Seminario AGCO

Victor Sanches Portella

October, 2025

ime.usp.br/~victorsp

for lower bounds in Differential Privacy

Fingerprinting Techniques

and a New Fingerprinting Lemma

Who am I?

Postdoc at USP - Brazil

ML Theory

Optimization

Randomized Algs

Optimization

p_t
1 - p_t

My interests according to a student:

"Crazy Algorithms"

Privacy? Why, What, and How

What do we mean by "privacy" in this case?

Informal Goal: Output should not reveal (too much) about any single individual

Different from security breaches (e.g., server invasion)

Output

Data Analysis

Trivial if output does not need to have information about the population

Real-life example - Netflix Dataset

Take Away from Examples

Privacy is quite delicate to get right

Hard to take into account side information

"Anonymization" is hard to define and implement properly

Different use cases require different levels of protection

Differential Privacy

Anything learned with an individual in the dataset

can (likely) be learned without

\displaystyle \mathcal{M}
\displaystyle \mathcal{M}

Indistinguishible

Differential Privacy (Formally)

\forall S

Any pair of neighboring datasets: they differ in one entry

\(\mathcal{M}\) is \((\varepsilon, \delta)\)-Differentially Private if

\mathbb{P}(\mathcal{M}(X) \in S) \leq e^{\varepsilon} \cdot \mathbb{P}(\mathcal{M}(X') \in S) + \delta

Definition:

\forall S

\((\varepsilon, \delta)\)-DP

\(\varepsilon \equiv \)  "Privacy leakage", constant (in theory \(\leq 1\))

\(\delta \equiv \)  "Chance of catastrophic privacy leakage"

                     usually \(\ll 1/|X|\)

\displaystyle \Bigg \{

Definition is a bit cryptic, but implies limit on power of hypothesis test of an adversary

\(\mathcal{M}\) needs to be randomized to satisfy DP

Interpretation of DP: Hard to Hypothesis Test

\(H_0:\) Output is from \(\mathcal{M}(X)\)

\(H_1:\) Output is from \(\mathcal{M}(X')\)

Some Advantages of Differential Privacy

Worst case: No assumptions on the adversary

Composable: DP guarantees compose nicely

Loose!

\mathcal{M}_1
\mathcal{M}_2

\((\varepsilon_1, \delta_1)\)-DP

\((\varepsilon_2, \delta_2)\)-DP

\(\implies\)

Both together are

\((\varepsilon_1 +\varepsilon_2, \delta_1 + \delta_2)\)-DP

DP and Other Areas of ML and TCS

Online Learning

Adaptive Data Analysis and Generalization in ML

Robust statistics

An Example: Computing the Mean

Goal:

 is small

\mathcal{M}

\((\varepsilon, \delta)\)-DP such that approximates the mean:

Algorithm:

\displaystyle \mathcal{M}(x) = \mathrm{Mean}(x) + Z

Gaussian or Laplace noise

X = (x_1, \dotsc, x_n)
x_i \in [-1,1]^d

with

\mathbb{E}\Big[\lVert \mathcal{M}(X) - \mathrm{Mean}(x)\rVert \Big]

Example 2: Computing the Mean of Gaussian

Goal:

 is small

\mathcal{M}

\((\varepsilon, \delta)\)-DP such that approximates the mean \(\mu\):

X = (x_1, \dotsc, x_n)
x_i \sim \mathcal{N}(\mu, 1)

with

\mathbb{E}\Big[\lVert \mathcal{M}(X) - \mu\rVert \Big]

DP guarantee is still worst-case

Accuracy is good only for Gaussian input

Lower Bounds: How many samples \(n\) do we need to get \(\alpha\) error with privacy?

