Data-Dependent Differentially Private Parameter Learning for DirectedGraphical Models

Amrita Roy Chowdhury 1 Theodoros Rekatsinas 1 Somesh Jha 1 2

AbstractDirected graphical models (DGMs) are a classof probabilistic models that are widely used forpredictive analysis in sensitive domains such asmedical diagnostics. In this paper, we presentan algorithm for differentially private learningof the parameters of a DGM. Our solution op-timizes for the utility of inference queries overthe DGM and adds noise that is customized tothe properties of the private input dataset and thegraph structure of the DGM. To the best of ourknowledge, this is the first explicit data-dependentprivacy budget allocation algorithm in the contextof DGMs. We compare our algorithm with a stan-dard data-independent approach over a diversesuite of benchmarks and demonstrate that our so-lution requires a privacy budget that is roughly3× smaller to obtain the same or higher utility.

1. IntroductionDirected graphical models (DGMs) are a class of probabilis-tic models that are widely used in causal reasoning and pre-dictive analytics (Koller & Friedman, 2009). A typical usecase for these models is answering “what-if” queries overdomains that often work with sensitive information. For ex-ample, DGMs are used in medical diagnosis for answeringquestions, such as what is the most probable disease given aset of symptoms (Pearl, 1998). In learning such models, itis common that the underlying graph structure of the modelis publicly known. For instance, in the case of medical data,the dependencies between several physiological symptomsand diseases are well established, standardized, and publiclyavailable. However, the parameters of the model have to belearned from observations. These observations may containsensitive information as in the case of medical applications.

1Department of Computer Sciences, University of Wisconsin-Madison, USA 2XaiPient, USA. Correspondence to: Amrita RoyChowdhury <amrita@cs.wisc.edu>.

Proceedings of the 37 th International Conference on MachineLearning, Vienna, Austria, PMLR 119, 2020. Copyright 2020 bythe author(s).

Hence, learning and publicly releasing the parameters of theprobabilistic model may lead to privacy violations (Shokriet al., 2017; Zhang et al., 2016a), and thus, the need forprivacy-preserving learning mechanisms for DGMs.

In this paper, we focus on the problem of privacy-preservinglearning of the parameters of a DGM. For our privacy defini-tion, we use differential privacy (DP) (Dwork & Roth, 2014)– currently the de-facto standard for privacy. We considerthe setting when the structure of the target DGM is publiclyknown and the parameters of the model are learned fromfully observed data. In this case, all parameters can be esti-mated via counting queries over the input observations (alsoreferred to as data set in the remainder of the paper). Thedirect way to ensure differential privacy is to add suitablenoise to the observations using the standard Laplace mecha-nism (Dwork & Roth, 2014). Unfortunately, this method isdata-independent, i.e., the noise added to the base observa-tions is oblivious of the properties of the input data set andthe structure of the DGM, resulting in sub-optimal utility.To address this issue, we turn to data-dependent methodswhich add noise that is customized to the properties of theinput data sets (Li et al., 2014; Zhang et al.; Cormode et al.,2012b; Acs et al., 2012; Xu et al., 2012; Xiao et al., 2012;Kotsogiannis et al., 2017b).

We propose a data-dependent, ε-DP algorithm for learningthe parameters of a DGM over fully observed data. Our goalis to minimize errors in arbitrary inference queries that aresubsequently answered over the learned DGM. The maincontributions are:

(1) Explicit data-dependent privacy-budget allocation:Our algorithm computes the parameters of the conditionalprobability distribution of each random variable in the DGMvia separate measurements from the input data set. This letsus optimize the privacy budget allocation across the dif-ferent variables with the objective of reducing the error ininference queries. We formulate this optimization objectivein a data-dependent manner – our optimization objective isinformed by both the private input data set and the publicgraph structure of the DGM. To the best of our knowledge,this is the first work to propose explicit data-dependentprivacy-budget allocation in the context of DGMs. We eval-uate our algorithm on four DGM benchmarks and demon-

arX

iv:1

905.

1281

3v3

[cs

.LG

] 1

0 Ju

l 202

0

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

strate that our scheme only requires a privacy budget ofε = 1.0 to yield the same utility that a data-independentbaseline achieves with a much higher ε = 3.0. Specifically,our baseline is based on (Zhang et al., 2016b) which is themost recent work that explicitly deals with differentiallyprivate parameter estimation for DGMs.

(2) New theoretical results: To preserve privacy, we addnoise to the parameters of the DGM. To understand how thisnoise propagates to inference queries, we provide two newtheoretical results on the upper and lower bound of the errorof inference queries. The upper bound has an exponentialdependency on the treewidth of the DGM while the lowerbound depends on its maximum degree. We also providea formulation to compute the sensitivity (Laskey, 1995) ofthe parameters associated with a node of a DGM targetingthe probability distribution of its child nodes only. To thebest of our knowledge, these theoretical results are novel.

2. BackgroundIn this section, we review basic background material rele-vant to this paper.

Directed Graphical Models: A directed graphical model(DGM) or a Bayesian network is a probabilistic modelthat is represented as a directed acyclic graph, G.

A

B

C

D

E

F

Figure 1: An example directedgraphical model

The nodes of the graphrepresent random vari-ables and the edges en-code conditional depen-dencies between the vari-ables. The graphicalstructure of the DGM rep-resents a factorization ofthe joint probability dis-tribution of these randomvariables. Specifically,given a DGM with graph G, let X1, . . . , Xn be the randomvariables corresponding to the nodes of G and Xpai denotethe set of parents in G for the node corresponding to variableXi. The joint probability distribution factorizes as

P [X1, . . . , Xn] =∏ni=1 P [Xi|Xpai ] (1)

where each factor P [Xi|Xpai ] corresponds to a con-ditional probability distribution (CPD). For exam-ple, for the DGM depicted by Fig. 1, we haveP [A,B,C,D,E, F ] = P [A] · P [B] · P [C|A,B] · P [D|C] · P [E|C]·P [F |D,E]. For DGMs with discrete random variables,each CPD can be represented as a table of parametersΘxi|xpai where each parameter corresponds to a conditionalprobability and xi and xpai denote variable assignmentsXi = xi and Xpai = xpai .

A key task in DGMs is parameter learning. Given a DGMwith a graph structure G, the goal of parameter learning is

to estimate each Θxi|xpai , a task solved via maximum likeli-hood estimation (MLE). In the presence of fully observeddata D (i.e., data corresponding to all the nodes of G1 isavailable), the maximum likelihood estimates of the CPDparameters take the closed-form (Koller & Friedman, 2009)

Θxi|xpai = C[xi, xpai ]/C[xpai ] (2)

where C[xi] is the number of records in D with Xi = xi.

After learning, the DGM is used to answer inferencequeries, i.e., queries that compute the probabilities of cer-tain events (variables) of interest. Inference queries can alsoinclude evidence (a subset of the nodes has a fixed assign-ment). There are three types inference queries in general:

(1) Marginal inference: This is used to answer queriesof the type "what is the probability of a given vari-able if all others are marginalized". An examplemarginal inference query for the DGM in Fig. 1 isP [F = 0] =

∑A

∑B

∑C

∑D

∑F P [A,B,C,D,E, F = 0].

(2) Conditional Inference: This type of query answers theprobability distribution of some variable conditioned onsome evidence e. An example conditional inference queryfor the DGM in Fig. 1 is P [A|F = 0] =

P [A,F=0]P [F=0] .

(3) Maximum a posteriori (MAP) inference: This typeof query asks for the most likely assignment of vari-ables. An example MAP query for the DGM in Fig. 1is maxA,B,C,D,E{P [A,B,C,D,E, F = 0]}.

For DGMs, inference queries can be answered exactly by thevariable elimination (VE) algorithm (Koller & Friedman,2009) which is described in detail in Appx. 8.1.1. The basicidea is that we "eliminate" one variable at a time followinga predefined order ≺ over the graph nodes. Let Φ denote aset of probability factors φ (initialized with all the CPDs ofthe DGM) and Z denote the variable to be eliminated. First,all probability factors involving Z are removed from Φ andmultiplied together to generate a new product factor. Next,Z is summed out from this combined factor, generating anew factor φ that is entered into Φ. Thus, VE correspondsto repeated sum-product computations: φ =

∑Z

∏φ∈Φ φ.

Additionally, we define a term Markov blanket which isused in Sec. 3.3.

Definition 2.1 (Markov Blanket). The Markov blanket, de-noted by P (X), for a node X in a graphical model is theset of all nodes such that given P (X), X is conditionallyindependent of all the other nodes. (Pearl, 1988).

In a DGM, the Markov blanket of a node consists of its childnodes, parent nodes, and the parents of its child nodes. Forexample, in Fig. 1, P(D) = {C,E, F}.

1The attributes of the data set become the nodes of the DGM’sgraph. For the remainder of the paper we use them interchangeably.

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

Differential Privacy: We formally define differential pri-vacy (DP) as follows:

Definition 2.2 (Differential Privacy). A randomized algo-rithm A satisfies ε-differential privacy (ε-DP), where ε > 0is a privacy parameter, iff for any two data sets D and D′that differ in a single record, we have

∀t ∈ Range(A), P[A(D) = t

]≤ eεP

[A(D′) = t

](3)

In our setting,A (in Eq. (3)) corresponds to an algorithm forlearning the parameters of a DGM with a publicly knowngraph structure from a fully observed data set D.

When applied multiple times, the DP guarantee degradesgracefully as follows.

Theorem 2.1 (Sequential Composition). If A1 and A2 areε1-DP and ε2-DP algorithms that use independent random-ness, then releasing the outputs (A1(D),A2(D)) on databaseD satisfies (ε1 + ε2)-DP.

Any post-processing computation performed on the noisyoutput of a DP algorithm does not degrade privacy.

