Transformations#
This section gives a high-level overview of the transformations that are available in the library. Refer to the Transformation section for an explanation of what a transformation is.
As covered in the Chaining section, the intermediate domains need to match when chaining. Each transformation has a carefully chosen input domain and output domain that supports their relation.
Note
If you pass information collected directly from the dataset into constructors, the privacy budget will be underestimated. Constructor arguments should be either:
Public information, like information from a codebook or prior domain expertise
Other DP releases on the data
Preprocessing is the series of transformations that shape the data into a domain that is conformable with the aggregator.
You will need to choose the proper transformations from the sections below in order to chain with the aggregator you intend to use. The sections below are in the order you would typically chain transformations together, but you may want to peek at the aggregator section at the end first, to identify the input domain that you’ll need to preprocess to.
Dataframe#
These transformations are for loading data into a dataframe and retrieving columns from a dataframe.
If you just want to load data from a CSV or TSV into a dataframe,
you’ll probably want to use opendp.transformations.make_split_dataframe()
.
Use opendp.transformations.make_select_column()
to retrieve a column from the dataframe.
The other dataframe transformations are more situational.
Be warned that it is not currently possible to directly load and unload dataframes from the library in bindings languages!
You need to chain with make_select_column
first.
Preprocessor |
Input Domain |
Output Domain |
Input/Output Metric |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Dataframe Subsetting#
It can be useful to subset to data that meets a certain condition.
The library contains some transformations that can be used to create a predicate column,
and opendp.transformations.make_subset_by()
to filter by the predicate column.
Preprocessor |
Input Domain |
Output Domain |
Input/Output Metric |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
Casting#
Any time you want to convert between data types, you’ll want to use a casting transformation. In particular, in pipelines that load dataframes from CSV files, it is very common to cast from Strings to some other type.
Depending on the caster you choose, the output data may be null and you will be required to chain with an imputer.
Caster |
Input Domain |
Output Domain |
Input/Output Metric |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Imputation#
Null values are tricky to handle in a differentially private manner. If we were to allow aggregations to propagate null, then aggregations provide a non-differentially-private bit revealing the existence of nullity in the dataset. If we were to implicitly drop nulls from sized aggregations, then the sensitivity of non-null individuals is underestimated. Therefore, aggregators must be fed completely non-null data. We can ensure data is non-null by imputing.
When you cast with opendp.transformations.make_cast()
or opendp.transformations.make_cast_default()
,
the cast may fail, so the output domain may include null values (OptionNullDomain
and InherentNullDomain
).
We have provided imputation transformations to transform the data domain to the non-null VectorDomain<AllDomain<TA>>
.
You may also be in a situation where you want to bypass dataframe loading and casting because you already have a vector of floats loaded into memory. In this case, you should start your chain with an imputer if the floats are potentially null.
- OptionNullDomain:
A representation of nulls using an Option type (
Option<bool>
,Option<i32>
, etc).- InherentNullDomain:
A representation of nulls using the data type itself (
f32
andf64
).
The opendp.transformations.make_impute_constant()
transformation supports imputing on either of these representations of nullity,
so long as you pass the DA (atomic domain) type argument.
Imputer |
Input Domain |
Output Domain |
Input/Output Metric |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Indexing#
Indexing operations provide a way to relabel categorical data, or bin numeric data into categorical data.
These operations work with usize data types: an integral data type representing an index.
opendp.transformations.make_find()
finds the index of each input datum in a set of categories.
In other words, it transforms a categorical data vector to a vector of numeric indices.
>>> finder = (
... make_find(categories=["A", "B", "C"]) >>
... # impute any input datum that are not a part of the categories list as 3
... make_impute_constant(3, DIA=OptionNullDomain[AllDomain["usize"]])
... )
>>> finder(["A", "B", "C", "A", "D"])
[0, 1, 2, 0, 3]
opendp.transformations.make_find_bin()
is a binning operation that transforms numerical input data to a vector of bin indices.
>>> binner = make_find_bin(edges=[1., 2., 10.])
>>> binner([0., 1., 3., 15.])
[0, 1, 2, 3]
opendp.transformations.make_index()
uses each indicial input datum as an index into a category set.
>>> indexer = make_index(categories=["A", "B", "C"], null="D")
>>> indexer([0, 1, 2, 3, 2342])
['A', 'B', 'C', 'D', 'D']
You can use combinations of the indicial transformers to map hashable data to integers, bin numeric types, relabel hashable types, and label bins.
Indexer |
Input Domain |
Output Domain |
Input/Output Metric |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
Clamping#
Many aggregators depend on bounded data to limit the influence that perturbing an individual may have on a query.
For example, the relation downstream for the opendp.transformations.make_bounded_sum()
aggregator is d_out >= d_in * max(|L|, |U|)
.
This relation states that adding or removing d_in
records may influence the sum by d_in
* the greatest magnitude of a record.
Any aggregator that needs bounded data will indicate it in the function name.
In these kinds of aggregators the relations make use of the clamping bounds L
and U
to translate d_in
to d_out
.
