Supporting Elements =================== This section builds on the :ref:`core-structures` documentation to expand on the constituent pieces of Measurements and Transformations. .. _functions: Function -------- As one would expect, all data processing is handled via a function. The function member stored in a Transformation or Measurement struct is straightforward representation of an idealized mathematical function. A mathematical function associates each value in some input set with some value in the output set (or a distribution over such values, in the case of a randomized function). In OpenDP, we capture these sets with domains... .. _domains: Domain ------ A domain describes the set of all possible input values of a function, or all possible output values of a function. Transformations have both an ``input_domain`` and ``output_domain``, while measurements only have an ``input_domain``. A commonly-used domain is ``atom_domain(T)``, which describes the set of all possible non-null values of type ``T``. The following example creates a domain consisting of all possible non-null 64-bit floats, and checks that 1.0 is a member of the domain, but NaN is not. .. doctest:: >>> import opendp.prelude as dp >>> f64_atom_domain = dp.atom_domain(T=float) # float defaults to f64, a double-precision 64-bit float >>> assert f64_atom_domain.member(1.0) >>> assert not f64_atom_domain.member(float('nan')) Similarly, ``atom_domain(T=u8)`` consists of all possible non-null unsigned 8-bit integers: ``{0, 1, 2, 3, ..., 127}``, and ``atom_domain(bounds=(-2, 2))`` consists of all possible 32-bit signed integers bounded between -2 and 2: ``{-2, -1, 0, 1, 2}``. .. doctest:: >>> i32_bounded_domain = dp.atom_domain(bounds=(-2, 2)) # int defaults to i32, a 32-bit signed integer >>> assert i32_bounded_domain.member(-2) >>> assert not i32_bounded_domain.member(3) Domains may also be used to construct higher-level domains. For instance, ``vector_domain(atom_domain(T=bool))`` describes the set of all boolean vectors: ``{[], [True], [False], [True, True], [True, False], ...}``. .. doctest:: >>> bool_vector_domain = dp.vector_domain(dp.atom_domain(T=bool)) >>> assert bool_vector_domain.member([]) >>> assert bool_vector_domain.member([True, False]) ``vector_domain(atom_domain(T=bool), size=2)`` describes the set of boolean vectors of size 2: ``{[True, True], [True, False], [False, True], [False, False]}``. .. doctest:: >>> bool_vector_2_domain = dp.vector_domain(dp.atom_domain(T=bool), size=2) >>> assert bool_vector_2_domain.member([True, True]) >>> assert not bool_vector_2_domain.member([True, True, True]) Let's look at the Transformation returned from :py:func:`make_sum() `. .. doctest:: >>> dp.enable_features('contrib') >>> bounded_sum = dp.t.make_sum( ... input_domain=dp.vector_domain(dp.atom_domain(bounds=(0, 1))), ... input_metric=dp.symmetric_distance(), ... ) >>> bounded_sum.input_domain VectorDomain(AtomDomain(bounds=[0, 1], T=i32)) We see that the input domain is the same as we passed in: "the set of all vectors of 32-bit signed integers bounded between 0 and 1." .. doctest:: >>> bounded_sum.output_domain AtomDomain(T=i32) The output domain is "the set of all 32-bit signed integers." These domains serve two purposes: #. The stability map or privacy map depends on the input domain in its proof to restrict the set of neighboring datasets or distributions. An example is the relation for :py:func:`opendp.transformations.make_sum`, which may make use of a size descriptor in the vector domain to more tightly bound the sensitivity. #. Combinators also use domains to ensure that the output is well-defined. For instance, chainer constructors check that intermediate domains are equivalent to guarantee that the output of the first function is always a valid input to the second function. .. _metrics: Metric ------ A metric is a function that computes the distance between two elements of a domain. Transformations have both an ``input_metric`` and ``output_metric``, while measurements only have an ``input_metric``. .. _symmetric-distance: A concrete example of a metric in opendp is ``SymmetricDistance``, or "the symmetric distance metric ``|A △ B| = |(A\B) ∪ (B\A)|``." This is used to count the fewest number of additions or removals to convert one dataset ``A`` into another dataset ``B``. .. _absolute-distance: Each metric is bundled together with a domain, and ``A`` and ``B`` are members of that domain. Since the symmetric distance metric is often paired with a ``VectorDomain``, ``A`` and ``B`` are often vectors. If we had a dataset where each user can influence at most k records, we would say that the symmetric distance is bounded by `k`, so ``d_in=k`` (where ``d_in`` denotes an upper bound on the distance between adjacent inputs). Another example metric is ``AbsoluteDistance``. This can be read as "the absolute distance metric ``|A - B|``, where distances are expressed in 64-bit floats." This metric is used to represent global sensitivities (an upper bound on how much an aggregated value can change if you were to perturb an individual in the original dataset). In practice, you may not have a need to provide global sensitivities to stability/privacy maps, because they are a midway distance bound encountered while relating dataset distances and privacy distances. However, there are situations where constructors accept a metric for specifying the metric for sensitivities. .. _measures: Measure ------- In OpenDP, a measure is a function for measuring the distance between