Theorem 2.2 (Post-processing). Let A : D 7→ R be a ε-DPalgorithm. Let f : R 7→ R′ be an arbitrary randomized map-ping. Then f ◦ A : D 7→ R′ is ε-DP.

The privacy guarantee of a DP algorithm can be amplifiedby a preceding sampling step (Kasiviswanathan et al., 2011;Li et al., 2012). Let A be an ε-DP algorithm and D be a dataset. Let A′ be an algorithm that runs A on a random subsetof D obtained by sampling it with probability β.

Lemma 2.3 (Privacy Amplification). Algorithm A′ will sat-isfy ε′-DP where ε′ = ln(1 + β(eε − 1))

The Laplace mechanism is a standard algorithm to achievedifferential privacy (Dwork & Roth, 2014). In thismechanism, in order to output f(D) where f : D 7→ R,an ε-DP algorithm A publishes f(D) + Lap

(∆fε

)where

∆f = maxD,D′ ||f(D)− f(D′)||1 is known as the sensitivityof the function. The probability density function of Lap(b) isgiven by f(x) = 1

2be(− |x−µ|b ). The sensitivity of the function

f is the maximum magnitude by which an individual’s datacan change f . The sensitivity of counting queries is 1.

Next, we define two terms, namely marginal table and mu-tually consistent marginal tables, that are used in Sec. 3.3.

Let D be a data set defined over attributes X and X bean attribute set such that X = {X1, · · · , Xk},X ⊆ X . Lets =

∏ki=1 |dom(Xi)| and dom(X) = {v1, · · · , vs} represent

the domain of X. The marginal table for the attributeset X denoted by MX, is computed as follows:

(1) Populate the entries of table TX of size s from D suchthat each entry j ∈ [s], TX[j] = # records in D with X = vj .This step is also called materialization.

(2) Compute MX from TX such thatMX[j] = TX[j]/

∑si=1 TX[i], j ∈ [s].

Thus the entries of MX corresponds to the values of the jointprobability distribution over the attributes in X.

Let Attr(M) denote the set of attributes on which a marginaltable M is defined and M1 ≡M2 denote that the twomarginal tables have the same values for every entry.Definition 2.3 (Mutually Consistent Marginal Tables). Twonoisy marginal tables M̃i and M̃j are defined to be mutu-ally consistent iff the marginal table over the attributes inAttr(M̃i) ∩Attr(M̃j) reconstructed from M̃i is exactly thesame as the one reconstructed from M̃j , i.e.,

M̃i[Attr(M̃i) ∩Attr(M̃j)] ≡ M̃j [Attr(M̃i) ∩Attr(M̃j)](4)

3. Data-Dependent Differentially PrivateParameter Learning for DGMs

In this section, we describe our proposed solution for differ-entially private learning of the parameters of a fully observedDGM by adding data and structure dependent noise.

3.1. Problem Setting

Let D be a sensitive data set of size m with attributesX = 〈X1, · · · , Xn〉 and let N = 〈G,Θ〉 be the DGM of in-terest. The graph structure G of N defined over the attributeset X is publicly known. Our goal is to learn the parametersΘ, i.e., the CPDs ofN , in a data-dependent differentially pri-vate manner from D such that the error in inference queriesover the ε-DP DGM is minimized.

3.2. Key Ideas

Our solution is based on the following two key observations:

(1) The parameters Θ[Xi|Xpai ] of the DGM N can be esti-mated separately via counting queries over the empiricalmarginal table of the attribute set Xi ∪Xpai .

(2) The factorization over N decomposes the overall ε-DPlearning problem into a set of separate ε-DP learning sub-problems (one for each CPD). For example, for the DGM inFig. 1, the following six CPDs have to be learned separately{P [A], P [B], P [C|A,B], P [D|C], P [E|C], P [F |D,E]}. Thusthe total privacy budget has to be divided among these sub-problems. However, due to the structure of the graph andthe data set, some nodes will have more impact on inferencequeries than others. Hence, allocating more budget (andthus, getting better accuracy) to these nodes will result inreduced overall error for the inference queries.

Our method is outlined in Alg. 1 and proceeds in two stages.In the first stage, we obtain preliminary noisy measurementsof the parameters of N which are used along with some

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

graph specific properties (the height and out-degree of eachnode) to formulate a data-dependent optimization objectivefor privacy budget allocation. The solution of this objec-tive is then used in the second stage to compute the finalparameters. For instance, for the DGM in Fig. 1, node A(root node) would typically have a higher privacy budgetthan node F (leaf node). In summary, if εB is the totalprivacy budget available, we spend εI to obtain prelimi-nary parameter measurements in Stage I and the remainingεB − εI is used for the final parameter computation in StageII, after optimal allocation across the marginal tables. As aresult, our scheme only requires a privacy budget of ε = 1.0to yield the same utility that a standard data-independentmethod achieves with ε = 3.0 (Sec. 5).

Next, we describe our algorithm in detail and highlight howwe address the two core technical challenges in our solution:

(1) how to reduce the privacy budget cost for the first stageεI (equivalently increase εB-εI ) (Alg. 1, Lines 1-3), and

(2) what properties of the data set and the graph should theoptimization objective be based on (Alg. 1, Lines 5-11).

3.3. Algorithm Description

We now describe the two stages of our technique:

Stage I – Formulation of optimization objective: First,we handle the trade-off between the two parts of the totalprivacy budget εI and εB − εI . While we want to maximizeεB − εI to reduce the amount of noise in the final parameters,sufficient budget εI is required to obtain good estimates ofthe statistics of the data set to form the data-dependentbudget allocation objective. To handle this trade-off, weuse the sampling strategy from Lemma 2.3 to improve theaccuracy of the optimization objective computation (Alg. 1,Lines 1-2). This allows us to assign a relatively low value toεI increasing our budget for the final parameter computation.

Next, we estimate the parameters Θ̂ on the sampled dataset D′ via the procedure ComputeParameters (describedbelow and outlined in Procedure 1) using budget allocationE (Alg. 1, Lines 3-4). Note that Θ̂ is only required for theoptimization objective formulation and is different from thefinal parameters Θ̃ (Alg. 1, Line 18). Hence, for Θ̂ we use anaive allocation policy of equal privacy budget for all tables.

Finally, we compute the privacy budget optimization objec-tive FD,G that depends on the data set D and graph structureG (Alg. 1, Line 5-12). The details are discussed in Sec. 3.4.

Stage II – Final parameter computation: We solve forthe optimal privacy budget allocation E∗ from FD,G and useit to compute a copy of the parameters Θ (Alg. 1, Lines13-14). We obtain the final parameters Θ̃ by computing theweighted average of the corresponding values in Θ and thepreliminary estimate Θ̂ (Alg. 1, Lines 15-20). Note that

Algorithm 1 Differentially private learning of the parame-ters of a directed graphical model

Input: D - Input data set of size m with attributesX = 〈X1, · · · , Xn〉;

G - Graph Structure of DGMN ;εB- Total privacy budget;β - Sampling rate for Stage I;εI - Privacy budget for Stage I

Output: Θ̃ - Noisy parameters ofNStage I: Optimization objective formulation for privacy

budget allocation

1: ε = ln(eεI−1β

+ 1)

B Computing privacy parameter2: Construct a new dataset D′ by sampling D with probability β3: E = [ ε

n, · · · , ε

n]

4: Θ̂, T̂ , T̂pa = ComputeParameters(D′,E)

5: for i = 1 to n6: δ̃i = ComputeError(i, T̂i, T̂pai)

B Estimating error of parameters for Xi using Eq. (12)7: hi = Height of node Xi8: oi = Out-degree of node Xi9: ∆̃Ni = ComputeSensitivity(i, Θ̂)

B Computing sensitivity of the parameters using Eq. (7)10: W [i] = (hi + 1) · (oi + 1) · (∆̃Ni + 1)11: end for12: FG,D =

∑n−1i=1 W [i] · δ̃i/εi +W [n] · δ̃n/(εB − εI −

∑n−1i=1 εi)

B Optimization ObjectiveStage II: Final computation of the parameter Θ

13: Solve for E∗ = {ε∗i } from minimizing FG,D using Eq. (13)14: Θ, T , T pa = ComputeParameters(D,E∗)15: Θ̃ = ∅16: for Xi ∈ X

B Assuming Θ̂ =⋃

Xi∈XΘ̂[Xi|Xpai ] and Θ =

⋃Xi∈X

Θ[Xi|Xpai ]

17: ε̂i = (εI/n)/(E∗[i] + εI/n), εi = E∗[i]/(E∗[i] + εI/n)

18: Θ̃[Xi|Xpai ] = ε̂i · Θ̂[Xi|Xpai ] + εi ·Θ[Xi|Xpai ]BWeighted Mean

19: Θ̃ = Θ̃⋃

Θ̃[Xi|Xpai ]20: end for21: Return Θ̃

E∗[i] + εI/n is the total privacy budget spent on the CPD ofnode Xi in the two rounds.