Clamping happens after casting and imputation but before resizing. Only chain with a clamp transformation if the aggregator you intend to use needs bounded data.
Clamper |
Input Domain |
Output Domain |
Input/Output Metric |
---|---|---|---|
|
|
|
|
|
|
|
Dataset Ordering#
Most dataset-to-dataset transformations are not sensitive to the order of elements within the dataset. This includes all row-by-row transformations. These transformations that are not sensitive to operate with SymmetricDistances.
Transformations that are sensitive to the order of elements in the dataset use the InsertDeleteDistance metric instead. It is common for aggregators to be sensitive to the dataset ordering.
The following transformations are used to relate dataset metrics that are not sensitive to ordering (SymmetricDistance
and ChangeOneDistance
)
to metrics that are sensitive to ordering (InsertDeleteDistance
and HammingDistance
respectively).
Take note that there are separate constructors for metric casts on sized vs unsized datasets.
Caster |
Input/Output Domain |
Input Metric |
Output Metric |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Bounded Metrics#
You may be more familiar with “bounded” differential privacy, where dataset distances are expressed in terms of the number of changed rows.
Expressing dataset distances in this manner is more restrictive, as edit distances are only valid for datasets with a fixed size.
Generally speaking, if a dataset differs from a neighboring dataset by no more than k
edits, then they differ by no more than 2k
additions and removals.
We therefore write all transformations in terms of the more general “unbounded”-dp metrics SymmetricDistance
and InsertDeleteDistance
,
and provide the following constructors to convert to/from “bounded”-dp metrics ChangeOneDistance
and HammingDistance
respectively.
Caster |
Input/Output Domain |
Input Metric |
Output Metric |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resizing#
Similarly to data bounds, many aggregators depend on a known dataset size in their relation as well.
For example, the relation downstream for the opendp.transformations.make_sized_bounded_mean()
aggregator is d_out >= d_in * (U - L) / n / 2
.
Notice that any addition and removal may, in the worst case, change a record from L
to U
.
Such a substitution would influence the mean by (U - L) / n
.
Any aggregator that needs sized data will indicate it in the function name.
In these kinds of aggregators, the relations need knowledge about the dataset size n
to translate d_in
to d_out
.
Resizing happens after clamping. Only chain with a resize transformation if the aggregator you intend to use needs sized data.
At this time, there are two separate resize transforms: one that works on unbounded data, and one that works on bounded data. We intend to merge these in the future.
The input and output metrics may be configured to any combination of SymmetricDistance
and InsertDeleteDistance
.
Resizer |
Input Domain |
Output Domain |
Input/Output Metric |
---|---|---|---|
|
|
|
|
|
|
|
Aggregators#
Aggregators compute a summary statistic on individual-level data.
Aggregators that produce scalar-valued statistics have a output_metric of AbsoluteDistance[TO]
.
This output metric can be chained with most noise-addition measurements interchangeably.
However, aggregators that produce vector-valued statistics like opendp.transformations.make_count_by_categories()
provide the option to choose the output metric: L1Distance[TOA]
or L2Distance[TOA]
.
These default to L1Distance[TOA]
, which chains with L1 noise mechanisms like opendp.measurements.make_base_discrete_laplace()
and opendp.measurements.make_base_laplace()
.
If you set the output metric to L2Distance[TOA]
, you can chain with L2 mechanisms like opendp.measurements.make_base_gaussian()
.
The constructor opendp.measurements.make_count_by()
does a similar aggregation as opendp.transformations.make_count_by_categories
,
but does not need a category set (you instead chain with opendp.measurements.make_base_ptr()
, which uses the propose-test-release framework).
The make_sized_bounded_covariance
aggregator is Rust-only at this time because data loaders for data of type Vec<(T, T)>
are not implemented.
Aggregator |
Input Domain |
Output Domain |
Input Metric |
Output Metric |
---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
make_sized_bounded_covariance (Rust only) |
|
|
|
|
opendp.transformations.make_bounded_sum()
and opendp.transformations.make_sized_bounded_sum()
make a best guess as to which summation strategy to use.
Should you need it, the following constructors give greater control over the sum.
Expand Me
The following strategies are ordered by computational efficiency:
checked
can be used when the dataset size multiplied by the bounds doesn’t overflow.monotonic
can be used when the bounds share the same sign.ordered
can be used when the input metric isInsertDeleteDistance
.split
separately sums positive and negative numbers, and then adds these sums together.
All four algorithms are valid for integers, but only checked
and ordered
are available for floats.
There are separate constructors for integers and floats, because floats additionally need a dataset truncation and a slightly larger sensitivity.
The increase in float sensitivity accounts for inexact floating-point arithmetic, and is calibrated according to the length of the mantissa and underlying summation algorithm.
Floating-point summation may be further configured to either Sequential<T>
or Pairwise<T>
(default).
Sequential summation results in an O(n^2)
increase in sensitivity, while pairwise summation results only in a O(log_2(n)n))
increase.
Aggregator |
Input Domain |
Input Metric |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|