Differentially private filtering - PDF document

Uploaded by @min-jolicoeur, 2017-04-10

Presentation Transcript

348IEEETRANSACTIONSONAUTOMATICCONTROL,VOL.59,NO.2,FEBRUARY2014Consideringasintheprevioussubsectionthesensitivitylter ’soutputtoachangefromastatetrajectory toanadjacentone accordingto(11),andletting ,weseethatthechangeintheoutputoflter followsthedynamics: Hence,the -sensitivitycanbemeasuredbythe normofthetransferfunction ReplacingtheKalmanlterinTheorem5,theMSEforthere-sultingoutputperturbationmechanismguaranteeing -pri-vacyisthen .Thus,minimizingthisMSEleadsustothefollowingoptimizationproblem: Assumewithoutlossofgeneralitythat forall ,sincetheprivacyconstraintforthesignal vanishesif .Thefollowingtheoremgivesaconvexsufcientconditionintheformoflinearmatrixinequalities(LMIs)guaranteeingthatachoiceofltermatrices estheconstraintsTheorem6:Theconstraints(16)-(17),forsome aresatisedifthereexistsmatrices suchthat where .Iftheseconditionsaresatised,onecanrecoveradmissibleltermatrices where areanytwononsingularmatricessuchthat Proof:Forsimplicityofnotation,letusremovethesub- intheconstraints(16)-(17),sinceweareconsideringthedesignoftheltersindividually.Also,de Thecondition(16)issatisedifandonlyifthereexistmatrices suchthat[31] Fortheconstraint(17),rstnotethatwehaveequalityofthetransferfunctions foranymatrix ,inparticularfor thezeromatrixofthesamedimensionsas .Withthischoice,denote Thentheconstraint(17)canberewritten andissatisedifandonlyifthereexistsamatrix ,ofthesamedimensionsas ,suchthat[31] Thesufcientconditionofthetheoremisobtainedbyaddingtheconstraint andusingthechangeofvariablesuggestedin[32,p.902].Namely,assumethattherearematrices ,and satisfying(19),(20),and(21).Wepartitionthepositivedematrix anditsinverseas Notethat .De Thenwehave .Moreover LENYANDPAPPAS:DIFFERENTIALLYPRIVATEFILTERING351 Fig.5.Twodifferentiallyprivateaveragevelocityestimates:inputperturbationandcompensatingKalmanlter(top),outputperturbationandoriginalKalmanlter(bottom),for 
.Theltersareinitializedwiththesameincorrectinitialmeanvelocity(70km/h,insteadof35km/h).Theinputpertur-bationmechanismshowsbetterasymptoticperformancebutworseconvergencetime. Fig.6.Timetakenbythemechanisms,startingfromanincorrectinitialaveragevelocityestimateof70km/h,toapproachthetrueaveragevehiclevelocity(35km/hat )within10%forthersttime.Theconvergencetimeisestimatedbyaveragingover20simulationsforeachvalueof ,asillustratedonFig.5.Here driverssufcientlysoon.For ,theoutputperturbationmechanismconvergesinfewseconds,whereastheinputperturbationmechanismtakesmorethanaminutetocon-verge.Inthiscase,thehigherasymptoticRMSEofthemechanism,whichnonethelessremainsbelow2km/h,mightverywellbeacceptableinviewofthemuchimprovedconver-gencespeed.Fig.6showsthedependenceoftheconvergencetimeforthesetwomechanismsas VI.FILTERINGVENTTREAMSThissectionconsidersanapplicationscenariomotivatedbytheworkof[13]and[14].Assumenowthataninputsignalisintegervalued,i.e., forall .Suchasignalcanrecordtheoccurrencesofeventsofinterestovertime,e.g.,thenumberoftransactionsonacommercialwebsite,orthenumberofpeoplenewlyinfectedwithavirus.Asin[13],[14],twosig- areadjacentifandonlyiftheydifferbyoneatasingletime,orequivalently Themotivationforthisadjacencyrelationisthatagivenindi-vidualcontributesasingleeventtothestream,andwewanttoevent-levelprivacy[13],thatis,hidetosomeextentthepresenceorabsenceofaneventataparticulartime.Thiscouldforexamplepreventtheinferenceofindividualtransac-tionsfrompubliclyavailablecollaborativelteringoutputs,asin[5].Now,eventhoughindividualeventsshouldbehidden,wearestillinterestedinproducingapproximatelteredver-sionsoftheoriginalsignal,e.g.,aprivacy-preservingmovingaverageoftheinputtrackingthefrequencyofevents.Thepapers[13],[14]considerspecicallythedesignofaprivatecounteroraccumulator,i.e.,asystemproducinganoutputsignal with ,where 
isbinaryvalued.Notethatthissystemisunstable.Anumberofotherlterswithslowlyandmono-tonicallydecreasingimpulseresponsesareconsideredin[15],usingatechniquesimilarto[14]basedonbinarytrees.HerewedevelopcertainapproximationsofgeneralstableLTIsystemsthatpreserveevent-levelprivacy.WerstmakethefollowingLemma3:Let beaSISOLTIsystemwithimpulseresponse .Thenfortheadjacencyrelation(30)oninteger-valuedinputsignals,the sensitivityof .Inparticularfor ,wehave ,the normof Proof:Fortwoadjacentbinary-valuedsignals ,wehavethat isapositiveornegativeimpulsesignal ,andhence WecontinuetomeasuretheutilityofspecicschemesthroughoutthissectionbytheMSEbetweenthepublishedanddesiredoutputs.SimilarlytoourdiscussionattheendofSectionIII,therearetwostraightforwardmechanismsthatprovidedifferentiallyprivateapproximationsof .Onecanaddwhitenoise directlyontheinputsignal,with fortheLaplacemechanismand fortheGaussianmechanism.Oronecanaddnoiseattheoutputofthe ,with fortheLaplacemechanism fortheGaussianmechanism.FortheGaussianmechanism,oneobtainsinbothcasesanMSEequalto .FortheLaplacemechanism,itisalwaysbettertoaddthenoiseattheinput.Indeed,weobtaininthiscaseanMSEof insteadofthegreater ifthenoiseisaddedattheoutput.WenowgeneralizethesemechanismstotheapproximationsetupshownonFig.7.Thepreviousmechanismsarerecovered istheidentityoperator.Toshowthatonecan LENYANDPAPPAS:DIFFERENTIALLYPRIVATEFILTERING343 -differentiallyprivatefor ifforall suchthat ,wehave (1) ,themechanismissaidtobe -differentiallyprivate.Inwords,thisdenitionsaysthatfortwoadjacentdatasets,thedistributionsovertheoutputsofthemechanismshouldbeclose.Thechoiceoftheparameters issetbytheprivacypolicy.Typically istakentobeasmallconstant,e.g., orperhapseven .Theparameter shouldbekeptsmallasitcontrolstheprobabilityofcertainsignicantlossesofprivacy,e.g.,whenazeroprobabilityeventforinput becomesaneventwithpositiveprobabilityforinput in(1).Remark1:Thedenitionofdifferentialprivacydependsontheadjacencyrelation .However,weoftenomittomentionitwhen 
isclearfromthecontext.Denition1alsodependsonthechoiceof -algebra .Whenweneedtostatethis -al-gebraexplicitly,wewrite .Inparticular,this -algebrashouldbesufcientlylarge,since(1)istriviallyedbyanymechanismif Thenextlemmaprovidesalternativetechnicalcharacteriza-tionsofdifferentialprivacyandappearstobepartiallynew.First,weintroducesomenotation.Wecallasignedmeasure -boundedifitsatis forall measureissometimescalledpositivemeasureforemphasis.For ameasurablespace,wedenoteby thespaceofboundedreal-valuedmeasurablefunctionson andwede for apositivemeasureon Lemma1:Let ,and amechanism,where isaspaceequippedwithanadjacencyrelation .Thefollowingareequivalent: -differentiallyprivate,satisfying(1).Forall suchthat ,thereexistsa -boundedpositivemeasure suchthatwehave,forall (2)Forall suchthat ,thereexistsa -boundedpositivemeasure suchthatforall ,wehave (3)Proof: Supposethat -differentiallypri-vate.Denethesignedmeasure .Bythedenition(1), -bounded.Let bethepositivevariationof ,forall .Then isapositivemeasure[24,Th.5.6.1],and -boundedsince is.Since forall ,wehave(2). beaboundon .Forany wedividetheinterval into consecutiveintervals oflength ,andwelet bethemid-pointoftheinterval .Then(c)holdsforthesimplefunction ,andthesefunctionsapproximate .Weconcludeusingthedominatedconvergencetheorem. Take andusethefactthat -bounded.Finally,wementionthatforthespecialcase ,theim- isshownin[25]. 
Afundamentalpropertyofthenotionofdifferentialprivacyisthatnoadditionalprivacylosscanoccurbysimplymanipulatinganoutputthatisdifferentiallyprivate.Thisresultissimilarinspirittothedataprocessinginequalityfrominformationtheory[26].Tostateit,recallthataprobabilitykernelbetweentwomeasurablespaces isafunction suchthat ismeasurableforeach isaprobabilitymeasureforeach Theorem1(ResiliencetoPostprocessing):Let .Let bean -differentiallyprivatemechanism.Let beanothermecha-nism,suchthatthereexistsaprobabilitykernel verifying,forall and (4) -differentiallyprivate.Notethatin(4),thekernel isnotallowedtodependonthe .Inotherwords,thisconditionsaysthatonce isknown,thedistributionof doesnotfurtherdependon .Thetheoremsaysthatamechanism accessingadatasetonlyindirectlyviatheoutputofadifferentiallyprivatemech- cannotweakentheprivacyguarantee.Hence,post-processingcanbeusedfreelytoimprovetheofanoutput,asinSectionVIforexample,withoutworryingaboutapossiblelossofprivacy.Similarly,anadversaryprocessingadifferentiallyprivateoutputwithoutaccessingtheoriginaldatacannotweakentheguarantee.Proof:Tothebestofourknowledge,thereisnopreviousproofoftheresiliencetopostprocessingtheoremavailableforthecaseofrandomizedpostprocessingand .Let -differentiallyprivate.Wehave,fortwoadjacentelements andforany rstequalityisjustthesmoothingpropertyofconditionalexpectations,andtheinequalitycomesfrom(3)appliedtothe .Since isaprobabilitykernel,theintegralonthesecondlinedenesameasure ,whichis -boundedsince A.BasicDifferentiallyPrivateMechanismsAmechanismthatthrowsawayalltheinformationinadatasetisobviouslyprivate,butnotuseful,andingeneralonehastotradeoffprivacyforutilitywhenansweringspeciqueries.Werecallbelowtwobasicmechanismsthatcanbeusedtoanswerqueriesinadifferentiallyprivateway.Weareonlyconcernedinthissectionwithqueriesthatreturnnumer-icalanswers,i.e.,hereaqueryisamap ,wherethe 
IEEETRANSACTIONSONAUTOMATICCONTROL,VOL.59,NO.2,FEBRUARY2014341DifferentiallyPrivateFilteringJeromeLeNy,Member,IEEE,andGeorgeJ.Pappas,Fellow,IEEEAbstract—Emergingsystemssuchassmartgridsorintelli-genttransportationsystemsoftenrequireend-userapplicationstocontinuouslysendinformationtoexternaldataaggregatorsperformingmonitoringorcontroltasks.Thiscanresultinanundesirablelossofprivacyfortheusersinexchangeofthebeneprovidedbytheapplication.Motivatedbythistrend,thispaperintroducesprivacyconcernsinasystemtheoreticcontext,andaddressestheproblemofreleasinglteredsignalsthatrespecttheprivacyoftheuserdatastreams.Ourapproachrelieson 352IEEETRANSACTIONSONAUTOMATICCONTROL,VOL.59,NO.2,FEBRUARY2014 Fig.7.Differentiallyprivatelterapproximationsetup.improvetheutilityofthemechanismwiththissetup,considerthefollowingchoiceoflters .Let beacausalLTIsystemwithacausalinversedenoted ,suchthatboth haveasquaresummableimpulseresponse.Inthefollowing,weusethetermminimumphasetorefertosucha .Let .Wecallthisparticularchoiceoftersazeroforcingequalization(ZFE)mechanism.Toguarantee -differentialprivacy,thenoise ischosentobewhiteGaussianwith .TheMSEforaZFEmech-anismwithinputlter Hence,weareledtoconsiderthefollowingproblem: wheretheminimizationisovertheminimumphasetransferfunctions Theorem8:Let beSISOLTIsystemwith .Wehave,foranyminimumphasesystem Ifmoreover satisesthePaley–Wienercondition ,thislowerboundonthemean-squarederroroftheZFEmechanismcanbeattainedbysomeminimumphasesystem suchthat ,foralmostevery Proof:BytheCauchy–Schwarzinequality hencethebound.Moreover,equalityisattainedifandonlyifthereexists suchthat,foralmostevery isanonnegativefunctionontheunitcircle,andifitsatisesthePaley–Wienercondition,ithasaminimumphasespectralfactor satisfying almostev-erywhere[38,p.242],andthustheperformanceboundcanbe TheMSEobtainedforthebestZFEmechanisminTheorem8cannotbeworsethantheMSEfortheschemeaddingnoiseattheinput,andisgenerallystrictlysmaller,sincebyJensen’sinequalitywehave 
Inaddition,theMSEoftheZFEmechanismisindependentoftheinputsignal .However,betterperformancecouldbeob-tainedwithotherschemes,inparticularschemesthatexploitsomeknowledgeabouttheinputsignal.Notethatonce chosen,designing isastandardequalizationproblem[39].ThenameoftheZFEmechanismismotivatedbythechoiceoftryingtocanceltheeffectof byusingitsinverse(zeroforcingequalizer).Nonlinearcomponentscanbeveryusefulaswell.Inparticularifweaddthehypothesisthattheinputsignalisbinaryvalued,asin[13]and[14],wecanmodifythesimpleschemeaddingnoiseattheinputbyincludingadetector infrontofthesystem ,namely,for Thisexploitstheknowledgethattheinputsignalisbinaryvalued,preservesdifferentialprivacybyTheorem1,andsome-timessignicantlyimprovestheMSE,dependingonothercharacteristicsofthesignal.A.ExploitingAdditionalPublicKnowledgeTofurtherillustratetheideaofexploitingpotentiallyavail-ableadditionalknowledgeabouttheinputsignal,considerusinganMMSEestimatorfor ratherthanemploying sincethelattercansignicantlyamplifythenoiseatfrequencies issmall.Letusassumethat isalreadychosen,e.g.,accordingtoTheorem8(thischoiceisnotoptimalanymoreif isnot ).Moreover,assumethatitispubliclyknownthat iswide-sensestationarywithmeanandautocorrelationdenoted Fromthisdata,thesecond-orderstatisticsof onFig.1arealsoknown,inparticular istheimpulsesignal, aretheimpulseresponsesof and ,and .Wethen tominimizetheMSE LENYANDPAPPAS:DIFFERENTIALLYPRIVATEFILTERING347appropriatespaceofdatasets.Let denotetheglobalstateandmeasurementsignals.Assumesaythatthemechanismisrequiredtoguar-anteedifferentialprivacyforasubset ofthecoordinatesofthestatetrajectory .Lettheselectionmatrix bethediagonalmatrixwith ,and otherwise.Hence setsthecoordinatesofavector donotbelongtotheset tozero.Fixavector .Theadjacencyrelationconsideredhereis iffforsome (11) forall Inwords,twoadjacentglobalstatetrajectoriesdifferbythevaluesofasingleparticipant,say .Moreover,fordifferen-tialprivacyguaranteesweareconstrainingtherangeinenergyvariationinthesignal ofparticipant tobeatmos 
Hence,thedistributiononthereleasedresultsshouldbees-sentiallythesameifaparticipant’sstatesignalvalue atsomesinglespecictime werereplacedby ,buttheprivacyguaranteeshouldalsoholdforsmallerinstantaneousdeviationsonlongersegmentsofInthelanguageoftheprevioussections,thedatasetconsistshereofthestatetrajectories ehavethead-jacencyrelation(11)denedonthisspace,andthequeryofin-terest(i.e.,intheabsenceofprivacyconstraint)isthesignal obtainedviaKalmanltering.Notehow-evertheslightvariationduetotheadditionalconstraint:herethedataaggregatoritselfdoesnothavedirectaccesstothedata onwhichtheadjacencyrelationisdenedbutonlytothemea- .Otheradjacencyrelationscouldbeconsidered,inparticular,thesecouldbedeneddirectlyontheoutputspaceofmeasuredsignals .Finally,weaimatdesigningamechanism producingasignal oachingascloselyaspossibletheMMSEestimate ,whilemaintainingdifferentialprivacyfor(11).First,intherestofthissubsection,wefollowtheapproachofSectionIII-C,whichsimplyconsistsinperturbingtheorig-inalKalmanlterbyaddingprivacy-preservingwhiteGaussiannoisetocertainsignals.Fortheinputnoiseinjectionmecha-nism,thenoisecanbeaddedbyeachparticipantdirectlytotheirtransmittedsignal .Namely,sincefortwostatetrajectories adjacentaccordingto(11)wehave thevariationforthecorrespondingmeasuredsignalscanbeboundedasfollow Hence,differentialprivacycanbeguaranteedifparticipant addsto awhiteGaussiannoisewithcovariancematrix ,where isthedimensionof Notethatinthissensitivitycomputationthemeasurementnoise hasthesamerealizationindependentlyoftheconsideredvariationin .Withthisperturbation,thesignalstransmittedbytheparticipantsarealreadydifferentiallyprivate.More-over,incontrasttothebasicinputperturbationmechanismofSectionIII-C,thedataaggregatorherecanmodifytheoriginallters byviewingtheprivacy-preservingnoiseasadditionalmeasurementnoiseandimprovetheasymptoticestimationperformance,seeSectionV.Next,considertheoutputnoiseinjectionmechanism.Sinceweassumethat ispublicinformation,theinitialcondition 
ofeachstateestimatorisxed.Considernowtwostatetra- ,adjacentaccordingto(11),andlet bethecorrespondingestimatesproducedbytheKalmanlters.Wehave isthe normofthetransferfunction .Thuswehavethefollowingthe-orem.Theorem5:Let .Amechanismreleasing ,where isastandardwhiteGaussiannoiseindependentof ,and ,with normof ,is -differentiallyprivatefortheadjacencyrelation(11).B.FilterRedesignforStableSystemsIntherestofSectionIV,weaimatimprovingtheoutputper-turbationmechanismofTheorem5,byredesigningtheltertooptimizetheoverallMSEperformance.ThisMSEiscontrolledbothbythedynamicsofthelteraswellastheamountofpri-vacy-preservingnoiseintroducedattheoutput,whichisafunc-tionofthe normofthelter.Hence,wepursuethedesignofalterthatbalancesqualityofestimationandsizeofits norm.Weconsiderthedesignof ltersoftheform (13) ,where arematricestodetermine.Theoverallsysteminfrontoftheprivacy-preservingnoisesourceproducestheestimate ofthesignal Assumerstinthissectionthatthesystemmatrices stable,inwhichcasewealsorestricttheltermatrices bestable.Moreover,weonlyconsiderthedesignoffullorderlters,i.e.,thedimensionsof aregreaterorequaltothose ,forall Denotetheoverallstateforeachsystemandassociatedlter .Thecombineddynamicsfrom totheestimationerror canbewritten Thesteady-stateMSEforthe estimatoristhen .Letusnowconsidertheadditionalimpactoftheprivacy-preservingnoiseontheoverallMSE. 
LENYANDPAPPAS:DIFFERENTIALLYPRIVATEFILTERING349 Similarly, , .Let .Considerrstthecongru-encetransformations•oftherstLMIin(19)by andthenby •ofthesecondLMIin(19)by ,andthenby •andoftheLMI(20)by ,andthenby Then,thetransformation , ,betweentheltermatrixvariables andthenewvariables leadstotheLMIsofthetheorem.HencetheseLMIsarenecessarilysatisediftheconstraints(19),(20)areedtogetherwith(21).NowsupposethattheLMIsofthetheoremaresatised.Since ,wecande .Moreover,since ,wehave bytakingtheSchurcomplement,andso isnonsingular.Hence,wecanndtwo nonsin-gularmatrices suchthat .Thendethenonsingularmatrices asin(22),let ,andnethematrices asin(18).Since isnonsin-gular,wecanthenreversethecongruencetransformationstorecover(19),(20),whichshowsthattheconstraints(16),(17)aresatis Remark2:Notethattheproblem(15)isalsolinearin ThesevariablescanthenbeminimizedsubjecttotheLMIcon-straintsofTheorem6inordertodesignagoodltertradingoffestimationerrorand -sensitivitytominimizetheoverallMSE.However,includingthesevariablesdirectlyintheoptimizationproblemcanleadtoill-conditioningintheinversionofthema-trices in(18),aphenomenondiscussedtogetherwitharecommendedxin[32,p.903].Inaddition,minimizingtheobjective(15)subjecttotheLMIconstraintsisdifferentfromsolving(15)–(17),duetotheconservativenessoftheconditionsinTheorem6.Asinmixed problems,onecouldcon-sidermorecomplexalgorithmstoreducethisconservativeness[33].Considernow,insteadof(15),theobjective wheretheparameter ,subjecttotheLMIsofTheorem6.Bysetting ,werecoverexactlythelter.Hencebyperformingaone-dimensionalsearchover wecanattempttoimprovetheoverallMSEoftheoutputmechanismoverthebasicKalmanlterdesign.C.UnstableSystemsIfthedynamics(9)arenotstable,thelinearlterdesignapproachpresentedinthepreviousparagraphisnotvalid.Tohandlethiscase,wecanfurtherrestricttheclassoflters.Asbe-foreweminimizetheestimationerrorvariancetogetherwiththesensitivitymeasuredbythe normofthelter.Startingfromthegenerallinearlterdynamics(12),(13),wecanconsiderde-signswhere isanestimateof ,andset 
that isanestimateof .Theerrordynamics thensatis Setting givesanerrordynamicsindependent andleavesthematrix astheonlyremainingdesignvariable.Notehoweverthattheresultingclassoflterscontainsthe(one-stepdelayed)Kalmanlter.Toobtainaboundederror,thereisanimplicitconstrainton shouldbestable.Now,followingthediscussionintheprevioussubsection,minimizingtheMSEwhileenforcingdifferentialprivacyleadstothefollowingoptimizationproblem: s.t. (26) Again,onecanefcientlycheckasufcientcondition,intheformoftheLMIsofthefollowingtheorem,guaranteeingthattheconstraints(25),(26)aresatised.Optimizingoverthevariables canthenbedoneusingsemideniteprogramming.Theorem7:Theconstraints(25)-(26),forsome aresatisedifthereexistsmatrices suchthat Iftheseconditionsaresatised,onecanrecoveranadmissibleltermatrix bysetting Proof:AsinTheorem(6),wesimplifythenotationbelowbyomittingthesubscript .First,fromtheerrordynamics(23),theconstraint(25)issatisedifandonlyifthereexistsapositivenitematrix suchthat[31] .Byletting ,introducingtheslackvariable ,thechangeofvariable ,andusingtheSchurcomplement,theseconditionsareequivalenttotheexistenceoftwopositivedenitematrices suchthat(27)issatised.TheLMI(28)derivedfrom(26)isstandard[31],seealso(20).AsinTheorem6,werestrictthesearchinthisLMIto LENYANDPAPPAS:DIFFERENTIALLYPRIVATEFILTERING353 Fig.8.SamplepathfortheMMSEmechanism.Forsimplicity,considerthecasewhere isrestrictedtobeanite-impulseresponselter,i.e., theorderofthelter.Thevector thesolutionoftheWiener–Hopfequations[38] ........... ... 
AccordingtoTheorem1,differentialprivacyispreservedsincethe onlyprocessesthealreadydifferentiallyprivate .Evenifthestatisticalassumptionsturnoutnottobeedby ,theprivacyguaranteestillholdsandonlyperfor-manceisimpacted.1)Example5:Fig.8illustratesthedifferentiallyprivateoutputobtainedbytheMMSEmechanismapproximatingthe ,with thebilineartransformation Theinputsignalisbinaryvaluedandtheprivacyparametersaresetto .Forthisspecicinput,theem-piricalMSEoftheZFEis5.8,comparedto4.6fortheMMSEmechanism.Thesimplerschemewithnoiseaddedattheinputisessentiallyunusable,sinceitsMSEis AddingadetectorreducesthisMSEtoabout17.B.RelatedWorkSomepaperscloselyrelatedtotheeventlteringproblemconsideredinthissectionare[13]–[15],[40].Aspreviouslymentioned,[13],[40]consideranunstablelter,theaccumu-lator.Thetechniquesemployedtherearequitedifferent,relyingessentiallyonbinarytreestokeeptrackofintermediatecalcula-tionsandreducetheamountofnoiseintroducedbytheprivacymechanism.Bolotetal.[15]extendthistechniquetothediffer-entiallyprivateapproximationofcertainlterswithmonotonic,slowlydecayingimpulseresponse.Infact,thistechniquecanbeextendedtogenerallinearsystemsbyusingastate-spacereal-izationandkeepingtrackofthesystemstateatcarefullychosentimesinabinarytree.However,theusefulnessofthisapproachseemstobelimitedformostpracticalstablelters,theresultingMSEbeingtypicallytoolargeandtheimplementationoftheschemesignicantlymorecomplexthanforasimplerecursivelter.Finally,aswiththeMMSEestimationmechanism,onecantrytouseadditionalinformationabouttheinputsignalstocali-bratetheamountofnoiseintroducedbytheprivacymechanism.Forexample,ifthereexistsasparserepresentationofthesignalinsomebasis(suchasaFourierorawaveletbasis),thenonecantrytoperturbtherepresentationcoefcientsinthisalternatebasis.Forexample,[40]perturbsthelargestcoefcientsofthediscreteFouriertransformofthesignal.Adifcultywithsuchapproachesisthattheyaretypicallynotcausalandnotrecursive,requiringanamountofprocessingthatincreaseswithtime.VII.CONCLUSIONWehavediscussedmechanism
sforpreservingthedifferentialprivacyofindividualuserstransmittingtime-varyingsignalstoatrustedcentralserverreleasingsanitizedlteredoutputsbasedontheseinputs.DecentralizedversionsofthemechanismofSectionIIIcaninfactbeimplementedintheabsenceoftrustedserverbymeansofcryptographictechniques[40].Webelievethatresearchonprivacyissuesiscriticaltoencouragethedevel-opmentoffuturecyber-physicalsystems,whichtypicallyrelyontheusersdatatoimprovetheirefciency.Numerousdirec-tionsofstudyareopentodevelopprivacy-preservingsignalprocessingsystems,includingdesigningbetterlteringmech-anisms,andunderstandingdesigntradeoffsbetweenprivacyorsecurityandperformanceinlarge-scalecontrolsystems.CKNOWLEDGMENTTheauthorswouldliketothankA.Rothforprovidingvalu-ableinsightintothenotionofdifferentialprivacy.EFERENCES[1]J.LeNyandG.J.Pappas,“DifferentiallyprivateKalmanltering,”Proc.50thAnnu.AllertonConf.Commun.,Control,Comput.,Oct.2012,pp.1618–1625.[2]J.LeNyandG.J.Pappas,“Differentiallyprivateltering,”inProc.Conf.DecisionControl,Maui,HI,USA,Dec.2012.[3]G.W.Hart,“Nonintrusiveapplianceloadmonitoring,”Proc.IEEEvol.80,no.12,pp.1870–1891,Dec.1992.[4]A.NarayananandV.Shmatikov,“Robustde-anonymizationoflargesparsedatasets(howtobreakanonymityoftheNetixPrizedataset),”Proc.IEEESymp.SecurityandPrivacy,2008,pp.111–125.[5]J.A.Calandrino,A.Kilzer,A.Narayanan,E.W.Felten,andV.Shmatikov,““youmightalsolike”:Privacyrisksofcollaborativeltering,”inProc.IEEESymp.SecurityPrivacy,Berkeley,CA,USA,May2011,pp.231–246.[6]B.Hoh,T.Iwuchukwu,Q.Jacobson,M.Gruteser,A.Bayen,J.-C.Her-rera,R.Herring,D.Work,M.Annavaram,andJ.Ban,“Enhancingpri-vacyandaccuracyinprobevehiclebasedtrafcmonitoringviavirtualtriplines,”IEEETrans.MobileComput.,vol.11,no.5,pp.849–864,May2012. 
342IEEETRANSACTIONSONAUTOMATICCONTROL,VOL.59,NO.2,FEBRUARY2014thusasinglevector,buttheupdatemechanismsubjecttopri-vacyattacksisdynamic.Information-theoreticapproacheshavealsobeenproposedtoguaranteesomelevelofprivacywhenre-leasingtimeseries[17],[18].However,theresultingprivacyguaranteesonlyholdifthestatisticsoftheparticipants’datastreamsobeytheassumptionsmade(typicallystationarity,de-pendenceanddistributionalassumptions),andrequiretheex-plicitstatisticalmodelingofallavailablesideinformation.Thistaskisverydifcultingeneralasnewsideinformationcanbe-comeavailableafterreleasingtheresults.Incontrast,differen-tialprivacyisaworst-casenotionthatholdsindependentlyofanyprobabilisticassumptiononthedataset,andprovidesguar-antees(differentfromthoseof[17],[18])againstadversarieswitharbitrarysideinformation[9].Oncesuchaprivacyguar-anteeisenforced,onecanstillleveragepotentialadditionalsta-tisticalinformationaboutthedatasettoimprovethequalityoftheoutputs.Themaincontributionofthispaperistointroduceprivacyconcernsinthecontextofsystemstheory.SectionIIprovidessometechnicalbackgroundondifferentialprivacy.WethenformulateinSectionIIItheproblemofreleasingtheoutputofadynamicalsystemwhilepreservingdifferentialprivacyforthedrivinginputs,assumedtooriginatefromdifferentparticipants.Itisshownthataccurateresultscanbepublishedforsystemswithsmallincrementalgainswithrespecttotheindividualinputchannels.TheseresultsareextendedinSectionIVtotheproblemofdesigningadifferentiallyprivateKalmanlter,asanexampleofsituationwhereadditionalinformationabouttheprocessgeneratingtheindividualsignalscanbeleveragedtopublishmoreaccurateresults.Finally,SectionVIismotivatedbytherecentworkon“differentialprivacyundercontinualobservation”[13],[14],andconsiderssystemsprocessingasingleinteger-valuedsignaldescribingtheoccurrenceofeventsoriginatingfrommanyindividualparticipants.Throughoutthepaper,differentiallyprivateapproximationsofthesystemsareproposedwiththegoalofminimizingthemeansquarederror(MSE)introducedbytheprivacypreserving
mechanisms.II.DIFFERENTIALRIVACYInthissection,wereviewthenotionofdifferentialpri-vacy[8]aswellassomebasicmechanismsthatcanbeusedtoachieveitwhenthereleaseddatabelongstoanite-dimensionalvectorspace.Intheoriginalpapersondifferentialprivacy[8],[10],[19],asanitizingmechanismhasaccesstoadatabaseandprovidesnoisyanswerstoqueriessubmittedbydataanalystswishingtodrawinferencefromthedata.However,thenotionofdifferentialprivacycanbedenedforfairlygeneraltypesofdatasets.Mostoftheresultsinthissectionareknown,butinsomecasesweprovidemorepreciseorslightlydifferentversionsofsomestatementsmadeinpreviouswork.WereferthereadertothesurveysbyDwork,e.g.,[20],foradditionalbackgroundondifferentialprivacy.Letusxsomeprobabilityspace .Let beaspaceofdatasetsofinterest(e.g.,aspaceofdatatables,orasignalspace).Amechanismisjustamap ,forsomemeasurableoutputspace ,where denotesa -algebra,suchthatforanyelement isarandomvariable,typicallywrittensimply .Amechanismcanbeviewedasaprobabilisticalgorithmtoansweraquery ,whichisamap .Insomecases,weindexthemechanismbythequery ofinterest,writing 1)Example1: ,witheachreal-valuedentry correspondingtosomesensitiveinformationforanindividualcontributingherdata,e.g.,hersalary.Adataana-lystwouldliketoknowtheaverageoftheentriesof ,i.e.,thequeryis .AsdetailedinSectionII-B,atypicalmechanism toanswerthisqueryinadifferentiallyprivatewaycomputes andblurstheresultbyaddingarandomvariable ,sothat .Notethatintheabsenceofper-turbation ,anadversarywhoknows andall canrecovertheremainingentry exactlyifhelearns Thiscandeterpeoplefromcontributingtheirdata,eventhoughbroaderparticipationimprovestheaccuracyoftheanalysisandthuscanprovideusefulknowledgetothepopulation.2)Example2:Adatabasecouldrecord,for participants, -tupleofbinaryvaluesforthepresenceorabsenceof tributes,e.g.,beinglessthat50yearsold.Forstatisticalanalysispurposes,itistypicallysufcienttoconsiderthisdatasetasa ,where representsthenumberofoccurrencesofthek-tuple 
.Whilethishistogramrepresentationremovescertainobviousformsofidentication,e.g.,names,publishingitstillcarriesconsiderableprivacyrisksduetothepossibilityoflinkingitsinformationtootherpublicdatasets,inordertore-identifyindividualsforexample[21].Smallentriesinthe ,correspondingtoattributescharacterizingfewpeoples,areparticularlysensitive[22].Analternativetopublishing aperturbedversionofit,istokeep secureandforceanalyststodirectlysendtheirquery tothedatabaseserver,whichcanthenprovideanapproximateanswerandbettercontroltheleakageofprivateinformation[8],[23].Forexample,alinearqueryoftheform for canbeusedtorequestsimultaneously marginals,partialhistograms,etc.Muchworkhasbeendoneonansweringsuchstatisticalqueriesinadiffer-entiallyprivateway,see,e.g.,[12]and[19].3)Example3:WeconsiderinSectionVaroadtrafcmon-itoringsystem,whereindividualssendtheirlocationtoadataaggregatoratdiscretetimeintervals,andreceiveadynamices-timateoftheaveragetrafcvelocityonaroadsegmentofin-terest.For users,thedatasetconsistsof discrete-timeposi-tionsignals ,with ,andaqueryisalsoasignal ,where denotestheindicatorfunctionand theroadsegment.Next,weintroducethenotionofdifferentialprivacy[8],[10].Inthefollowingdenition,wehaveasymmetricbinaryrela-tion onaspaceofdatasets ,calledadjacency.Intuitively ifandonlyif differbythedataofasingleparticipant.nition1: beaspaceequippedwithasymmetricbinaryrelationdenoted ,andlet beameasurablespace.Let .Amechanism 346IEEETRANSACTIONSONAUTOMATICCONTROL,VOL.59,NO.2,FEBRUARY2014 Fig.2.Twoarchitecturesfordifferentialprivacy.(a)Inputperturbation.(b)Outputperturbation.Proof:Considertwoadjacentsignals ,differingsayintheir component.Then,for ,wehave Thisleadstoaboundonthe sensitivityof ,validforall .TheresultisthenanapplicationofTheorems2and3andLemma2,since(7)issatisedforall Corollary1:Let bedenedasin(8),with anLTI ,and ,forall .Thenthemechanism ,where isawhiteGaussiannoisewith and ,is -differentiallypri-vatefor(5).C.FilterApproximationSet-UpsforDifferentialPrivacy forall 
beanLTIsystemasinCorollary1,andassumeforsimplicitythesamebound fortheallowedvariationsinenergyofeachinputsignal.Wehavethentwosimplemechanismsproducingadifferentiallyprivateversionof ,depictedonFig.2.Therstonedirectlyperturbseachinputsignal byaddingtoitawhiteGaussiannoise with Theseperturbationsoneachinputchannelarethenpassedthrough ,leadingtoameansquarederror(MSE)fortheoutputequalto Alternatively,wecanaddasinglesourceofnoiseattheoutput accordingtoCorollary1,inwhichcasetheMSEis .Bothoftheseschemesshouldbeevaluateddependingonthesystem andthenumber ofparticipants,asnoneoftheerrorboundisbetterthantheotherinallcircumstances.Forexample,if issmallorifthebandwidthsoftheindividualtransferfunctions donotoverlap,theerrorboundfortheinputperturbationschemecanbesmaller.Anotheradvantageofthisschemeisthattheuserscanreleasedifferentiallyprivatesignalsthemselveswithoutrelyingonatrustedserver.However,therearecryptographicmeansforachievingtheoutputperturbationschemewithoutcentralizedtrustedserveraswell,see,e.g.,[29].1)Example4:Consideragaintheproblemofreleasingtheaverageoverthepast periodsofthesumoftheinputsignals, with ,forall .Then ,whereas ,for Fig.3.Kalmanlteringsetup. 
.TheMSEfortheschemewiththenoiseattheinputisthen .Withthenoiseattheoutput,theMSEis ,whichisbetterexactlywhen ,i.e.,thenumberofusersislargerthantheaveragingwindow.IV.DIFFERENTIALLYRIVATEALMANILTERINGWenowdiscusstheKalmanlteringproblemsubjecttoadifferentialprivacyconstraint.ComparedtoSectionIII,itisas-sumedherethatmoreispubliclyknownaboutthedynamicsoftheprocessesproducingtheindividualinputsignals,andthisknowledgecanbeexploitedinthedesignofprivacymecha-nismswithbetterperformance.SectionVdescribesanapplica-tionofthemechanismspresentedheretoatrafcmonitoringproblem.A.DifferentiallyPrivateKalmanFilterConsiderasetof linearsystems,eachwithindependentdynamics (9) isastandardzero-meanGaussianwhitenoiseprocesswithcovariance ,andtheinitialcondition isaGaussianrandomvariablewithmean ,independentofthenoiseprocess .System ,for ,sendsmea- toadataaggregator.Weassumeforsimplicitythatthematrices arefullrowrank.Fig.3showsthisinitialsetup.Thedataaggregatoraimsatreleasingasignalthatasymptot-icallyminimizestheMSEwithrespecttoalinearcombinationoftheindividualstates.Thatis,thequantityofinteresttobeestimatedateachperiodis ,where aregivenmatrices,andwearelookingforacausales-timator constructedfromthesignals solutionof Thedata areassumedtobepublicin-formation.Forall ,weassumethatthepairs aredetectableandthepairs arestabilizable.Intheabsenceofprivacyconstraint,theminimummeansquarederror(MMSE)estimatoris ,with providedbythesteady-stateKalmanlterestimatingthestateofsystem from [30],anddenoted inthefollowing.Supposenowthatthepubliclyreleasedestimateshouldguaranteethedifferentialprivacyoftheparticipants.Thisrequiresthatwerstspecifyanadjacencyrelationonthe 350IEEETRANSACTIONSONAUTOMATICCONTROL,VOL.59,NO.2,FEBRUARY2014thesamematrix asin(27),whichresultsinaconvexproblembutintroducessomeconservatism. 
V. TRAFFIC MONITORING EXAMPLE

A. System Description

Consider a simplified description of a traffic monitoring system, inspired by real-world implementations and associated privacy concerns as discussed in [6], [34] for example. There are  participating vehicles traveling on a straight road segment. Vehicle , for , is represented by its state , with  its position and velocity, respectively. This state evolves as a second-order system with unknown random acceleration inputs  where  is the sampling period,  is a standard white Gaussian noise, and . Assume for simplicity that the noise signals  for different vehicles are independent. The traffic monitoring service collects GPS measurements from the vehicles [6], i.e., receives noisy readings of the positions at the sampling times  with  The purpose of the traffic monitoring service is to continuously provide an estimate of the traffic flow velocity on the road segment, which is approximated by releasing at each sampling period an estimate of the average velocity of the participating vehicles, i.e., of the quantity  With a larger number of participating vehicles, the sample average (29) represents the traffic flow velocity more accurately. However, while individuals are generally interested in the aggregate information provided by such a system, e.g., to estimate their commute time, they do not wish their own trajectories to be publicly revealed, since these might contain sensitive information about their driving behavior, frequently visited locations, etc. Privacy-preserving mechanisms for such location-based services are often based on ad-hoc temporal and spatial cloaking of the measurements [6], [35]. However, in the absence of a quantitative definition of privacy and a clear model of the adversary's capabilities, it is common that proposed techniques are later argued to be deficient [36], [37]. The temporal cloaking scheme proposed in [6] for example aggregates the speed measurements of  users successively crossing a given line, but does not necessarily protect individual trajectories against adversaries exploiting temporal relationships between these aggregated measurements [36].

B. Numerical Example

We now discuss some differentially private estimators introduced in Section IV, in the context of this example. All individual systems are identical, hence we drop the subscript  in the notation. Assume that the selection matrix is , that  in (11), and that we have  participants. , . A single Kalman filter denoted  is designed to provide an estimate  of each state vector , so that in the absence of a privacy constraint the estimate would be  We designed the four mechanisms of Section IV for various values of the privacy parameters . For the output perturbation mechanisms, we used the approach described in Remark 2 to trade off estimation error and -norm of the filter. For this scenario however, the -norm of the Kalman filter is already quite small, and we could only marginally improve the MSE of the Kalman filter based output perturbation mechanism, typically by less than one percent (the improvement can be more significant for smaller values of  for example). Hence, in the following, we restrict our discussion of output perturbation mechanisms to the simplest scheme that does not redesign the original filter. Fig. 4 shows the steady-state root-mean-square error (RMSE) of the mechanisms for different values of , with  The input perturbation mechanism, while essentially unusable with the original Kalman filter, clearly shows the best performance when the filter is redesigned by taking the privacy-preserving noise into account as additional measurement noise. The higher performance of this mechanism is especially noticeable in the high-privacy (hence, high-noise) regime, i.e., as  becomes small.

Fig. 4. Steady-state RMSE of the average velocity estimate for three mechanisms, as a function of the privacy parameter 

However, other measures of performance are also of interest, and in particular Fig. 5 illustrates the convergence time of the input and output perturbation mechanisms. Here, the filters are simply initialized with an incorrect value of the initial average velocity, but this also serves to illustrate situations where we could have a sudden change in traffic velocity, e.g., due to the formation of a traffic jam. In such cases, it is desirable to have fast convergence of the filter, e.g., in order to warn downstream

[7] H. Zhang and J. Bolot, "Anonymization of location data does not work: A large-scale measurement study," in Proc. 17th Annu. Int. Conf. Mobile Comput. and Network., 2011.
[8] C. Dwork, F. McSherry, K. Nissim, and A. Smith, "Calibrating noise to sensitivity in private data analysis," in Proc. 3rd Theory of Cryptogr. Conf., 2006, pp. 265–284.
[9] S. P. Kasiviswanathan and A. Smith, "A note on differential privacy: Defining resistance to arbitrary side information," 2008. [Online]. Available: http://arxiv.org/abs/0803.3946
[10] C. Dwork, K. Kenthapadi, F. McSherry, I. Mironov, and M. Naor, "Our data, ourselves: Privacy via distributed noise generation," in Adv. Cryptol.-EUROCRYPT '06, 2006, pp. 486–503.
[11] A. Roth, "New algorithms for preserving differential privacy," Ph.D. dissertation, Carnegie Mellon Univ., Pittsburgh, PA, USA, 2010.
[12] C. Li, M. Hay, V. Rastogi, G. Miklau, and A. McGregor, "Optimizing linear counting queries under differential privacy," in Principles of Database Syst. (PODS), 2010.
[13] C. Dwork, M. Naor, T. Pitassi, and G. N. Rothblum, "Differential privacy under continual observation," in Proc. ACM Symp. Theory Comput. (STOC), Cambridge, MA, USA, Jun. 2010.
[14] T.-H. H. Chan, E. Shi, and D. Song, "Private and continual release of statistics," ACM Trans. Info. Syst. Security, vol. 14, no. 3, pp. 26:1–26:24, Nov. 2011.
[15] J. Bolot, N. Fawaz, S. Muthukrishnan, A. Nikolov, and N. Taft, "Private decayed sum estimation under continual observation," 2011. [Online]. Available: http://arxiv.org/abs/1108.6123
[16] Z. Huang, S. Mitra, and G. Dullerud, "Differentially private iterative synchronous consensus," in Proc. CCS Workshop Privacy Electron. Soc. (WPES), Raleigh, NC, USA, Oct. 2012.
[17] D. Varodayan and A. Khisti, "Smart meter privacy using a rechargeable battery: Minimizing the rate of information leakage," in Proc. IEEE Int. Conf. Acoust., Speech, Signal Process., Prague, Czech Republic, 2011, pp. 1932–1935.
[18] L. Sankar, S. R. Rajagopalan, and H. V. Poor, "A theory of privacy and utility in databases," Tech. Rep., Princeton Univ., Princeton, NJ, USA, 2011.
[19] A. Blum, C. Dwork, F. McSherry, and K. Nissim, "Practical privacy: The SuLQ framework," in Proc. 24th ACM SIGMOD-SIGACT-SIGART Symp. Principles of Database Syst. (PODS), New York, NY, USA, 2005, pp. 128–138.
[20] C. Dwork, "Differential privacy," in Proc. 33rd Int. Colloq. Automata, Lang., Programm. (ICALP), 2006, vol. 4052, Lecture Notes in Computer Science.
[21] L. Sweeney, "k-anonymity: A model for protecting privacy," Int. J. Uncertainty, Fuzziness, Knowl.-Based Syst., vol. 10, no. 05, pp. 557–570, 2002.
[22] G. Duncan and D. Lambert, "Disclosure-limited data dissemination," J. Amer. Statist. Associat., vol. 81, no. 393, pp. 10–28, Mar. 1986.
[23] S. Gomatam, A. F. Karr, J. P. Reiter, and A. P. Sanil, "Data dissemination and disclosure limitation in a world without microdata: A risk-utility framework for remote access analysis servers," Statist. Sci., vol. 20, no. 2, pp. 163–177, 2005.
[24] R. M. Dudley, Real Analysis and Probability, 2nd ed. Cambridge, U.K.: Cambridge Univ. Press, 2002.
[25] F. McSherry and K. Talwar, "Mechanism design via differential privacy," in Proc. IEEE Symp. Foundat. Comput. Sci., 2007, pp. 94–103.
[26] T. M. Cover and J. A. Thomas, Elements of Information Theory. New York, NY, USA: Wiley, 1991.
[27] L. Breiman, Probability. Philadelphia, PA, USA: SIAM, 1992, Classics in Appl. Math.
[28] A. van der Schaft, L2-Gain and Passivity Techniques in Nonlinear Control. Berlin, Germany: Springer-Verlag, 2000.
[29] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song, "Privacy-preserving aggregation of time-series data," in Proc. 18th Annu. Netw. Distrib. Syst. Sec. Symp. (NDSS '11), Feb. 2011.
[30] B. D. O. Anderson and J. B. Moore, Optimal Filtering. New York, NY, USA: Dover, 2005.
[31] R. E. Skelton, T. Iwasaki, and K. Grigoriadis, A Unified Algebraic Approach to Linear Control Design. New York, NY, USA: Taylor & Francis, 1998.
[32] C. Scherer, P. Gahinet, and M. Chilali, "Multiobjective output-feedback control via LMI optimization," IEEE Trans. Autom. Control, vol. 42, no. 7, pp. 896–911, Jul. 1997.
[33] C. W. Scherer, "An efficient solution to multi-objective control problems with LMI objectives," Syst. Control Lett., vol. 40, pp. 43–57, 2000.
[34] X. Sun, L. Munoz, and R. Horowitz, "Mixture Kalman filter based highway congestion mode and vehicle density estimator and its application," in Proc. Amer. Control Conf., Jul. 2004, pp. 2098–2103.
[35] M. Gruteser and D. Grunwald, "Anonymous usage of location-based services through spatial and temporal cloaking," in Proc. 1st Int. Conf. Mobile Syst., Applicat. Services (MobiSys '03), 2003, pp. 31–42.
[36] R. Shokri, J. Freudiger, M. Jadliwala, and J.-P. Hubaux, "A distortion-based metric for location privacy," in Proc. CCS Workshop Privacy Electron. Soc. (WPES), 2009.
[37] R. Shokri, C. Troncoso, C. Diaz, J. Freudiger, and J.-P. Hubaux, "Unraveling an old cloak: k-anonymity for location privacy," in Proc. CCS Workshop Privacy Electron. Soc. (WPES), 2010.
[38] H. V. Poor, An Introduction to Signal Detection and Estimation, 2nd ed. New York, NY, USA: Springer, 1994.
[39] J. Proakis, Digital Communications, 4th ed. New York, NY, USA: McGraw-Hill, 2000.
[40] V. Rastogi and S. Nath, "Differentially private aggregation of distributed time-series with transformation and encryption," in Proc. ACM Conf. Manage. Data (SIGMOD), Indianapolis, IN, USA, Jun. 2010.

Jerome Le Ny (S'05–M'09) received the B.S. degree from the Ecole Polytechnique, Palaiseau, France, in 2001, the M.Sc. degree in electrical engineering from the University of Michigan, Ann Arbor, MI, USA, in 2003, and the Ph.D. degree in aeronautics and astronautics from the Massachusetts Institute of Technology, Cambridge, MA, USA, in 2008. He has been an Assistant Professor in the Department of Electrical Engineering, École Polytechnique de Montréal, Montreal, QC, Canada, since May 2012. From 2008 to 2012, he was a Postdoctoral Researcher with the GRASP Laboratory at the University of Pennsylvania. His research interests include robust and stochastic control, scheduling and dynamic resource allocation problems, with applications to autonomous and embedded systems, multi-robot systems, and transportation systems.
George J. Pappas (S'90–M'91–SM'04–F'09) received the Ph.D. degree in electrical engineering and computer sciences from the University of California, Berkeley, CA, USA, in 1998, for which he received the Eliahu Jury Award for Excellence in Systems Research. He is currently the Joseph Moore Professor of Electrical and Systems Engineering at the University of Pennsylvania, Philadelphia, PA, USA. He is a member of the General Robotics, Automation, Sensing and Perception (GRASP) Laboratory and the PRECISE Center for Embedded Systems. His current research interests include hybrid and embedded systems, hierarchical control systems, distributed control systems, and nonlinear control systems, with applications to robotics, unmanned aerial vehicles, biomolecular networks, and green buildings. Dr. Pappas has received numerous awards, including the National Science Foundation (NSF) CAREER Award in 2002, the NSF Presidential Early Career Award for Scientists and Engineers in 2002, the 2009 George S. Axelby Outstanding Paper Award, and the 2010 Antonio Ruberti Outstanding Young Researcher Prize.

output space  for some , is equipped with a norm denoted , and the -algebra  is taken to be the standard Borel -algebra, denoted . The following quantity plays an important role in the design of differentially private mechanisms [8].

Definition 2: Let  be a space equipped with an adjacency relation . The sensitivity of a query  is defined as  In particular, for  equipped with the -norm , we denote the -sensitivity by .

1) Laplace Mechanism: This mechanism, proposed in [8], modifies an answer to a numerical query by adding independent and identically distributed (i.i.d.) zero-mean noise distributed according to a Laplace distribution. Recall that the Laplace distribution with mean zero and scale parameter , denoted , has density  and variance . Moreover, for  i.i.d. and , denoted , we have , and 

Theorem 2: Let  be a query, and . Then the Laplace mechanism  defined by , with , is -differentially private.

Note that the mechanism requires the coordinates of  to have standard deviation proportional to , as well as inversely proportional to the privacy parameter  (here ). For example, if  simply consists of  repetitions of the same scalar query, then  increases linearly with , and the quadratically growing variance of the noise added to each coordinate prevents an adversary from averaging out the noise.

Proof: We have, for  measurable and  adjacent datasets in ,  by the triangle inequality. With the choice of , we obtain the definition (1) of differential privacy (i.e., with ).

2) Gaussian Mechanism: This mechanism, proposed in [10], is similar to the Laplace mechanism but adds i.i.d. Gaussian noise to provide -differential privacy, with  but typically a smaller  for the same utility. First, recall the definition of the -function:  The following theorem tightens the analysis from [10].

Theorem 3: Let  be a query, and . Then the Gaussian mechanism , with , where  and , is -differentially private.

Proof: Let  be two adjacent elements in , and denote . We use the notation  for the 2-norm in this proof. For , we have  The last integral term defines a measure  that we wish to bound by . With the change of variables  and the choice  in the integral, we can rewrite it as  with  In particular, , hence  is equal to the  distribution, with . We are then led to set  sufficiently large so that , i.e., . The result then follows by straightforward calculation.

As an illustration of the theorem, to guarantee -differential privacy with , the standard deviation of the Gaussian noise should be about 2.65 times the -sensitivity of . For the rest of the paper, we define  so that the standard deviation  in Theorem 3 can be written . It can be shown that  can be bounded by 

III. DIFFERENTIALLY PRIVATE DYNAMIC SYSTEMS

In this section, we introduce the notion of differential privacy for dynamic systems. We start with some notations and technical prerequisites. All signals are discrete-time signals, start at time 0, and all systems are assumed to be causal. "Linear and time-invariant" is abbreviated by LTI, and "single-input single-output" by SISO. For each time , let  be the truncation operator, so that for any signal  we have  Hence, a deterministic system  is causal if and only if . We denote by  the space of sequences with values in  and such that  if and only if  -norm for all integers . The  norm and  norm of a stable transfer function  are defined, respectively, as , where  denotes the maximum singular value of a matrix.
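Returning to the Laplace mechanism of Theorem 2 and the remark on repeated queries that follows it, the following added example (not code from the paper) contrasts the correct calibration to the l1-sensitivity of the whole k-vector with a per-copy calibration that lets the noise be averaged away; `delta`, `eps` and `k` are constructed inputs.

```python
import random

# Added example (not from the paper): the Laplace mechanism of Theorem 2 applied
# to k repetitions of one scalar query of l1-sensitivity `delta`. The sensitivity
# of the k-vector is k*delta, so the per-coordinate scale must be k*delta/eps;
# calibrating each copy alone to delta/eps only gives k*eps privacy in total.

def laplace_sample(scale, rng):
    """Zero-mean Laplace(scale) variate as a difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def laplace_mechanism(answer, l1_sensitivity, eps, rng):
    """Theorem 2: add i.i.d. Laplace noise of scale Delta_1/eps to every coordinate."""
    scale = l1_sensitivity / eps
    return [a + laplace_sample(scale, rng) for a in answer]

def repeated_query_sensitivity(delta, k):
    """k repetitions of a scalar query of sensitivity delta: Delta_1 grows to k*delta."""
    return k * delta

def variance_of_average(k, delta, eps, per_copy_calibration=False):
    """Variance of an adversary's average of the k noisy copies (Laplace var = 2*scale^2).
    Correct calibration (scale k*delta/eps): 2*(k*delta/eps)^2 / k, growing with k.
    Per-copy calibration (scale delta/eps): 2*(delta/eps)^2 / k, shrinking with k."""
    scale = (delta if per_copy_calibration else k * delta) / eps
    return 2.0 * scale * scale / k

def effective_epsilon(k, delta, scale):
    """Privacy parameter actually guaranteed for the k-vector release: Delta_1 / scale."""
    return k * delta / scale

def empirical_variance_of_average(k, delta, eps, per_copy_calibration=False,
                                  trials=20000, seed=3):
    """Monte Carlo check of variance_of_average on a constant true answer of 0."""
    rng = random.Random(seed)
    sens = delta if per_copy_calibration else repeated_query_sensitivity(delta, k)
    acc = 0.0
    for _ in range(trials):
        noisy = laplace_mechanism([0.0] * k, sens, eps, rng)
        avg = sum(noisy) / k
        acc += avg * avg
    return acc / trials
```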
LE NY AND PAPPAS: DIFFERENTIALLY PRIVATE FILTERING 345

Fig. 1. Illustrative example of a system computing the sum of the moving averages (MA) of input signals contributed by  individual participants. A differentially private version of this system, for the adjacency relation (5), guarantees to  that the distribution of the output signal does not vary significantly when her input varies in -norm by at most . In particular, the distribution of the output signal will not change significantly if user 's input is zero ( , e.g., because the user is not present), or is not zero but satisfies 

We consider situations in which private participants contribute input signals driving a dynamic system and the queries consist of output signals of this system. First, in this section, we assume that the input of a system consists of  signals, one for each participant. An input signal is denoted  for some . A simple example is that of a dynamic system releasing at each period the average over the past  periods of the sum of the input values of the participants, i.e., with output  at time , see Fig. 1. For , an adjacency relation can be defined on  for example by  if and only if  differ by exactly one component signal, and moreover this deviation is bounded. That is, let us fix a set of nonnegative numbers , and define  iff for some  (5) for all .

A. Finite-Time Criterion for Differential Privacy

To approximate dynamic systems by versions respecting the differential privacy of the individual participants, we consider mechanisms of the form , i.e., producing for any input signal  a stochastic process  with sample paths in . As in Section II, this requires that we first specify the measurable sets of . We start by defining in a standard way the measurable sets of , the space of sequences with values in , to be the -algebra denoted  generated by the so-called finite-dimensional cylinder sets of the form  where  denotes the vector  (see, e.g., [27, Ch. 2]). The measurable sets considered for the output of  are then obtained by intersection of  with the sets of . The resulting -algebra is denoted  and is generated by the sets of the form  (6) . As for the dynamic systems of interest, we constrain in this paper the mechanisms to be causal, i.e., the distribution of  should be the same as that of  for any  and any time . In other words, the values  do not influence the values of the mechanism output up to time . The following technical lemma is useful to show that a mechanism on signal spaces is -differentially private by considering only finite dimensional problems.

Lemma 2: Consider an adjacency relation . Let . For a mechanism , the following are equivalent:  is -differentially private. For all  such that , we have  (7).

Proof: If  is -differentially private, then for  adjacent, and for all , we have . In particular, for a given integer  we can restrict our attention to the sets  of the form (6). In this case, we have immediately  since the events are the same. Conversely, consider two adjacent signals , and let , for which we want to show (1). Fix . There exists  such that  and , where  denotes the symmetric difference. This is a consequence for example of the fact that the finite-dimensional cylinder sets form an algebra and of the argument in the proof of [24, Th. 3.1.10]. We then have  Since  can be taken arbitrarily small, the differential privacy definition (1) holds.

B. Basic Dynamic Mechanisms

Recall (see, e.g., [28]) that for a system  with inputs in  and output in , its -to- incremental gain  is defined as the smallest number  such that  Now consider, for ,  defined by  (8) , for all . The next theorem generalizes the Laplace and Gaussian mechanisms of Theorems 2 and 3 to causal dynamic systems.

Theorem 4: Let  be defined as in (8) and consider the adjacency relation (5). Then the mechanism  where  is a white noise with , for  and , is -differentially private. , the mechanism is -differentially private if , with