Procedure 1 ComputeParameters: The goal of this pro-cedure is, given a privacy budget allocation E , to derive theparameters of N under DP. First, we materialize the tablesfor the attribute setsXi ∪Xpai andXpaii ∈ [n] (Proc. 1, Line2), and then inject noise drawn from Lap( 2

E[i] ) (using halfof the privacy budget E[i]

2 for each table) into each of theircells (Proc. 1, Line 3) to generate T̃i and T̃pai respectively.Next, we convert T̃i and T̃pai to a marginal table M̃i, i.e.,joint distribution PN [Xi, Xpai ] (Proc. 1, Line 4) as

M̃i[xi, xpai ] =T [xi,xpai ]/Tpai [xpai ]∑

v∈dom(Xi)T [v,xpai ]/Tpai [xpai ]

The denominator in the above equation is for normaliza-

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

Procedure 1 ComputeParametersInput: D - Data set with attributes X = 〈X1, · · · , Xn〉;

E [1, · · · , n] - Array of privacy budget allocation1: for i = 1 to n2: Materialize tables Ti and Tpai for the attribute sets

Xi ∪Xpai and Xpai respectively for D3: Add noise ∼ Lap( 2

E[i]) to each entry of Ti and Tpai

to generate noisy tables T̃i and T̃pai respectively

4: Convert T̃i into noisy marginal table M̃i using T̃pai5: end for6: MutualConsistency(

⋃Xi∈X M̃i)

BEnsures mutual consistency (Def. 2.3) among the noisymarginal tables sharing subsets of attributes

7: for i = 1 to n8: Construct Θ̃[Xi|Xpai ] from M̃i B Using Eq. 29: end for

10: Return Θ̃ =⋃

Xi∈XΘ̃[Xi|Xpai ], T̃ =

⋃Xi∈X

T̃i, T̃pa =⋃

Xi∈XT̃pai

tion. This is followed by ensuring that all M̃is are mutuallyconsistent (Def. 2.3) on all the attribute subsets (Proc. 1,Line 6). For this, we follow the techniques outlined in (Hayet al., 2010a; Qardaji et al., 2014) and further described inAppx. 8.2.1. Finally, we derive Θ̃[Xi|Xpai ] (the noisy esti-mate of PN [Xi|Xpai ]) from M̃i (Proc. 1, Lines 7-10). Notethat although M̃i could have been derived from T̃i alone, wealso use T̃pai for its computation to ensure independence ofthe added noise in Eq. (5).

3.4. Optimal Privacy Budget Allocation

Our goal is to find the optimal privacy budget allocation overthe marginal tables, M̃i, i ∈ [n] for N such that the error inthe subsequent inference queries on N is minimized.

Observation I: A more accurate estimate of the parametersof N will result in better accuracy for the subsequent infer-ence queries. Hence, we focus on reducing the total error ofthe parameters of N . From Eq. (2) and our Laplace noiseinjection (Proc. 1, Line 3), for a privacy budget of ε, thevalue of a parameter of the DGM computed from the noisymarginal tables M̃i is expected to be

Θ̃[xi|xpai ] =(C[xi, xpai ]︸ ︷︷ ︸

True count for recordswithXi = xi

andXpai = xpai

± 2√

2

ε︸ ︷︷ ︸Noise due to

Laplacemechanism

)/(C[xpai ]±

2√

2ε

)(5)

Thus, from the rules of standard error propagation (err), theerror in Θ[xi, xpai ] is

δΘ[xi,xpai ]= Θ[xi, xpai ]

√8/(ε · C[xpai ])

2 + 8/(ε · C[xi, xpai ])2 (6)

where C[xi] denotes the number of records in D with Xi = xi.Hence, the mean error for the parameters of Xi is

δi=1

|dom(Xi∪Xpai )|∑xi,xpai

δΘ[xi|xpai ]

where dom(S) is the domain of the attribute set S. Sinceusing the true counts, C[xi], would violate privacy, Alg. 1uses the noisy estimates from T̃i and T̃pai (Alg. 1, Line 6).

Observation II: Depending on the data set and the graphstructure, different nodes will have different impact on infer-encing. This information can be captured by a correspond-ing weighting coefficient W [i], i ∈ [n] for each node.

Computation of weighting coefficient W [i]: For a givennode Xi, the weighting coefficient W [i] is computed fromthe following three node features:

(1) Height of the node hi: The height of a node Xi is thelength of the longest path between Xi and a leaf node. Dueto the factorization of the joint distribution over a DGM, themarginal probability distribution of a node depends only onthe set of its ancestor nodes (as is explained in the followingdiscussion on the computation of sensitivity). Thus, a nodewith large height will affect the inference queries on morenodes (all its successors) than say a leaf node.

(2) Out-degree of the node oi: A node causally affects allits children nodes. Thus the impact of a node with highout-degree on inferencing will be more than say a leaf node.

(3) Sensitivity ∆Ni : Sensitivity of a parameter in a DGMmeasures the impact of small changes in the parameter valueon a target probability. Laskey (Laskey, 1995) proposed amethod of computing sensitivity by using the partial deriva-tive of output probabilities with respect to the parameterbeing varied. However, previous works have mostly focusedon the target probability to be a joint distribution of all thevariables. In this paper, we present a method to computesensitivity by targeting the probability distribution of childnodes only. Let ∆Ni denote the mean sensitivity of the pa-rameters of Xi on target probabilities of all the nodes inChild(Xi)= {set of all the child nodes of Xi}. Formally,

∆Ni = 1|dom(Xi∪Xpai )|

( ∑xi,xpai

1|Child(Xi)|

(∑

Y ∈Child(Xi)

1|dom(Y )| (

∑y∂PN [Y=y]∂Θ[xi|xpai ]

)))

︸ ︷︷ ︸computing the partial derivatives

of the parameters of the child nodes only

(7)

A node Xi can affect another node Y only iff it is in itsMarkov blanket (Defn. 2.1), i.e., Y ∈ P (Xi). However dueto the factorization of the joint distribution over a DGM,∀Y ∈ P (Xi), Y 6∈ Child(Xi), PN [Y ] can be expressed with-out Θ[xi|xpai ]. Thus just computing the mean sensitivityof the parameters over the set of child nodes ∆Ni turns outto be a good weighting metric for our setting. ∆Ni for leafnodes is thus 0. Note that ∆Ni is distinct from the notion ofsensitivity of a function in the Laplace mechanism (Sec. 2).

Computing Sensitivity ∆Ni : Let Y ∈ Child(Xi) andΓ(Y ) = {Y1, · · · ,Yt}, t < n denote the set of all nodes such

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

that there is a directed path from Yi to Y . In other wordsΓ(Y ) denotes the set of ancestors of Y in G. From the fac-torization of the joint distribution over N , we have

PN [Y1, · · · ,Yt, Y ] = PN [Y |Ypa] ·∏

Yi∈Γ(Y ) PN [Yi|Ypai ]

PN [Y ] =∑

Y1...∑

YtPN [Y1, · · · ,Yt, Y ]

Therefore, using our noisy preliminary parameter estimates(Alg. 1, Line 4), we compute

∂P̃N [Y=y]∂Θ[xi|xpai ]

=∑

yi∈dom(Yi),ypai∈dom(Ypai

),

Yi∈Γ(Y )

( ∏Yi∈Γ(Y )

Θ̂[Yi = yi|Ypaiypai ]·

ζxi,xpai

(Yi = yi,Ypai= ypai))· Θ̂[Y= y|Ypa= ypa] ·ζ

xi,xpai

(Ypa = ypa)

ζxi,xpai

(Z1 = z1, · · · , Zt = zt)︸ ︷︷ ︸indicator variable to ensure

only relevant terms are retained

=

1 if

⋃i=1

tZi⋂{Xi ∪Xpai}=∅

1 if ∀Zi, Zi ∈ {X ∪Xpai}⇒zi ∈ {x, xpai}

0 otherwise

(8)where ζxi,xpai is an indicator variable which ensures thatonly the product terms

∏Yi∈Γ(Y ) Θ̂[yi|ypai ] involving param-

eters with attributes in {Xi, Xpai , Y } that match up with thecorresponding values in {xi, xpai , y} are retained in the com-putation (as all others terms have partial derivative 0). Thus,the noisy mean sensitivity estimate for the parameters ofnode Xi, ∆̃Ni , can be computed from Eq. (7) and (8).

Optimization Objective: Let εi denote the privacy budgetfor node Xi. Thus from the above discussion, the optimiza-tion objective FD,G is formulated as a weighted sum of theparameter error and the optimization problem is given by

minimizeεi

FD,G

subject to εi > 0,∀i ∈ [n] (9)

FD,G =(∑n−1

i=1 W [i]︸︷︷︸weight

· δ̃iεi︸︷︷︸

mean error

+W [n]· δ̃nεB−εI−

∑n−1i=1 εi

)(10)

W [i] = ( hi︸︷︷︸height

+1) · ( oi︸︷︷︸out-degree

+1) · ( ∆̃Ni︸︷︷︸sensitivity

+1) (11)

δ̃i = 1|dom(Xi∪Xpai )|

∑xi,xpai

(Θ̂[xi|xpai ]

√1/T̂ [xpai ]

2 + 1/T̂ [xi, xpai ]2

)(12)

T̂ [xi, xpai ], T̂ [xpai ] ∈ T̂i

where hi and oi are the height and out-degree of the nodeXi respectively, ∆Ni is the sensitivity of the parameters ofXi, δ̃iεi gives the measure for estimated mean error for theparameters (CPD) ofXi and the denominator of the last termof Eq. (10) captures the linear constraint

∑ni=1 εi = εB − εI .

As stated by Eq. (11), the weighting coefficient W [i] isdefined as the product of the aforementioned three features.The extra additive term 1 is used to handle leaf nodes toensure non-zero weighting coefficients. Let ε∗i denote theoptimal privacy budget for node Xi. The objective FD,G hasa closed form solution as follows

cj = 1/(W [j] · δ̃j), j ∈ [n], εII = εB − εI

ε∗i =εII

∏n

j=1,j 6=i

√cj∑

j∈[n]

∏n

l=1,l 6=j

√cl, i∈ [n− 1], ε∗n = εII −

n−1∑i=1

ε∗i (13)

Discussion: There are two sources of information to beconsidered for a DGM - (1) graph structure G (2) data set D.hi and oi are purely graph characteristics that summarisethe graphical properties of the node Xi. ∆̃Ni captures theinteractions of the graph structure with the actual parametervalues thereby encoding the data set dependent information.Hence, we theorize that the aforementioned three featuresare sufficient for constructing the weighting coefficients.