Fingerprinting Codes

A Lower Bound Strategy

Assume \(\mathcal{M}\) is

accurate

Adversary can detect some \(x_i\)
with high probability

Feed to \(\mathcal{M}\) a marked input \(X\)

\((\varepsilon,\delta)\)-DP implies adversary detects \(x_i\) on \(\mathcal{M}(X')\) with
\(X' = X - \{x_i\} + \{z\}\)

CONTRADICTION

(false positive)

Avoiding Pirated Movies via Fingerprinting

Movie may leak!

Movie Owner

Can we detect one          ?

?

Idea: Mark some of the scenes (Fingerprinting)

Fingerprinting Codes

\(d\) scenes

\(n\) copies of the movie

1 = marked scene

0 = unmarked scene

Code usually randomized

We can do with \(d = 2^n\). Can \(d\) be smaller?

Example of pirating:

\begin{pmatrix} 1 \\ 0 \\ 1 \end{pmatrix}
\begin{pmatrix} 1 \\ 1 \\ 0 \end{pmatrix}
\begin{pmatrix} 1 \\ 0 \\ 0 \end{pmatrix}

\(0\) or \(1\)

\(0\) or \(1\)

Only 1

\displaystyle \Bigg (
\displaystyle \Bigg )

Goal of fingerprinting

Given a copy, trace back one   with prob. false positive \(\ll 1/n\)
 

\begin{pmatrix} 1\\ 0 \\ 0 \\ \vdots\\ 1 \\ \end{pmatrix}
\begin{pmatrix} 1\\ 1 \\ 0 \\ \vdots\\ 1 \\ \end{pmatrix}
\begin{pmatrix} 1\\ 1 \\ 0 \\ \vdots\\ 1 \\ \end{pmatrix}
\begin{pmatrix} 0\\ 0 \\ 1 \\ \vdots\\ 0 \\ \end{pmatrix}
\cdots
\begin{pmatrix} 1\\ 0 \\ 1 \\ \vdots\\ 1 \\ \end{pmatrix}

Fingerprinting Codes for Lower Bounds

Assume \(\mathcal{M}\) is

accurate

Adversary can detect some \(x_i\)
with high probability

Feed to \(\mathcal{M}\) a marked input \(X\)

\((\varepsilon,\delta)\)-DP implies adversary detects \(x_i\) on \(\mathcal{M}(X')\) with
\(X' = X - \{x_i\} + \{z\}\)

CONTRADICTION

FP codes with \(d = \tilde{O}(n^2)\)

Output -> Pirated Movie

Breaks False Positive Guarantee

[Tardos '08]

The Good, The Bad, and The Ugly of Codes

The Ugly:

Black-box use of FP codes \(\implies\) hard to adapt to specific use cases

The Bad:

Very restricted to binary inputs

The Good:

Leads to optimal lower bounds for a variety of problems

Fingerprinting Lemmas

Fingerprinting Lemma - Mean Estimation 

\displaystyle \mathbb{E}[(\mathcal{M}(X) - \mu) \cdot (x_i - \mu)]

If \(\mathcal{M}\) is accurate (approximates \(\mu\))

is large (on average)

\displaystyle \mu
\displaystyle x_3
\displaystyle x_2
\displaystyle x_4
\displaystyle \mathcal{M}(X)
\displaystyle x_1

Not true for all \(\mathcal{M}\) if \(x_i\) and \(\mu\) are not randomized

Idea: For some distribution on the input, 

the output is highly correlated with the input

(\(\mathcal{M}\) can "memorize" the input \(X\) or the anwer \(\mu\))

"Correlation" of output \(\mathcal{M}(X)\) and input \(x_i\)

\mathbb{E}[x_i] = \mu

Fingerprinting Lemma - Picture

\displaystyle \mathbb{E}[\mathcal{A}(x_i, \mathcal{M}(X))]

If \(\mathcal{M}\) is accurate

large

\displaystyle \mathbb{E}[|\mathcal{A}(z, \mathcal{M}(X))|]

