Add quantile trees and deprecate order statistics in C++

C++: - Add an interface for multiple quantiles, supported by Quantile Trees - Mark OrderStatistics as deprecated in favor of the new quantile implementation Go & Privacy on Beam: - Various fixes and improvements for CI with the `go` tool Privacy on Beam: - Improve instructions for depending on the library with Bazel - Fix typos in DistinctPerKey tests Accounting: - Add a function to conveniently create PLD for Discrete Laplace, Discrete Gaussian and Gaussian Mechanisms GitOrigin-RevId: 958acb2199902126d3d333dd8d1da150fa281911 Change-Id: I89de361be98dcc6da9675d5730f5b06bb7c59a31
google · Aug 2, 2021 · 8d1c557 · 8d1c557
1 parent e149618
commit 8d1c557
Show file tree

Hide file tree

Showing 32 changed files with 3,773 additions and 108 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -0,0 +1,47 @@
+name: Go
+
+on:
+ push:
+ branches-ignore:
+ # Version 1.0 does not work with the "go" tool properly.
+ - "1.0"
+ pull_request:
+ branches-ignore:
+ # Version 1.0 does not work with the "go" tool properly.
+ - "1.0"
+ schedule:
+ # Every Thursday at 1PM UTC
+ - cron: "0 13 * * 4"
+
+jobs:
+
+ build:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.16
+
+ - name: Build go
+ run: go build -mod=mod -v ./...
+ working-directory: ./go
+
+ - name: Test go
+ run: go test -mod=mod -v ./...
+ working-directory: ./go
+
+ - name: Build examples/go
+ run: go build -mod=mod -v ./...
+ working-directory: ./examples/go
+
+ - name: Build privacy-on-beam
+ run: go build -mod=mod -v ./...
+ working-directory: ./privacy-on-beam
+
+ - name: Test privacy-on-beam
+ run: go test -mod=mod -v ./...
+ working-directory: ./privacy-on-beam
diff --git a/README.md b/README.md
@@ -28,8 +28,8 @@ Currently, the DP building block libraries support the following algorithms:
 | Count | Supported | Supported | Supported |
 | Sum | Supported | Supported | Supported |
 | Mean | Supported | Supported | Supported |
-| Variance | Supported | Planned  | Planned |
-| Standard deviation | Supported | Planned  | Planned |
+| Variance | Supported | Supported | Planned |
+| Standard deviation | Supported | Supported | Planned |
 | Quantiles | Supported | Supported | Supported |
 | Automatic bounds approximation | Supported | Planned | Planned |
 | Truncated geometric thresholding | Supported | Supported | Supported |

diff --git a/cc/accounting/BUILD b/cc/accounting/BUILD
@@ -47,6 +47,7 @@ cc_library(
  "@com_google_absl//absl/container:flat_hash_map",
  "@com_google_absl//absl/status",
  "@com_google_absl//absl/strings:str_format",
+ "@com_google_absl//absl/types:optional",
  "@com_google_cc_differential_privacy//base:status",
  "@com_google_cc_differential_privacy//base:statusor",
  ],
@@ -81,6 +82,7 @@ cc_test(
  "//accounting/common:test_util",
  "@com_google_differential_privacy//proto/accounting:privacy_loss_distribution_cc_proto",
  "@com_google_absl//absl/status",
+ "@com_google_absl//absl/types:optional",
  "@com_google_cc_differential_privacy//base:statusor",
  ],
 )

diff --git a/cc/accounting/privacy_loss_distribution.cc b/cc/accounting/privacy_loss_distribution.cc
@@ -22,6 +22,7 @@
 #include "absl/strings/str_format.h"
 #include "accounting/common/common.h"
 #include "accounting/convolution.h"
+#include "accounting/privacy_loss_mechanism.h"
 #include "proto/accounting/privacy-loss-distribution.pb.h"
 #include "base/status_macros.h"
 
@@ -204,6 +205,39 @@ PrivacyLossDistribution::CreateForLaplaceMechanism(
  discretization_interval);
 }
 
+base::StatusOr<std::unique_ptr<PrivacyLossDistribution>>
+PrivacyLossDistribution::CreateForDiscreteLaplaceMechanism(
+ double parameter, int sensitivity, EstimateType estimate_type,
+ double discretization_interval) {
+ ASSIGN_OR_RETURN(std::unique_ptr<DiscreteLaplacePrivacyLoss> privacy_loss,
+ DiscreteLaplacePrivacyLoss::Create(parameter, sensitivity));
+ return CreateForAdditiveNoise(*privacy_loss, estimate_type,
+ discretization_interval);
+}
+
+base::StatusOr<std::unique_ptr<PrivacyLossDistribution>>
+PrivacyLossDistribution::CreateForGaussianMechanism(
+ double standard_deviation, double sensitivity, EstimateType estimate_type,
+ double discretization_interval, double mass_truncation_bound) {
+ ASSIGN_OR_RETURN(
+ std::unique_ptr<GaussianPrivacyLoss> privacy_loss,
+ GaussianPrivacyLoss::Create(standard_deviation, sensitivity,
+ estimate_type, mass_truncation_bound));
+ return CreateForAdditiveNoise(*privacy_loss, estimate_type,
+ discretization_interval);
+}
+
+base::StatusOr<std::unique_ptr<PrivacyLossDistribution>>
+PrivacyLossDistribution::CreateForDiscreteGaussianMechanism(
+ double sigma, int sensitivity, EstimateType estimate_type,
+ double discretization_interval, absl::optional<int> truncation_bound) {
+ ASSIGN_OR_RETURN(std::unique_ptr<DiscreteGaussianPrivacyLoss> privacy_loss,
+ DiscreteGaussianPrivacyLoss::Create(sigma, sensitivity,
+ truncation_bound));
+ return CreateForAdditiveNoise(*privacy_loss, estimate_type,
+ discretization_interval);
+}
+
 std::unique_ptr<PrivacyLossDistribution>
 PrivacyLossDistribution::CreateForPrivacyParameters(
  EpsilonDelta epsilon_delta, double discretization_interval) {

diff --git a/cc/accounting/privacy_loss_distribution.h b/cc/accounting/privacy_loss_distribution.h
@@ -22,6 +22,7 @@
 