Also note that it is trivial to modify our proposed al-gorithm to allow estimation with Dirichlet priors (themost popular choice for a prior (Koller & Friedman,2009)). Specifically, R.H.S of Eq. (2) changes to(C[xi, xpai] + αk)/(C[xpai] +

∑k(αk) where αk are the pa-

rameters of the publicly known prior.

Illustration of Algorithm 1: Here we illustrate Alg. 1 onthe example DGM of Fig. 1. The parameters Θ of thisDGM are the CPDs {P [A], P [B], P [C|A,B], P [D|C], P [E|C],P [F |D,E]}. Thus we need to construct 6 marginal ta-bles over the attribute sets 〈{A}, {B}, {C,A,B}, {D,C},{E,C}, {F,D,E}〉. First, we compute a preliminary esti-mate of the above parameters from a sampled dataset D′(Alg. 1, Line 1-4). For this, we need to ensure mutualconsistency between M̃A and M̃C on attribute A, M̃B andM̃C on attribute B and so on (Proc. 1, Line 6). Thisis followed by the formulation of FD,G . (Alg. 1, Line5-12). Here we show the computation of W [i] for nodeA. For simplicity, we assume binary attributes. hA = 3

and oA = 1 trivially. For ∆NA , we need to compute thesensitivity of the parameters of A on the target probabil-ity of C, i.e., ∂P [C=0]

∂Θ[A=0] ,∂P [C=0]∂Θ[A=1] ,

∂P [C=1]∂Θ[A=1] , and ∂P [C=1]

∂Θ[A=0] which

is computed as ∂P̃ [C=0]∂Θ[A=0] =Θ̂[B = 0]Θ̂[C = 0|A = 0, B = 0]+

Θ̂[B = 1]Θ̂[C = 0|A = 0, B = 1]. The rest of the partialderivatives are computed in a similar manner to give us

∆NA = 14

(∂P [C=0]∂Θ[A=0] +∂P [C=0]

∂Θ[A=1] + ∂P [C=1]∂Θ[A=1] + ∂P [C=1]

∂Θ[A=0]

)Finally, we use the solution of FD,G to compute the finalparameters (Alg. 1, Line 13-21).

3.5. Privacy Analysis

Theorem 3.1. The proposed algorithm (Alg. 1) for learningthe parameters of a DGM with a publicly known graph

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

structure over fully observed data is εB-DP.

The proof of the above theorem follows from Thms. 2.1 and2.2 and is presented in Appx. 8.2.2. The DGM learned viaour algorithm can be released publicly and any inferencequery run on it will still be εB-DP (Thm. 2.2).

4. Error Analysis for Inference QueriesAs discussed in Sec. 3.4, our optimization objective min-imizes a weighted sum of the parameter errors. To under-stand how the error propagates from the parameters to theinference queries, we present two general results boundingthe error of a sum-product term of the VE algorithm, giventhe errors in the factors.

Theorem 4.1. [Lower Bound] For a DGM N , for any sum-product term of the form φA =

∑x

∏ti=1 φi, t ∈ {2, · · · , η} in

the VE algorithm,

δφA ≥√η − 1 · δminφi[a,x](φ

mini [a, x])η−2 (14)

where X is the attribute being eliminated, δφ denotesthe error in the factor φ, Attr(φ) is the set of at-tributes in φ, A =

⋃φi{Attr(φi)}/X, x ∈ dom(X), a ∈

dom(A), φ[a, x] denotes that V alue(Attr(φ)) ∈ {a}∧X = x,δminφi[a,x] = mini,a,x{δφi[a,x]}, φmini [a, x] = mini,a,x{φi[a, x]}and η = maxXi{in-degree(Xi)+ out-degree(Xi)}+ 1.

Theorem 4.2. [Upper Bound] For a DGM N , for any sum-product term of the form φA =

∑x

∏ti=1 φi, t ∈ {2, · · · , n}

in the VE algorithm with the optimal elimination order,

δφA ≤ 2 · η · dκδmaxφi[a,x] (15)

where X is the attribute being eliminated, δφ denotesthe error in the factor φ, κ is the treewidth of G, dis the maximum domain size of an attribute, Attr(φ)

is the set of attributes in φ, A =⋃ti{Attr(φi)}/X,

a ∈ dom(A), x ∈ dom(X), φ[a, x] denotes thatV alue(Attr(φ)) ∈ {a} ∧X = x, δmaxφi[a,x] = maxi,a,x{δφi[a,x]}and η = max

Xi{in-degree(Xi) + out-degree(Xi)}+ 1.

For proving the lower bound, we introduce a specific in-stance of the DGM based on Lemma 8.1 (Appx. 8.1.1). Forthe upper bound, with the optimal elimination order of theVE algorithm, the maximum error has an exponential depen-dency on the treewidth κ. For example, for the DGM in Fig.1, the maximum error is bounded by 2 · η · d2 · δmaxφi[a,x]. Thisis very intuitive as even the complexity of the VE algorithmhas the same dependency on κ. The answer of a marginalinference query is the factor generated from the last sum-product term. Also, since the initial set of φis for the firstsum-product term computation are the actual parametersof the DGM, all the errors in the subsequent intermediatefactors and hence the inference query itself can be boundedby functions of parameter errors using the above theorems.

5. EvaluationWe evaluate the utility of the DGM learned via our algorithmby studying the following three questions:

(1) Does our scheme lead to low error estimation of theDGM parameters?

(2) Does our scheme result in low error inference queryresponses?

(3) How does our scheme fare against data-independentapproaches?

Evaluation Highlights: First, focusing on the parametersof the DGM, we find that our scheme achieves low L1 error(at most 0.2 for ε = 1) and low KL divergence (at most0.13 for ε = 1) across all test data sets. Second, we findthat for marginal and conditional inferences, our schemeprovides low L1 error and KL divergence (both around0.05 at max for ε = 1) for all test data sets. Our schemealso provides high accuracy for MAP queries (93.5% ac-curacy for ε = 1 averaged over all test data sets). Finally,our scheme achieves strictly better utility than the data-independent baseline; our scheme only requires a privacybudget of ε = 1.0 to yield the same utility that the data-independent baseline achieves with ε = 3.0.

5.1. Experimental Setup

Data sets: We evaluate our proposed scheme on four bench-mark DGMs (BN) namely Asia, Sachs, Child and Alarm.For all four DGMs, the evaluation is carried out on cor-responding synthetic data sets (D1, 2014; D2) with 10Krecords each. These data sets are standard benchmarksfor evaluating DGM inferencing and are derived from real-world use cases (BN). Due to space constraints, we presentthe results for only two of the data sets (Sachs and Child)here; the rest are presented in Appx. 9.1. The details ofSachs and Child are as follows:

Sachs: Number of nodes – 11; Number of arcs – 17; Num-ber of parameters – 178

Child: Number of nodes – 20; Number of arcs – 25; Num-ber of parameters – 230

Baseline: We compare our results with a data-independentbaseline (denoted by D-Ind) which corresponds to executingProc. 1 on the entire input data set D with privacy budgetarray E = [ ε

B

n , · · · , εB

n ]. D-Ind is in fact based on (Zhanget al., 2016b) (see Sec. 6 for details) which is the mostrecent work that explicitly deals with parameter estimationfor DGMs. D-Ind is also identical (it has an additionalconsistency step) to an algorithm used in PrivBayes (Zhanget al., 2017) which uses DGMs to generate high-dimensionaldata. Other candidate baselines from the differential privacyliterature include MWEM (Hardt et al., 2012), HDMM

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.0

0.1

0.2

0.3

0.4

0.5

Mea

nδ L

1

D-Ind Scheme: δL1

Our Scheme: δL1

(a) Sachs: Parameter δL1

1.0 1.5 2.0 2.5 3.0

Total Privacy Budget ε

0.0

0.1

0.2

0.3

Mea

nDKL

D-Ind Scheme: DKL

Our Scheme: DKL

(b) Sachs: Parameter DKL

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.00

0.04

0.08

0.12

0.16

Mea

nδ L

1

D-Ind Scheme: δL1

Our Scheme: δL1

(c) Sachs: δL1 Inference

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.00

0.02

0.04

0.06

0.08

0.10

Mea

nDKL

D-Ind Scheme: DKL

Our Scheme: DKL

(d) Sachs: Inference DKL

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.00

0.03

0.06

0.09

0.12

0.15

Mea

nδ L

1

(e) Child: Parameter δL1

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.00

0.01

0.02

0.03

0.04

0.05

Mea

nDKL

(f) Child: Parameter DKL

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.000

0.005

0.010

0.015

0.020

0.025

Mea

nδ L

1

(g) Child: δL1 Inference

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.000

0.002

0.004

0.006

0.008

0.010

0.012

Mea

nDKL

(h) Child: Inference DKL

Figure 2: Parameter and Inference (Marginal and Conditional) Error Analysis: We observe that our scheme only requires a privacybudget of ε = 1.0 to yield the same utility that D-Ind achieves with ε = 3.0.

Table 1: MAP Inference Error Analysis

ε

ρAsia Sachs Child Alarm

D-Ind Our D-Ind Our D-Ind Our D-Ind OurScheme Scheme Scheme Scheme Scheme Scheme Scheme Scheme

1 0.88 1 0.81 0.86 0.79 0.93 0.89 0.951.5 0.93 1 0.87 0.93 0.83 0.95 0.92 0.982 1 1 0.92 0.98 0.89 0.97 0.95 1

2.5 1 1 0.96 1 1 1 1 13 1 1 1 1 1 1 1 1

Table 2: Error Bound Analysis

µAsia Sachs Child Alarm

D-Ind 0.008 0.065 0.0035 0.0046SchemeOur 0.0035 0.04 0.0014 0.0012Scheme

(McKenna et al., 2018), Ding et al’s work (Ding et al.,2011a) and PriView (Qardaji et al., 2014). However, evenwith binary attributes, MWEM, (Ding et al., 2011a) andHDMM have run time O(2n), O(2n) and O(4n) respectivelyfor marginal queries in our setting. Our scheme uses a subprotocol (MutualConsistency()) from PriView. However,PriView works best for answering all

(nk

)k-way marginals

(for k = 2 or 3). In contrast, our setting computes only nmarginals of varying size (often greater than 3). Hence PriV-iew gives lower accuracy than our baseline as the privacybudget is wasted in computing irrelevant marginals. Forexample, we have empirically verified that for dataset Sachs,the mean error of the parameters for our baseline is an ordersmaller than that of PriView.

