What Can We Learn Privately?
Learning problems form an important category of computational tasks that generalizes many of the computations researchers apply to large real-life data sets. We ask: what concept classes can be learned privately, namely, by an algorithm whose output does not depend too heavily on any one input or specific training example? More precisely, we investigate learning algorithms that satisfy differential privacy, a notion that provides strong confidentiality guarantees in contexts where aggregate information is released about a database containing sensitive information about individuals. We demonstrate that, ignoring computational constraints, it is possible to privately agnostically learn any concept class using a sample size approximately logarithmic in the cardinality of the concept class. Therefore, almost anything learnable is learnable privately: specifically, if a concept class is learnable by a (non-private) algorithm with polynomial sample complexity and output size, then it can be learned privately using a polynomial number of samples. We also present a computationally efficient private PAC learner for the class of parity functions. Local (or randomized response) algorithms are a practical class of private algorithms that have received extensive investigation. We provide a precise characterization of local private learning algorithms. We show that a concept class is learnable by a local algorithm if and only if it is learnable in the statistical query (SQ) model. Finally, we present a separation between the power of interactive and noninteractive local learning algorithms.
Research Summary
The paper investigates which concept classes can be learned under the stringent guarantee of differential privacy, focusing on three resources: sample size, computational efficiency, and interaction. Its contributions can be grouped into four main results.
1. A Private Version of Occam’s Razor – The authors present a generic, distribution‑free, differentially private agnostic PAC learner that works for any finite concept class C. The learner’s sample complexity is Θ((log |C| + log 1/β)/ε²), matching the classic non‑private Occam bound up to the privacy factor 1/ε. The algorithm is based on the exponential mechanism: it samples hypotheses proportionally to their empirical error, thereby ensuring that the output distribution changes only slightly when a single training example is altered. While the method may require exponential time (it is not computationally efficient), it establishes that privacy alone does not inflate the sample requirement beyond a logarithmic factor in the class size.
2. Efficient Private Learner for Parity – Parity functions over {0,1}ⁿ are a canonical hard case for learning with random classification noise. The paper gives a polynomial‑time, distribution‑free, ε‑differentially private PAC learner for parity that uses a number of samples comparable to the best known non‑private learner. The construction draws a random subset of the data, runs a standard (non‑private) parity learner on that subset, and then applies a carefully calibrated “refusal” step: with probability depending on the privacy budget, the algorithm may output ⊥ instead of a hypothesis. This step guarantees differential privacy without sacrificing the statistical guarantees of the underlying learner. The result shows that privacy does not necessarily inherit the hardness of learning with noise.
3. Equivalence of Local (Randomized‑Response) and SQ Learning – Local differential privacy (LDP) requires each user to randomize her data before sending it to a server. The authors prove that a concept class is learnable by an LDP algorithm iff it is learnable in the statistical query (SQ) model. The forward direction simulates any LDP protocol by an SQ algorithm using rejection sampling; the reverse direction shows that each SQ query can be answered by aggregating locally randomized responses, because differential privacy guarantees that the required expectations can be estimated with low‑accuracy SQ queries. Consequently, the power of LDP learning is exactly the power of SQ learning, linking two previously unrelated frameworks.
4. Separation Between Interactive and Non‑Interactive Local Learning – The paper defines interactive local algorithms (multiple rounds of communication) and non‑interactive ones (single round). It constructs a “masked‑parity” class that can be learned efficiently by an interactive LDP algorithm under the uniform distribution, but requires exponentially many samples for any non‑interactive LDP algorithm. Via the equivalence in (3), this also separates adaptive SQ learning (which corresponds to interaction) from non‑adaptive SQ learning. The separation highlights that adaptivity dramatically increases learning power in the privacy‑preserving setting.
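The exponential-mechanism learner behind the first result above (the private version of Occam's razor) can be sketched as follows. This is an added example, not code from the paper: the threshold class, the constructed sample and all function names are assumptions. Each hypothesis gets weight exp(-ε · errors / 2), so low-error hypotheses are exponentially more likely, and the check at the end measures the privacy loss between two samples that differ in one example.

```python
import math
import random

# Hypothetical finite class C: thresholds h_t(x) = [x >= t] on {0..15}, t = 0..16.
HYPOTHESES = [lambda x, t=t: int(x >= t) for t in range(17)]

def constructed_sample(true_t=6, copies=20, flips=2):
    """Constructed data: `copies` examples per point, `flips` of them mislabelled."""
    sample = []
    for x in range(16):
        y = int(x >= true_t)
        sample += [(x, 1 - y)] * flips + [(x, y)] * (copies - flips)
    return sample

def empirical_errors(hypotheses, sample):
    """Misclassification counts; changing one example moves each count by at most 1."""
    return [sum(h(x) != y for x, y in sample) for h in hypotheses]

def output_distribution(hypotheses, sample, epsilon):
    """Exponential mechanism: Pr[h] proportional to exp(-epsilon * errors(h) / 2)."""
    errs = empirical_errors(hypotheses, sample)
    best = min(errs)  # common shift for numerical stability; cancels on normalising
    weights = [math.exp(-epsilon * (e - best) / 2) for e in errs]
    total = sum(weights)
    return [w / total for w in weights]

def private_learn(hypotheses, sample, epsilon, rng):
    """Draw one hypothesis index from the exponential-mechanism distribution."""
    probs = output_distribution(hypotheses, sample, epsilon)
    return rng.choices(range(len(hypotheses)), weights=probs, k=1)[0]

def max_privacy_loss(hypotheses, sample, neighbour, epsilon):
    """Largest |log ratio| of output probabilities across two neighbouring samples."""
    p = output_distribution(hypotheses, sample, epsilon)
    q = output_distribution(hypotheses, neighbour, epsilon)
    return max(abs(math.log(a / b)) for a, b in zip(p, q))

if __name__ == "__main__":
    data = constructed_sample()
    neighbour = [(data[0][0], 1 - data[0][1])] + data[1:]  # one example changed
    eps = 0.5
    print("mass on true threshold:", output_distribution(HYPOTHESES, data, eps)[6])
    print("privacy loss:", max_privacy_loss(HYPOTHESES, data, neighbour, eps), "<=", eps)
    print("sampled t:", private_learn(HYPOTHESES, data, eps, random.Random(0)))
```

The running time is linear in |C|, which is why this generic learner is not computationally efficient for classes of exponential size.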
Beyond these technical results, the authors discuss implications: (i) any concept class that has a polynomial‑size representation and a polynomial‑sample non‑private learner automatically admits a polynomial‑sample private learner (though possibly inefficient); (ii) the cost of privacy in sample complexity can be as low as a factor 1/ε, contrasting with earlier works where the overhead was √t/ε (t = number of SQ queries). They also outline open problems such as finding natural concept classes that are efficiently learnable non‑privately but provably require super‑polynomial resources when privacy is imposed, and tightening the sample bounds for practical hypothesis classes (half‑spaces, low‑dimensional manifolds, etc.).
In summary, the paper establishes a comprehensive theoretical foundation for private learning: it shows that privacy does not fundamentally preclude learning, provides concrete efficient algorithms for a hard class (parity), precisely characterizes the capabilities of local differential privacy via SQ learning, and demonstrates that interaction (adaptivity) can be a decisive factor in what can be learned privately.
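One direction of the local/SQ equivalence, answering a single statistical query from locally randomized reports, can be illustrated as below. This is an added example, not the paper's construction: the record layout, the query and the function names are assumptions, and the sample-size formula is a plain Hoeffding bound. Each user flips the query bit with probability 1/(1+e^ε) before sending it, and the server removes the known bias from the average.

```python
import math
import random

def constructed_records(n):
    """Constructed data: x cycles over {0,1}^3, label y = x[0], every 10th label flipped."""
    records = []
    for i in range(n):
        x = ((i >> 2) & 1, (i >> 1) & 1, i & 1)
        y = x[0] ^ (1 if i % 10 == 0 else 0)
        records.append((x, y))
    return records

def agrees_with_x0(x, y):
    """Hypothetical SQ predicate g(x, y): does the label agree with the first bit?"""
    return int(x[0] == y)

def randomize_bit(bit, epsilon, rng):
    """Runs on the user's side: report the true bit with probability e^eps / (1 + e^eps)."""
    p_truth = math.exp(epsilon) / (1 + math.exp(epsilon))
    return bit if rng.random() < p_truth else 1 - bit

def answer_sq_locally(query, records, epsilon, rng):
    """Server side: average the noisy reports, then invert the known flip bias."""
    p = math.exp(epsilon) / (1 + math.exp(epsilon))
    reports = [randomize_bit(query(x, y), epsilon, rng) for x, y in records]
    mean = sum(reports) / len(reports)
    return (mean - (1 - p)) / (2 * p - 1)

def users_needed(tau, epsilon, beta):
    """Hoeffding bound on users for error <= tau with probability >= 1 - beta."""
    scale = (math.exp(epsilon) - 1) / (math.exp(epsilon) + 1)  # equals 2p - 1
    return math.ceil(math.log(2 / beta) / (2 * (tau * scale) ** 2))

if __name__ == "__main__":
    tau, eps, beta = 0.05, 1.0, 1e-9
    n = users_needed(tau, eps, beta)
    recs = constructed_records(n)
    truth = sum(agrees_with_x0(x, y) for x, y in recs) / n
    estimate = answer_sq_locally(agrees_with_x0, recs, eps, random.Random(7))
    print(f"users={n} truth={truth:.4f} estimate={estimate:.4f} tolerance={tau}")
```

The factor (e^ε − 1)/(e^ε + 1) in `users_needed` shows how the number of users grows as ε shrinks for a fixed tolerance.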