If \(z\) indep. of \(X\)

small

\mathcal{A}(z, \mathcal{M}(X)) = (\mathcal{M}(X) - \mu) \cdot (z - \mu)
\displaystyle \mu
\displaystyle \mathcal{M}(X)
\displaystyle z
\displaystyle z
\displaystyle z
\displaystyle z
\displaystyle \mu
\displaystyle x_3
\displaystyle x_2
\displaystyle x_4
\displaystyle \mathcal{M}(X)
\displaystyle x_1

Depends on distribution of \(X\) and \(\mu\)

Fingerprinting Lemmas

Idea: For some distribution on the input, 

the output is highly correlated with the input

Lemma (A 1D Fingerprinting Lemma, [Bun, Stein, Ullman '16])

\(\mu \sim \mathrm{Unif}(\{-1,1\})\)

\(x_1, \dotsc, x_n \in \{\pm 1\}\) with \(\mathbb{E}[x_i] = \mu\)

\displaystyle \mathbb{E}\Big [\sum_{i = 1}^n (\mathcal{M}(X) - \mu) \cdot (x_i - \mu) \Big ] \geq \frac{1}{10}

"Correlation" between \(x_i\) and \(\mathcal{M}(X)\)

\(\mathcal{A}(x_i, \mathcal{M}(X))\)

If \(\mathcal{M}\) estimates \(\mu\) well,

From 1D Lemma to a Code(-Like) Object

Fingerprinting Lemma leads to a kind of fingerprinting code

Bonus: quite transparent and easy to describe

Key Idea: Make \(d = \tilde{O}(n^2)\) independent copies

\(\mu \sim \mathrm{Unif}(\{-1,1\})^d\) a random vector

\(x_1, \dotsc, x_n \in \{\pm 1\}^d\) such that \(\mathbb{E}[x_i] = \mu\)

\displaystyle \mathbb{P}\Big [\sum_{i = 1}^n \mathcal{A}(x_i, \mathcal{M}(X)) \leq d/20 \Big ] \leq \frac{1}{n^3}

for \(d = \Omega(n^2 \log n)\)

Insight: we do not need to go back to codes to get lower bounds

From Lemma to Lower Bounds

\displaystyle \mathbb{E}\Big [\sum_{i = 1}^n \mathcal{A}(x_i, \mathcal{M}(X)) \rangle \Big ] \gtrsim d
\displaystyle \mathbb{E}\Big [\sum_{i = 1}^n \mathcal{A}(x_i, \mathcal{M}(X)) \Big ] \lesssim n \varepsilon \cdot \sqrt{\mathbb{E}[{\lVert\mathcal{M}(X) - p\rVert_2^2}]}
\displaystyle \mathbb{E}[ \mathcal{A}(x_i, \mathcal{M}(X))] \approx \mathbb{E}[\mathcal{A}(x_i, \mathcal{M}(X_{-i}))]
\displaystyle \implies\frac{d}{n} \lesssim \sqrt{\mathbb{E}[{\lVert\mathcal{M}(X) - p\rVert_2^2}]}

If \(\mathcal{M}\) is accurate, correlation is high

If \(\mathcal{M}\) is \((\varepsilon, \delta)\)-DP, correlation is low

Independence of coordinates of \(\mu\) helps a lot here

Lower Bound to Distribution Estimation

Different from codes, structure of input is clear in FP Lemmas

\(\mu \sim \mathrm{Unif}(\{-1,1\})^d\) a random vector

\(x_1, \dotsc, x_n \in \{\pm 1\}^d\) such that \(\mathbb{E}[x_i] = \mu\)

Implies lower bounds for Radamacher inputs (easier than worst-case)

We can adapt to other settings!