Metrics: For conditional and marginal inferencequeries we compute the following two metrics: L1-error, δL1 =

∑x,y |P [x|y]− P̃ [x|y]|and KL divergence,

DKL =∑x,y P̃ [x|y] ln

(P̃ [x|y]P [x|y]

)where P [x|y] is either a true

CPD of the DGM (parameter) or a true marginal/conditionalinference query response and P̃ [x|y] is the correspondingnoisy estimate obtained from our scheme. For answeringMAP inferences, we compute ρ = # Correct answers

#Total runs .

Setup: We evaluate each data set on 20 random inference

queries (10 marginal inference, 10 conditional inference)and report mean error over 10 runs. For MAP queries, werun 20 random queries and report the mean result over 10runs. The queries are of the form P [X|Y ] where attributesubsets X and Y are varied from being singletons up tothe full attribute set. We compare our results with a stan-dard data-independent baseline (denoted by D-Ind) (Zhanget al., 2016b; 2017) which corresponds to executing Proce-dure 1 on the entire input data set D and the privacy budgetarray E = [ ε

B

n , · · · , εB

n ]. All the experiments have been im-plemented in Python and we set eI = 0.1 · eB , β = 0.1.

5.2. Experimental Results

Fig. 2 shows the mean δL1 and DKL for the noisy param-eters, and the marginal and conditional inferences for thedata sets Sachs and Child. The main observation is thatour scheme achieves strictly lower error than that of D-Ind.Specifically, our scheme only requires a privacy budget ofε = 1.0 to yield the same utility that D-Ind achieves withε = 3.0. In most practical scenarios, the value of ε typ-ically does not exceed 3 (Hsu et al., 2014). In Table 1,we present our experimental results for MAP queries. Wesee that our scheme achieves higher accuracy than D-Ind.For example, our scheme provides an accuracy of at least

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

86% while D-Ind achieves 81% accuracy for ε = 1. Finally,given a marginal inference query Q, we compute the scalenormalized error in Q as µ = δL1[Q]−LB

UB−LB where UB andLB are the upper and lower bound computed using Thm.4.2 and Thm. 4.12 respectively. Clearly, the lower the valueof µ, the closer it is to the lower bound and vice versa. Wereport the mean value of µ for 20 random inference queries(marginal and conditional) for ε = 1 in Table 2. We observethat the errors are closer to their respective lower bounds.This is more prominent for the errors obtained from ourdata-dependent scheme than those of D-Ind.

Thus, we conclude that the non-uniform budget

asia

tub

xray

either

smoke

lung

dysp

bronc

Figure 3: Graph Structure ofDGM Asia

allocation in our data-dependent scheme givesbetter utility than uniformbudget allocation. Forexample, for DGM Asia(Fig. 3), our scheme al-locates the privacy budgetin the following order:"asia">"smoke">"bronc">"lung">"tub">"xray">"either">"dysp". Asexpected, nodes with greater height and out-degree areassigned higher budget than leaf nodes.

6. Related WorkHere we briefly discuss the related literature (see Appx. 9for a detailed review). There has been a fair amount of workin differentially private Bayesian inferencing (Dimitrakakiset al., 2014; Wang et al., 2015b; Foulds et al., 2016; Zhanget al., 2016b; Geumlek et al., 2017; Bernstein & Sheldon,2018; Heikkilä et al., 2017; Wang et al., 2015a; Dziugaite& Roy, 2018; Zhang & Li, 2019; Schein et al., 2018; Parket al., 2016b; Jälkö et al., 2016; Barthe et al., 2016; Bernsteinet al., 2017; Zhang et al., 2020). All of the above workshave different setting/goal from our paper. Specifically, in(Zhang et al., 2016b) the authors propose algorithms forprivate Bayesian inference on graphical models. However,their proposed solution does not add data-dependent noise.In fact, their proposed algorithms (Alg. 1 and Alg. 2 in(Zhang et al., 2016b)) are essentially the same in spirit asour baseline solution, D-Ind. Moreover, some proposalsfrom (Zhang et al., 2016b) can be combined with D-Ind.For example, to ensure mutual consistency, (Zhang et al.,2016b) adds Laplace noise in the Fourier domain whileD-Ind uses techniques of (Hay et al., 2010a). D-Ind isalso identical (it has an additional consistency step) to analgorithm used in (Zhang et al., 2017) which uses DGMsto generate high-dimensional data. Data-dependent noise

2UB and LB are computed separately for each run of theexperiment from their respective empirical parameter errors.

addition is a popular technique in differential privacy (Acset al., 2012; Xu et al., 2012; Zhang et al.; Xiao et al., 2012;Hardt et al., 2012; Li et al., 2014; Kotsogiannis et al., 2017a).

7. ConclusionIn this paper, we have proposed an algorithm for differen-tially private learning of the parameters of a DGM with apublicly known graph structure over fully observed data.The noise added is customized to the private input dataset as well as the public graph structure of the DGM. Tothe best of our knowledge, we propose the first explicitdata-dependent privacy budget allocation mechanism in thecontext of DGMs. Our solution achieves strictly higherutility than that of a standard data-independent approach;our solution requires roughly 3× smaller privacy budget toachieve the same or higher utility.

ReferencesBn repository. URL http://www.bnlearn.com/bnrepository/.

Data repository. URL https://www.ccd.pitt.edu/wiki/index.php/Data_Repository.

Propagation of errors. URL https://www.lockhaven.edu/~dsimanek/scenario/errorman/propagat.htm.

Data. 2014. URL https://github.com/albertofranzin/data-thesis.

Abadi, M., Chu, A., Goodfellow, I., McMahan, H. B.,Mironov, I., Talwar, K., and Zhang, L. Deep learningwith differential privacy. In Proceedings of the 2016ACM SIGSAC Conference on Computer and Commu-nications Security, CCS ’16, pp. 308–318, New York,NY, USA, 2016. ACM. ISBN 978-1-4503-4139-4. doi:10.1145/2976749.2978318. URL http://doi.acm.org/10.1145/2976749.2978318.

Acs, G., Castelluccia, C., and Chen, R. Differentially privatehistogram publishing through lossy compression. In 2012IEEE 12th International Conference on Data Mining, pp.1–10, Dec 2012. doi: 10.1109/ICDM.2012.80.

Agarwal, N., Suresh, A. T., Yu, F. X. X., Kumar, S.,and McMahan, B. cpsgd: Communication-efficientand differentially-private distributed sgd. In Ben-gio, S., Wallach, H., Larochelle, H., Grauman,K., Cesa-Bianchi, N., and Garnett, R. (eds.), Ad-vances in Neural Information Processing Systems31, pp. 7564–7575. Curran Associates, Inc., 2018.URL http://papers.nips.cc/paper/7984-cpsgd-communication-efficient-and-

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

differentially-private-distributed-sgd.pdf.

Barak, B., Chaudhuri, K., Dwork, C., Kale, S., McSherry,F., and Talwar, K. Privacy, accuracy, and consistencytoo: A holistic solution to contingency table release. InProceedings of the Twenty-sixth ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems,PODS ’07, pp. 273–282, New York, NY, USA, 2007.ACM. ISBN 978-1-59593-685-1. doi: 10.1145/1265530.1265569. URL http://doi.acm.org/10.1145/1265530.1265569.

Barthe, G., Farina, G. P., Gaboardi, M., Arias, E. J. G.,Gordon, A., Hsu, J., and Strub, P.-Y. Differentially privatebayesian programming. In Proceedings of the 2016 ACMSIGSAC Conference on Computer and CommunicationsSecurity, CCS ’16, pp. 68–79, New York, NY, USA, 2016.ACM. ISBN 978-1-4503-4139-4. doi: 10.1145/2976749.2978371. URL http://doi.acm.org/10.1145/2976749.2978371.

Bernstein, G. and Sheldon, D. R. Differentially privatebayesian inference for exponential families. In Bengio, S.,Wallach, H., Larochelle, H., Grauman, K., Cesa-Bianchi,N., and Garnett, R. (eds.), Advances in Neural Infor-mation Processing Systems 31, pp. 2919–2929. CurranAssociates, Inc., 2018. URL http://papers.nips.cc/paper/7556-differentially-private-bayesian-inference-for-exponential-families.pdf.

Bernstein, G., McKenna, R., Sun, T., Sheldon, D., Hay,M., and Miklau, G. Differentially private learning ofundirected graphical models using collective graphicalmodels. In Proceedings of the 34th International Con-ference on Machine Learning - Volume 70, ICML’17, pp.478–487. JMLR.org, 2017. URL http://dl.acm.org/citation.cfm?id=3305381.3305431.

Chaudhuri, K., Monteleoni, C., and Sarwate, A. D. Differ-entially private empirical risk minimization. J. Mach.Learn. Res., 12:1069–1109, July 2011. ISSN 1532-4435. URL http://dl.acm.org/citation.cfm?id=1953048.2021036.

Cormode, G., Procopiuc, C., Srivastava, D., Shen, E., andYu, T. Differentially private spatial decompositions. InProceedings of the 2012 IEEE 28th International Con-ference on Data Engineering, ICDE ’12, pp. 20–31,Washington, DC, USA, 2012a. IEEE Computer Soci-ety. ISBN 978-0-7695-4747-3. doi: 10.1109/ICDE.2012.16. URL http://dx.doi.org/10.1109/ICDE.2012.16.

