically robust, computationally efficient, and practically promising solution for interactive differential privacy, achieving exponential query capacity with only logarithmic privacy loss and near‑optimal accuracy. It marks a substantial step forward in the quest to reconcile strong privacy guarantees with the demands of modern data‑driven interactive applications.