probability distributions. Transformations don't make use of a measure, but measurements do have an ``output_measure``. .. _max-divergence: A concrete example is ``MaxDivergence``, read as "the max divergence metric where numbers are expressed in terms of 64-bit floats." The max divergence measure has distances that correspond to ``epsilon`` in the definition of pure differential privacy. .. _smoothed-max-divergence: Another example is ``SmoothedMaxDivergence``. The smoothed max divergence measure corresponds to approximate differential privacy, where distances are ``(epsilon, delta)`` tuples. Every Measurement (:ref:`see listing `) contains an output_measure, and compositors are always typed by a Measure. .. _maps: Stability/Privacy Map --- A map is a function that takes some ``d_in`` and returns a ``d_out`` that is (``d_in``, ``d_out``)-close. ``d_in`` is a distance in terms of the input metric, and ``d_out`` is a distance in terms of the output metric or measure. Refer to :ref:`distances` below for more details on what ``d_in`` and ``d_out`` are. If a measurement is (``d_in``, ``d_out``)-close, then the output is ``d_out``-DP when the input may change by at most ``d_in``. If a transformation is (``d_in``, ``d_out``)-close, then the output can change by at most ``d_out`` when the input may change by at most ``d_in``. The ``d_out`` returned is not necessarily the smallest value that is still "close", but every effort is made to make it as small as provably possible. Maps are a useful tool to find stability or privacy properties directly. Putting this to practice, the following example invokes the stability map on a clamp transformation. .. testsetup:: from opendp.mod import enable_features enable_features('contrib') .. doctest:: >>> from opendp.transformations import make_clamp >>> from opendp.domains import vector_domain, atom_domain >>> from opendp.metrics import symmetric_distance ... >>> clamper = make_clamp(vector_domain(atom_domain(T=int)), symmetric_distance(), bounds=(1, 10)) ... >>> # The maximum number of records that any one individual may influence in your dataset >>> in_symmetric_distance = 3 >>> # clamp is a 1-stable transformation, so this should pass for any symmetric_distance >= 3 >>> clamper.map(d_in=in_symmetric_distance) 3 There is also a relation check predicate function that simply compares the output of the map with ``d_out`` as follows: ``d_out >= map(d_in)``. .. doctest:: >>> # reusing the prior clamp transformation >>> assert clamper.check(d_in=3, d_out=3) This should be sufficient to make use of the library, but a more mathematical treatment may help give a more thorough understanding. Consider ``d_X`` the input metric, ``d_Y`` the output metric or measure, and ``f`` the function in the Transformation or Measurement. If the relation check passes, then it tells you that, for all ``x``, ``x'`` in the input domain: * if ``d_X(x, x') <= d_in`` (if neighboring datasets are at most ``d_in``-close) * then ``d_Y(f(x), f(x')) <= d_out`` (then the distance between function outputs is no greater than ``d_out``) Notice that if the relation passes at ``d_out``, it will pass for any value greater than ``d_out`` (so long as the relation doesn't throw an error due to numerical overflow). The usefulness of this property is shown in the :ref:`parameter-search` section. .. _distances: Distance -------- You can determine what units ``d_in`` and ``d_out`` are expressed in based on the ``input_metric``, and ``output_metric`` or ``output_measure``. Follow the links into the example metrics and measures to get more detail on what the distances mean for that kind of metric or measure. On Transformations, the ``input_metric`` will typically be a dataset metric like :ref:`SymmetricDistance `. The ``output_metric`` will typically be either some dataset metric (on dataset transformations) or some kind of global sensitivity metric like :ref:`AbsoluteDistance ` (on aggregations). The ``input_metric`` of Measurements is initially only some kind of global sensitivity metric. However, once you chain the Measurement with a Transformation, the resulting Measurement will have whatever ``input_metric`` was on the Transformation. The ``output_measure`` of Measurements is some kind of privacy measure like :ref:`MaxDivergence ` or :ref:`SmoothedMaxDivergence `. In some cases, distances may not form a total order. For example, in :math:`(\epsilon, \delta)`-DP, :math:`(\epsilon_1, \delta_1) = (1.5, 1e-6)` is incomparable to :math:`(\epsilon_2, \delta_2) = (1.0, 1e-7)`, so neither :math:`(\epsilon_1, \delta_1) \ge (\epsilon_2, \delta_2)` nor :math:`(\epsilon_2, \delta_2) \ge (\epsilon_1, \delta_1)` holds. However, :math:`(1.5, 1e-6) \ge (1.0, 1e-6)` would still hold, as both elements compare greater than or equal. It is critical that you choose the correct ``d_in`` for the relation, whereas you can use :ref:`binary search utilities ` to find the tightest ``d_out``. Practically speaking, the smaller the ``d_out``, the tighter your analysis will be. You might find it surprising that metrics and measures are never actually evaluated! The framework does not evaluate these because it only needs to relate a user-provided input distance to another user-provided output distance. Even the user should not directly compute input and output distances: they are :ref:`solved-for `, :ref:`bisected `, or even :ref:`contextual `. Be careful: even a dataset query to determine the greatest number of contributions made by any one individual can itself be private information.