Cormode, G., Procopiuc, C., Srivastava, D., Shen, E., andYu, T. Differentially private spatial decompositions. In

Proceedings of the 2012 IEEE 28th International Con-ference on Data Engineering, ICDE ’12, pp. 20–31,Washington, DC, USA, 2012b. IEEE Computer Soci-ety. ISBN 978-0-7695-4747-3. doi: 10.1109/ICDE.2012.16. URL http://dx.doi.org/10.1109/ICDE.2012.16.

Diakonikolas, I., Hardt, M., and Schmidt, L. Dif-ferentially private learning of structured discretedistributions. In Cortes, C., Lawrence, N. D., Lee,D. D., Sugiyama, M., and Garnett, R. (eds.), Ad-vances in Neural Information Processing Systems28, pp. 2566–2574. Curran Associates, Inc., 2015.URL http://papers.nips.cc/paper/5713-differentially-private-learning-of-structured-discrete-distributions.pdf.

Dimitrakakis, C., Nelson, B., Mitrokotsa, A., and Rubin-stein, B. I. P. Robust and private bayesian inference.In Auer, P., Clark, A., Zeugmann, T., and Zilles, S.(eds.), Algorithmic Learning Theory, pp. 291–305, Cham,2014. Springer International Publishing. ISBN 978-3-319-11662-4.

Ding, B., Winslett, M., Han, J., and Li, Z. Differentiallyprivate data cubes: Optimizing noise sources and consis-tency. In Proceedings of the 2011 ACM SIGMOD Inter-national Conference on Management of Data, SIGMOD’11, pp. 217–228, New York, NY, USA, 2011a. Associa-tion for Computing Machinery. ISBN 9781450306614.doi: 10.1145/1989323.1989347. URL https://doi.org/10.1145/1989323.1989347.

Ding, B., Winslett, M., Han, J., and Li, Z. Differentiallyprivate data cubes: Optimizing noise sources and consis-tency. pp. 217–228, 01 2011b. doi: 10.1145/1989323.1989347.

Dwork, C. and Roth, A. The Algorithmic Foundations ofDifferential Privacy, volume 9. August 2014.

Dwork, C., Rothblum, G. N., and Vadhan, S. Boosting anddifferential privacy. In Proceedings of the 2010 IEEE51st Annual Symposium on Foundations of ComputerScience, FOCS ’10, pp. 51–60, Washington, DC, USA,2010. IEEE Computer Society. ISBN 978-0-7695-4244-7.doi: 10.1109/FOCS.2010.12. URL http://dx.doi.org/10.1109/FOCS.2010.12.

Dziugaite, G. K. and Roy, D. M. Data-dependentpac-bayes priors via differential privacy. In Ben-gio, S., Wallach, H., Larochelle, H., Grauman,K., Cesa-Bianchi, N., and Garnett, R. (eds.), Ad-vances in Neural Information Processing Systems31, pp. 8430–8441. Curran Associates, Inc., 2018.URL http://papers.nips.cc/paper/8063-

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

data-dependent-pac-bayes-priors-via-differential-privacy.pdf.

Foulds, J., Geumlek, J., Welling, M., and Chaudhuri,K. On the theory and practice of privacy-preservingbayesian data analysis. In Proceedings of the Thirty-Second Conference on Uncertainty in Artificial Intelli-gence, UAI’16, pp. 192–201, Arlington, Virginia, UnitedStates, 2016. AUAI Press. ISBN 978-0-9966431-1-5. URL http://dl.acm.org/citation.cfm?id=3020948.3020969.

Geumlek, J., Song, S., and Chaudhuri, K. Rényi differentialprivacy mechanisms for posterior sampling. In Proceed-ings of the 31st International Conference on Neural In-formation Processing Systems, NIPS’17, pp. 5295–5304,Red Hook, NY, USA, 2017. Curran Associates Inc. ISBN9781510860964.

Gupta, A., Hardt, M., Roth, A., and Ullman, J. Privatelyreleasing conjunctions and the statistical query barrier. InProceedings of the Forty-third Annual ACM Symposiumon Theory of Computing, STOC ’11, pp. 803–812, NewYork, NY, USA, 2011. ACM. ISBN 978-1-4503-0691-1.doi: 10.1145/1993636.1993742. URL http://doi.acm.org/10.1145/1993636.1993742.

Gupta, A., Roth, A., and Ullman, J. Iterative construc-tions and private data release. In Proceedings of the9th International Conference on Theory of Cryptogra-phy, TCC’12, pp. 339–356, Berlin, Heidelberg, 2012.Springer-Verlag. ISBN 978-3-642-28913-2. doi: 10.1007/978-3-642-28914-9_19. URL http://dx.doi.org/10.1007/978-3-642-28914-9_19.

Hardt, M., Ligett, K., and McSherry, F. A simple andpractical algorithm for differentially private data release.In Proceedings of the 25th International Conferenceon Neural Information Processing Systems - Volume 2,NIPS’12, pp. 2339–2347, USA, 2012. Curran AssociatesInc. URL http://dl.acm.org/citation.cfm?id=2999325.2999396.

Hay, M., Rastogi, V., Miklau, G., and Suciu, D. Boostingthe accuracy of differentially private histograms throughconsistency. Proceedings of the VLDB Endowment, 3(1-2):1021–1032, Sep 2010a. ISSN 2150-8097. doi:10.14778/1920841.1920970. URL http://dx.doi.org/10.14778/1920841.1920970.

Hay, M., Rastogi, V., Miklau, G., and Suciu, D. Boostingthe accuracy of differentially private histograms throughconsistency. Proc. VLDB Endow., 3(1-2):1021–1032,September 2010b. ISSN 2150-8097. doi: 10.14778/1920841.1920970. URL http://dx.doi.org/10.14778/1920841.1920970.

Heikkilä, M., Lagerspetz, E., Kaski, S., Shimizu, K.,Tarkoma, S., and Honkela, A. Differentially privatebayesian learning on distributed data. In Guyon, I.,Luxburg, U. V., Bengio, S., Wallach, H., Fergus, R.,Vishwanathan, S., and Garnett, R. (eds.), Advancesin Neural Information Processing Systems 30, pp.3226–3235. Curran Associates, Inc., 2017. URLhttp://papers.nips.cc/paper/6915-differentially-private-bayesian-learning-on-distributed-data.pdf.

Hsu, J., Gaboardi, M., Haeberlen, A., Khanna, S., Narayan,A., Pierce, B. C., and Roth, A. Differential privacy:An economic method for choosing epsilon. 2014 IEEE27th Computer Security Foundations Symposium, Jul2014. doi: 10.1109/csf.2014.35. URL http://dx.doi.org/10.1109/CSF.2014.35.

Jälkö, J., Honkela, A., and Dikmen, O. Differentially privatevariational inference for non-conjugate models. CoRR,abs/1610.08749, 2016.

Kasiviswanathan, S. P., Lee, H. K., Nissim, K., Raskhod-nikova, S., and Smith, A. What can we learn privately?SIAM J. Comput., 40(3):793–826, June 2011. ISSN0097-5397. doi: 10.1137/090756090. URL http://dx.doi.org/10.1137/090756090.

Koller, D. and Friedman, N. Probabilistic Graphical Mod-els: Principles and Techniques - Adaptive Computationand Machine Learning. The MIT Press, 2009. ISBN0262013193, 9780262013192.

Kotsogiannis, I., Machanavajjhala, A., Hay, M., and Mik-lau, G. Pythia: Data dependent differentially privatealgorithm selection. In Proceedings of the 2017 ACMInternational Conference on Management of Data, SIG-MOD ’17, pp. 1323–1337, New York, NY, USA, 2017a.ACM. ISBN 978-1-4503-4197-4. doi: 10.1145/3035918.3035945. URL http://doi.acm.org/10.1145/3035918.3035945.

Kotsogiannis, I., Machanavajjhala, A., Hay, M., and Mik-lau, G. Pythia: Data dependent differentially privatealgorithm selection. In Proceedings of the 2017 ACMInternational Conference on Management of Data, SIG-MOD ’17, pp. 1323–1337, New York, NY, USA, 2017b.ACM. ISBN 978-1-4503-4197-4. doi: 10.1145/3035918.3035945. URL http://doi.acm.org/10.1145/3035918.3035945.

Laskey, K. B. Sensitivity analysis for probability assess-ments in bayesian networks. IEEE Transactions on Sys-tems, Man, and Cybernetics, 25(6):901–909, June 1995.ISSN 0018-9472. doi: 10.1109/21.384252.

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

Lei, J. Differentially private m-estimators. In Shawe-Taylor,J., Zemel, R. S., Bartlett, P. L., Pereira, F., and Wein-berger, K. Q. (eds.), Advances in Neural InformationProcessing Systems 24, pp. 361–369. Curran Associates,Inc., 2011. URL http://papers.nips.cc/paper/4376-differentially-private-m-estimators.pdf.

Li, C., Hay, M., Rastogi, V., Miklau, G., and McGre-gor, A. Optimizing linear counting queries under dif-ferential privacy. In Proceedings of the Twenty-ninthACM SIGMOD-SIGACT-SIGART Symposium on Prin-ciples of Database Systems, PODS ’10, pp. 123–134,New York, NY, USA, 2010. ACM. ISBN 978-1-4503-0033-9. doi: 10.1145/1807085.1807104. URL http://doi.acm.org/10.1145/1807085.1807104.

Li, C., Hay, M., Miklau, G., and Wang, Y. A data- andworkload-aware algorithm for range queries under dif-ferential privacy. Proceedings of the VLDB Endow-ment, 7(5):341–352, Jan 2014. ISSN 2150-8097. doi:10.14778/2732269.2732271. URL http://dx.doi.org/10.14778/2732269.2732271.