Example:

\(\mu \sim \mathcal{N}(0, I_{d \times d})\) a random vector

\(x_1, \dotsc, x_n \in \mathcal{N}(\mu, I_{d \times d})\)

Lower Bounds for Gaussian

Covariance Matrix Estimation

Work done in collaboration with Nick Harvey

Privately Estimating a Covariance Matrix

\displaystyle x_1, x_2, \dotsc, x_n \sim \mathcal{N}(0, \Sigma)
\displaystyle \Sigma \succ 0

Unknown Covariance Matrix

\displaystyle X \in \mathbb{R}^{d \times n}

\((\varepsilon, \delta)\)-differentially private \(\mathcal{M}\) to estimate \(\Sigma\)

on \(\mathbb{R}^d\)

Goal:

Required even without privacy

Required even for \(d = 1\)

Is this tight?

Exists \((\varepsilon, \delta)\)-DP  \(\mathcal{M}\) such that

\displaystyle n = \tilde O\Big(\frac{d^2}{\alpha^2} + \frac{\log(1/\delta)}{\varepsilon} + \frac{d^2}{\alpha \varepsilon}\Big)
\displaystyle \mathbb{E}[\lVert\mathcal{M}(X) - \Sigma\rVert_F^2] \leq \alpha^2

samples

Known algorithmic results

with

Our Results - New Lower Bounds

Theorem

For any \((\varepsilon, \delta)\)-DP algorithm \(\mathcal{M}\) such that

\displaystyle \mathbb{E}\big[\lVert\mathcal{M}(X) - \Sigma\rVert_F^2\big] \leq \alpha^2 = O(d)

and

\displaystyle \delta = O\Big( \frac{1}{n \ln n}\Big)

we have

\displaystyle n = \Omega\Big(\frac{d^2}{\alpha\varepsilon}\Big)

Above 1/n, DP may not be meaningful

Previous                   

\displaystyle n = \Omega\big(\tfrac{d^2}{\alpha\varepsilon}\big)

Lower Bounds

\displaystyle \tilde{O}(\tfrac{1}{n})
\displaystyle \delta
\displaystyle O(1)
\displaystyle O(d)

Accuracy  \(\alpha^2\)

New Fingerprinting Lemma using

Stokes' Theorem

Follow up:

LBs for other problems

[Lyu & Talwar ´25]

Roadblocks to Fingerprinting Lemmas

\displaystyle x_1, x_2, \dotsc, x_n \sim \mathcal{N}(0, \Sigma)
\displaystyle \Sigma \succ 0

Unknown Covariance Matrix

on \(\mathbb{R}^d\)

To get a Fingerprinting Lemma, we need random \(\Sigma\)

How can we make \(\Sigma\) random, \(\succeq 0\), and with independent entries?

[Kamath, Mouzakis, Singhal '22]

Diagonally dominant matrices

Problem: 0 matrix has error \(O(1)\)

\mathbb{E}[\lVert \mathcal{M}(X) - 0 \rVert_F^2 ] = O(1)

Can't lower bound accuracy of algorithms with \(\omega(1)\) error

Diagonal

= \frac{3}{4} \pm \frac{1}{4d}

Off-diagonal

= \pm \frac{1}{2d}

How to avoid independent entries?

Which Distribution to Use?

Wishart Distribution

Our results use a very natural distribution:

\displaystyle \Sigma = \frac{1}{2d} \; G \; G^{T}

\(d \times 2d\) random Gaussian matrix

\displaystyle \succeq 0

Natural distribution over PSD matrices

Entries are highly correlated

A Different Correlation Statistic

\displaystyle \mathcal{A}(z, \mathcal{M}(X)) = \big\langle\mathcal{M}(X) - \Sigma, \mathrm{Score}(z \;|\; \Sigma))\big\rangle

Gaussian Score function

Score Attack Statistic

"Usual" choice

\displaystyle \mathcal{A}(z, \mathcal{M}(X)) = \langle\mathcal{M}(X) - \Sigma, z z^{\intercal} - \Sigma \rangle
\displaystyle zz^{\intercal}
\displaystyle \mathcal{M}(X)
\displaystyle \Sigma

[Cai et al. 2023]

\displaystyle I
\displaystyle \mathcal{M}(X)
\displaystyle zz^{\intercal}
\displaystyle \Sigma^{-1/2}
\displaystyle \Sigma^{-1/2}
\displaystyle \Sigma^{-1/2}
\displaystyle \Sigma^{-1/2}

Original paper does not handle dependent entries!