 #include "absl/container/flat_hash_map.h"
 #include "base/statusor.h"
+#include "absl/types/optional.h"
 #include "accounting/common/common.h"
 #include "accounting/privacy_loss_mechanism.h"
 #include "proto/accounting/privacy-loss-distribution.pb.h"
@@ -122,12 +123,80 @@ class PrivacyLossDistribution {
  // estimate_type: kPessimistic denoting that the rounding is done in such a
  // way that the resulting epsilon-hockey stick divergence computation gives
  // an upper estimate to the real value.
+ // discretization_interval: the length of the dicretization interval for the
+ // privacy loss distribution. The values will be rounded up/down to be
+ // integer multiples of this number.
  static base::StatusOr<std::unique_ptr<PrivacyLossDistribution>>
  CreateForLaplaceMechanism(
  double parameter, double sensitivity = 1,
  EstimateType estimate_type = EstimateType::kPessimistic,
  double discretization_interval = 1e-4);
 
+ // Creates {@link PrivacyLossDistribution} for the Discrete Laplace mechanism.
+ //
+ // parameter: the parameter of the Discrete Laplace distribution.
+ // sensitivity: the sensitivity of function f. (i.e. the maximum absolute
+ // change in f when an input to a single user changes.)
+ // estimate_type: kPessimistic denoting that the rounding is done in such a
+ // way that the resulting epsilon-hockey stick divergence computation gives
+ // an upper estimate to the real value.
+ // discretization_interval: the length of the dicretization interval for the
+ // privacy loss distribution. The values will be rounded up/down to be
+ // integer multiples of this number.
+ static base::StatusOr<std::unique_ptr<PrivacyLossDistribution>>
+ CreateForDiscreteLaplaceMechanism(
+ double parameter, int sensitivity = 1,
+ EstimateType estimate_type = EstimateType::kPessimistic,
+ double discretization_interval = 1e-4);
+
+ // Creates {@link PrivacyLossDistribution} for the Gaussian mechanism.
+ //
+ // standard_deviation: the standard_deviation of the Gaussian distribution.
+ // sensitivity: the sensitivity of function f. (i.e. the maximum absolute
+ // change in f when an input to a single user changes.)
+ // estimate_type: kPessimistic denoting that the rounding is done in such a
+ // way that the resulting epsilon-hockey stick divergence computation gives
+ // an upper estimate to the real value.
+ // discretization_interval: the length of the dicretization interval for the
+ // privacy loss distribution. The values will be rounded up/down to be
+ // integer multiples of this number.
+ // mass_truncation_bound: the natural log of the probability mass that might
+ // be discarded from the noise distribution. The larger this number, the
+ // more error it may introduce in divergence calculations.
+ static base::StatusOr<std::unique_ptr<PrivacyLossDistribution>>
+ CreateForGaussianMechanism(
+ double standard_deviation, double sensitivity = 1,
+ EstimateType estimate_type = EstimateType::kPessimistic,
+ double discretization_interval = 1e-4,
+ double mass_truncation_bound = -50);
+
+ // Creates {@link PrivacyLossDistribution} for the Gaussian mechanism.
+ //
+ // sigma: he parameter of the discrete Gaussian distribution. Note that unlike
+ // the (continuous) Gaussian distribution this is not equal to the standard
+ // deviation of the noise.
+ // sensitivity: the sensitivity of function f. (i.e. the maximum absolute
+ // change in f when an input to a single user changes.)
+ // estimate_type: kPessimistic denoting that the rounding is done in such a
+ // way that the resulting epsilon-hockey stick divergence computation gives
+ // an upper estimate to the real value.
+ // discretization_interval: the length of the dicretization interval for the
+ // privacy loss distribution. The values will be rounded up/down to be
+ // integer multiples of this number.
+ // mass_truncation_bound: the natural log of the probability mass that might
+ // be discarded from the noise distribution. The larger this number, the
+ // more error it may introduce in divergence calculations.
+ // truncation_bound: bound for truncating the noise, i.e. the noise will only
+ // have a support in [-truncation_bound, truncation_bound]. When not set,
+ // truncation_bound will be chosen in such a way that the mass of the noise
+ // outside of this range is at most 1e-30.
+ static base::StatusOr<std::unique_ptr<PrivacyLossDistribution>>
+ CreateForDiscreteGaussianMechanism(
+ double sigma, int sensitivity = 1,
+ EstimateType estimate_type = EstimateType::kPessimistic,
+ double discretization_interval = 1e-4,
+ absl::optional<int> truncation_bound = absl::nullopt);
+
  // Creates {@link PrivacyLossDistribution} from epsilon and delta parameters.
  //
  // When the mechanism is (epsilon, delta)-differentially private, the