Li, N., Qardaji, W. H., and Su, D. On sampling, anonymiza-tion, and differential privacy or, k-anonymization meetsdifferential privacy. In 7th ACM Symposium on Infor-mation, Compuer and Communications Security, ASI-ACCS ’12, Seoul, Korea, May 2-4, 2012, pp. 32–33,2012. doi: 10.1145/2414456.2414474. URL https://doi.org/10.1145/2414456.2414474.

McKenna, R., Miklau, G., Hay, M., and Machanava-jjhala, A. Optimizing error of high-dimensional sta-tistical queries under differential privacy. Proc. VLDBEndow., 11(10):1206–1219, June 2018. ISSN 2150-8097. doi: 10.14778/3231751.3231769. URL https://doi.org/10.14778/3231751.3231769.

Park, M., Foulds, J., Chaudhuri, K., and Welling, M. Dp-em:Differentially private expectation maximization, 2016a.

Park, M., Foulds, J. R., Chaudhuri, K., and Welling,M. Variational bayes in private settings (vips). CoRR,abs/1611.00340, 2016b.

Pearl, J. Probabilistic Reasoning in Intelligent Systems:Networks of Plausible Inference. Morgan KaufmannPublishers Inc., San Francisco, CA, USA, 1988. ISBN0-934613-73-7.

Pearl, J. Graphical Models for Probabilistic and CausalReasoning, pp. 367–389. Springer Netherlands, Dor-drecht, 1998. ISBN 978-94-017-1735-9. doi: 10.1007/978-94-017-1735-9_12. URL https://doi.org/10.1007/978-94-017-1735-9_12.

Qardaji, W., Yang, W., and Li, N. Priview: Practical dif-ferentially private release of marginal contingency ta-bles. In Proceedings of the 2014 ACM SIGMOD In-ternational Conference on Management of Data, SIG-MOD ’14, pp. 1435–1446, New York, NY, USA, 2014.ACM. ISBN 978-1-4503-2376-5. doi: 10.1145/2588555.2588575. URL http://doi.acm.org/10.1145/2588555.2588575.

Schein, A., Wu, Z. S., Zhou, M., and Wallach, H. M. Lo-cally private bayesian inference for count models. CoRR,abs/1803.08471, 2018.

Shokri, R., Stronati, M., Song, C., and Shmatikov, V. Mem-bership inference attacks against machine learning mod-els. In 2017 IEEE Symposium on Security and Privacy(SP), pp. 3–18, May 2017. doi: 10.1109/SP.2017.41.

Thaler, J., Ullman, J., and Vadhan, S. Faster algorithms forprivately releasing marginals. Lecture Notes in ComputerScience, pp. 810–821, 2012. ISSN 1611-3349. doi: 10.1007/978-3-642-31594-7_68. URL http://dx.doi.org/10.1007/978-3-642-31594-7_68.

Wang, D., Ye, M., and Xu, J. Differentially private empiricalrisk minimization revisited: Faster and more general.In Guyon, I., Luxburg, U. V., Bengio, S., Wallach, H.,Fergus, R., Vishwanathan, S., and Garnett, R. (eds.),Advances in Neural Information Processing Systems30, pp. 2722–2731. Curran Associates, Inc., 2017.URL http://papers.nips.cc/paper/6865-differentially-private-empirical-risk-minimization-revisited-faster-and-more-general.pdf.

Wang, Y., Wang, Y.-X., and Singh, A. Differentially privatesubspace clustering. In Proceedings of the 28th Inter-national Conference on Neural Information ProcessingSystems - Volume 1, NIPS’15, pp. 1000–1008, Cambridge,MA, USA, 2015a. MIT Press. URL http://dl.acm.org/citation.cfm?id=2969239.2969351.

Wang, Y.-X., Fienberg, S. E., and Smola, A. J. Pri-vacy for free: Posterior sampling and stochastic gra-dient monte carlo. In Bach, F. R. and Blei, D. M.(eds.), ICML, volume 37 of JMLR Workshop andConference Proceedings, pp. 2493–2502. JMLR.org,2015b. URL http://dblp.uni-trier.de/db/conf/icml/icml2015.html#WangFS15.

Williams, O. and Mcsherry, F. Probabilistic inferenceand differential privacy. In Lafferty, J. D., Williams,C. K. I., Shawe-Taylor, J., Zemel, R. S., and Culotta,A. (eds.), Advances in Neural Information Process-ing Systems 23, pp. 2451–2459. Curran Associates,Inc., 2010. URL http://papers.nips.cc/

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

paper/3897-probabilistic-inference-and-differential-privacy.pdf.

Wu, X., Li, F., Kumar, A., Chaudhuri, K., Jha, S., andNaughton, J. Bolt-on differential privacy for scalablestochastic gradient descent-based analytics. Proceed-ings of the 2017 ACM International Conference on Man-agement of Data - SIGMOD ’17, 2017. doi: 10.1145/3035918.3064047. URL http://dx.doi.org/10.1145/3035918.3064047.

Xiao, X., Wang, G., and Gehrke, J. Differential privacy viawavelet transforms. IEEE Trans. on Knowl. and DataEng., 23(8):1200–1214, August 2011. ISSN 1041-4347.doi: 10.1109/TKDE.2010.247. URL http://dx.doi.org/10.1109/TKDE.2010.247.

Xiao, Y., Gardner, J., and Xiong, L. Dpcube: Releasingdifferentially private data cubes for health information.In 2012 IEEE 28th International Conference on DataEngineering, pp. 1305–1308, April 2012. doi: 10.1109/ICDE.2012.135.

Xu, J., Zhang, Z., Xiao, X., Yang, Y., and Yu, G. Dif-ferentially private histogram publication. In 2012 IEEE28th International Conference on Data Engineering, pp.32–43, April 2012. doi: 10.1109/ICDE.2012.48.

Yaroslavtsev, G., Procopiuc, C. M., Cormode, G., andSrivastava, D. Accurate and efficient private releaseof datacubes and contingency tables. In Proceedingsof the 2013 IEEE International Conference on DataEngineering (ICDE 2013), ICDE ’13, pp. 745–756,Washington, DC, USA, 2013. IEEE Computer Society.ISBN 978-1-4673-4909-3. doi: 10.1109/ICDE.2013.6544871. URL http://dx.doi.org/10.1109/ICDE.2013.6544871.

Yuan, G., Zhang, Z., Winslett, M., Xiao, X., Yang, Y., andHao, Z. Low-rank mechanism:optimizing batch queriesunder differential privacy. Proceedings of the VLDBEndowment, 5(11):1352–1363, Jul 2012. ISSN 2150-8097. doi: 10.14778/2350229.2350252. URL http://dx.doi.org/10.14778/2350229.2350252.

Zhang, C., Bengio, S., Hardt, M., Recht, B., and Vinyals, O.Understanding deep learning requires rethinking general-ization, 2016a.

Zhang, G. and Li, S. Research on differentially privatebayesian classification algorithm for data streams. In2019 IEEE 4th International Conference on Big DataAnalytics (ICBDA), pp. 14–20, March 2019. doi: 10.1109/ICBDA.2019.8713253.

Zhang, H., Kamath, G., Kulkarni, J., and Wu, Z. S. Privatelylearning markov random fields, 2020.

Zhang, J., Cormode, G., Procopiuc, C. M., Srivastava,D., and Xiao, X. Privbayes: Private data release viabayesian networks. ACM Trans. Database Syst., 42(4):25:1–25:41, October 2017. ISSN 0362-5915. doi:10.1145/3134428. URL http://doi.acm.org/10.1145/3134428.

Zhang, X., Chen, R., Xu, J., Meng, X., and Xie,Y. Towards accurate histogram publication un-der differential privacy. In Proceedings of the2014 SIAM International Conference on Data Min-ing, pp. 587–595. doi: 10.1137/1.9781611973440.68.URL https://epubs.siam.org/doi/abs/10.1137/1.9781611973440.68.

Zhang, Z., Rubinstein, B. I. P., and Dimitrakakis, C. Onthe differential privacy of bayesian inference. In Pro-ceedings of the Thirtieth AAAI Conference on ArtificialIntelligence, AAAI’16, pp. 2365–2371. AAAI Press,2016b. URL http://dl.acm.org/citation.cfm?id=3016100.3016229.

Data-Dependent Differentially Private Parameter Learning for DirectedGraphical Models – Supplementary Material

8. Appendix8.1. Background Cntd.

8.1.1. DIRECTED GRAPHICAL MODELS CNTD.

Variable Elimination Algorithm (VE): The complete VEalgorithm is given by Algorithm 3. The basic idea of thevariable elimination algorithm is that we "eliminate" onevariable at a time following a predefined order ≺ over thenodes of the graph. Let Φ denote a set of probability factorswhich is initialized as the set of all CPDs of the DGM andZ denote the variable to be eliminated. For the eliminationstep, firstly all the probability factors involving the variableto be eliminated, Z are removed from Φ and multipliedtogether to generate a new product factor. Next, the variableZ is summed out from this combined factor generating anew factor that is entered into Φ. Thus the VE algorithmessentially involves repeated computation of a sum-producttask of the form

φ =∑Z

∏φ∈Φ

φ (16)

The complexity of the VE algorithm is defined by the sizeof the largest factor. Here we state two lemmas regardingthe intermediate factors φ which will be used in Section 8.3.

Lemma 8.1. Every intermediate factor (φ in (16)) gener-ated as a result of executing the VE algorithm on a DGMNcorrespond to a valid conditional probability of some DGM(not necessarily the same DGM, N ). (Koller & Friedman,2009)

Lemma 8.2. The size of the largest intermediary factorgenerated as a result of running of the VE algorithm on aDGM is at least equal to the treewidth of the graph (Koller& Friedman, 2009).

Corollary. The complexity of the VE algorithm with theoptimal order of elimination depends on the treewidth of thegraph.