But Why this \(\mathcal{A}\)?

Key Property in 1 Dimension for Estimating Mean

\displaystyle \mathbb{E}\Big [\sum_{i = 1}^n \mathcal{A}(M(X), x_i) \Big ] = g'(\mu)
\displaystyle g(\mu) = \mathbb{E}_{X}[\mathcal{M}(X) | \mu]

If \(g(\mu) = \mu\), done!

If \(\mathcal{M}(X)\) is accurate, we should have \(g(\mu) \approx \mu\)

Key Property in d Dimensions

\displaystyle \mathbb{E}\Big [\sum_{i = 1}^n \mathcal{A}(M(X), x_i) \Big ] =
\displaystyle \sum_{i,j }\frac{\partial}{\partial\Sigma_{ij}} \; g(\Sigma)_{ij}
\displaystyle g(\Sigma) = \mathbb{E}_{X}[\mathcal{M}(X) | \Sigma]

Divergence of \(g\)

Final Ingredient: Stein's identity

Key Step in 1D:

Stein's Identity

\displaystyle \mathbb{E}[g'(\mu)] = \mathbb{E}[g(\mu) \mu]

for \(\mu \sim \mathcal{N}(0, 1/2)\)

Something similar holds for \(\mu\) uniform

Follows from Integration by Parts

\displaystyle \mathbb{E}\Big[ \sum_{i,j }\partial_{ij} \; g(\Sigma)_{ij}\Big]

Going to High Dimensions

Integration by Parts in High Dimensions

Stokes' Theorem

\(\Sigma \sim\) Wishart leads to elegant analysis

Stein-Haff Identity

Takeaways

Differential Privacy is a mathematically formal definition of private algorithms

Interesting connections to other areas of theory

Fingerprinting Codes lead to many optimal lower bounds for DP

Fingerprinting Lemmas are more versatile for lower bounds and can be adapted to other settings

New Fingerprinting Lemma escaping the need to bootstrap a 1D result to higher dimensions with independent copies

Thanks!

Seminario AGCO

for Lower Bounds

Differential Privacy

An Introduction to

Fingerprinting Techniques

and

Victor Sanches Portella

October, 2025

ime.usp.br/~victorsp

Real-life example - NY Taxi Dataset

Summary: License plates were anonymized using MD5

Easy to de-anonymize due to lincense plate structure

By Vijay Pandurangan
https://www.vijayp.ca/articles/blog/2014-06-21_on-taxis-and-rainbows--f6bc289679a1.html

An Example: Computing the Mean

\mathbb{E}\Big[\lVert \mathcal{M}(X) - \mathrm{Mean}(x)\rVert \Big]

Goal:

 is small

\mathcal{M}

\((\varepsilon, \delta)\)-DP such that approximates the mean:

Algorithm:

\displaystyle \mathcal{M}(x) = \mathrm{Mean}(x) + Z

Gaussian or Laplace noise

X = (x_1, \dotsc, x_n)
x_i \in [-1,1]^d

with

OPTIMAL?

Theorem

\(Z \sim \mathcal{N}(0, \sigma^2 I)\) with

\sigma \approx \frac{d}{n} \frac{\sqrt{\ln(1/\delta)}}{\varepsilon}

\(\mathcal{M}\) is \((\varepsilon, \delta)\)-DP and

\mathbb{E}\Big[\lVert \mathcal{M}(X) - \mathrm{Mean}(x)\rVert_2\Big] \leq \sigma \approx \frac{d}{n} \frac{\sqrt{\ln(1/\delta)}}{\varepsilon}