8.2. Data-Dependent Differentially Private ParameterLearning for DGMs Cntd.

8.2.1. CONSISTENCY BETWEEN NOISY MARGINALTABLES

The objective of this step is to input the set of noisy marginaltables M̃i and compute perturbed versions of these tables

Algorithm 2 Sum Product Variable Elimination Algorithm

Notations : Φ - Set of factorsX - Set of variables to be eliminated≺ - Ordering on XX - Variable to be eliminatedAttr(φ) - Attribute set of factor φ

Procedure Sum-Product-VE(Φ,X,≺)1: Let X1, · · · , Xk be an ordering of X such thatXi ≺ Xj iff i < j

2: for i = 1, · · · , k3: Φ← Sum-Product-Eliminate-Var(Φ, Zi)4: φ∗ ←∏

φ∈Φ φ5: return φ∗

Procedure Sum-Product-Eliminate-Var(Φ, X)6: Φ′ ← {φ ∈ Φ : Z ∈ Attr(φ)}7: Φ′′ ← Φ− Φ′

8: ψ ←∏φ∈Φ′ φ

9: φ←∑Z ψ

10: return Φ′′ ∪ {φ}

that are mutually consistent (Defn. 2.3. The followingprocedure has been reproduced from (Hay et al., 2010a;Qardaji et al., 2014) with a few adjustments.

Mutual Consistency on a Set of Attributes:

Assume a set of tables {M̃i, · · · , M̃j} and let A =

Attr(M̃i) ∩ · · · ∩ Attr(M̃j). Mutual consistency, i.e.,M̃i[A] ≡ · · · ≡ M̃j [A] is achieved as follows:

(1) First compute the best approximation for the marginaltable M̃A for the attribute set A as follows

M̃A[A′] =1∑jt=1 εt

j∑t=i

εt · M̃t[A′], A′ ∈ A (17)

(2) Update all M̃ts to be consistent with M̃A. Any countingquery c is now answered as

M̃t(c) = M̃t(c) +|dom(A)|

|dom(Attr(M̃)|

(M̃A(a)− M̃t(a))

(18)

where a is the query c restricted to attributes in A and M̃t(c)is the response of c on M̃t .

Overall Consistency:

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

(1) Take all sets of attributes that are the result of the inter-section of some subset of

⋃di=k+1{Xi ∪Xpai}; these sets

form a partial order under the subset relation.

(2) Obtain a topological sort of these sets, starting from theempty set.

(3) For each set A, one finds all tables that include A, andensures that these tables are consistent on A.

8.2.2. PRIVACY ANALYSIS

Theorem 3.1. The proposed algorithm (Algorithm 1) forlearning the parameters of a fully observed directed graphi-cal model is εB-differentially private.

Proof. The sensitivity of counting queries is 1. Hence, thecomputation of the noisy tables T̃i (Proc. 1, Line 2-3) is astraightforward application of Laplace mechanism (Sec. 2).This together with Lemma 2.3 makes the computation ofT̃i, εI -DP. Now the subsequent computation of the optimalprivacy budget allocation E∗ is a post-processing opera-tion on T̃i and hence by Thm. 2.2 is still εI -DP. The finalparameter computation is clearly (εB-εI )-DP. Thus by thetheorem of sequential composition (Thm. 2.1), Algorithm 1is εB-DP.

8.3. Error Bound Analysis Cntd.

In this section, we present the proofs of Thm. 4.1 and Thm.4.2.

Preliminaries and Notations:For the proofs, we use the following notations. LetX be the attribute that is being eliminated and letA =

⋃φiAttr(φi)\X where Attr(φ) denotes the set of

attributes in φ. For some a ∈ dom(A), from the variableelimination algorithm (Sec. 8.1.1) for a sum-product term(Eq. (16)) we have

φA [a] =∑x

t∏i=1

φi[x, a] (19)

Let us assume that factor φ[a, x] denotes thatV alue(Attr(φ)) ∈ {a} and X = x. Recall that af-ter computing a sum-product task (given by Eq. (20)),for the variable elimination algorithm (Appx. Algo-rithm 2), we will be left with a factor term over theattribute set A . For example, if the elimination orderfor the variable elimination algorithm on our exampleDGM (Figure 1) is given by ≺= {A,B,C,D,E, F}and the attributes are binary valued, then the firstsum-product task will be of the following formA = {B,C}, dom(A) = {(0, 0), (0, 1), (1, 0), (1, 1)} andthe RHS φis in this case happen to be the true parameters

of the DGM,

φB,C [0, 0] = Θ[A = 0] ·Θ[C = 0|A = 0, B = 0] +

Θ[A = 1] ·Θ[C = 0|A = 1, B = 0]

φB,C [0, 1] = Θ[A = 0] ·Θ[C = 1|A = 0, B = 0] +

Θ[A = 1] ·Θ[C = 1|A = 1, B = 0]

φB,C [1, 0] = Θ[A = 0] ·Θ[C = 1|A = 0, B = 0] +

Θ[A = 1] ·Θ[C = 1|A = 1, B = 0]

φB,C [1, 1] = Θ[A = 0] ·Θ[C = 1|A = 0, B = 1] +

Θ[A = 1] ·Θ[C = 1|A = 1, B = 1]

φB,C = [φB,C [0, 0],φB,C [0, 1],φB,C [1, 0],φB,C [1, 1]]

8.3.1. LOWER BOUND

Theorem 4.1. For a DGM N , for any sum-product termof the form φA =

∑x

∏ti=1 φi, t ∈ {2, · · · , η} in the VE algo-

rithm,

δφA ≥√η − 1 · δminφi[a,x](φ

mini [a, x])η−2 (20)

where X is the attribute being eliminated, δφ de-notes the error in factor φ, Attr(φ) is the set of at-tributes in φ, A =

⋃φi{Attr(φi)}/X, x ∈ dom(X), a ∈

dom(A), φ[a, x] denotes that V alue(Attr(φ)) ∈ {a}∧X = x,δminφi[a,x] = mini,a,x{δφi[a,x]}, φmini [a, x] = mini,a,x{φi[a, x]}and η = maxXi{in-degree(Xi)+ out-degree(Xi)}+ 1.

Proof. Proof Structure:

The proof is structured as follows. First, we computethe error for a single term φA [a], a ∈ dom(A) (Eq.(21),(22),(23)). Next we compute the total error δφA

bysumming over ∀a ∈ dom(A). This is done by divid-ing the summands into two types of terms (a) Υφ1[a,x]

(b) δ∏ti=1 φi[a,x]

∏ti=1 φi[a, x] (Eq. (25),(26)). We prove

that the summation of first type of terms (Υφ1[x]) can belower bounded by 0 non-trivially. Then we compute a lowerbound on the terms of the form δ∏t

i=2 φi[a,x]

∏ti=2 φi[a, x]

(Eq. (31)) which gives our final answer (Eq. (32)).

Step 1: Computing error in a single term φA [a], δφA [a]

The error in φA [a], due to noise injection is given by ,

δφA [a] =

∣∣∣∣∣∑x

t∏i=1

φi[x, a]−∑x

t∏i=1

φ̃i[a, x]

∣∣∣∣∣=

∣∣∣∣∣∑x

(φ1[x, a]

t∏i=2

φi[x, a]− φ̃1[x, a]

t∏i=2

φ̃i[x, a])∣∣∣∣∣

=

∣∣∣∣∣∑x

(φ1[x, a]

∏ti=2 φi[x, a]− φ̃1[x, a]

∏ti=2(φi[x, a]± δφi[x,a])

)∣∣∣∣∣(21)

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

Using the rule of standard error propagation, we have

δ∏ti=2 φi[x,a] =

t∏i=2

φ̃i[x, a]

√√√√ t∑i=2

( δφi[x,a]

φi[x, a]

)2

(22)

Thus from the above equation (Eq. (22)) we can rewrite Eq.(21) as follows,

=

∣∣∣∣∣∑x

(φ1[x, a]

∏ti=2 φi[x, a]− ˜φ1[x, a]

∏ti=2 φi[x, a](1± δ∏t

i=2 φi[x,a]))∣∣∣∣∣

=

∣∣∣∣∣∑x

((φ1[a, x]− ˜φ1[a, x])

∏ti=2 φi[a, x]± δ∏t

i=1 φi[a,x]

∏ti=1 φi[a, x]

)∣∣∣∣∣(23)

Step 2: Compute total error δφA

Now, total error in φA is

δφA =∑a

δφA [a] (24)

Collecting all the product terms from the above equation(24) with φ1[a, x]− φ̃1[a, x] as a multiplicand, we get

Υφ1[a,x] = (φ1[a, x]− φ̃1[a, x])∑a

t∏i=2

φi[a, x] (25)

Thus δφAcan be rewritten as

δφA=∑a,x

Υφ1[a,x] ±∑a,x

t∏i=1

φi[a, x]δ∏ti=2 φi[a,x] (26)

First we show that for a specific DGM we have∑a,x Υφ1[a,x] = 0 as follows. Let us assume that the DGM

has Attr(φ1) = X . Thus φ1[a, x] reduces to just φ1[x].

Υφ1[x] = (φ1[x]− φ̃1[x])∑a

t∏i=2

φi[x]

= (φ1[x]− φ̃1[x])(∑ak

· · ·∑a1

t∏i=2

φi[a1, · · · , ak, x])

[A = 〈A1, · · ·Ak〉, aj ∈ dom(Aj), j ∈ [k]]

= (φ1[x]− φ̃1[x])(∑

ak· · ·∑a2

∏ti=3 φi[a2, · · · , ak, x]

∑a1φ2[a1, · · · , ak, x]

)[Assuming that φ2 is the only factor with attribute A1]

Now each factor φi is either a true parameter (CPD) ofthe DGM N or a CPD over some other DGM (lemma8.1). Thus, let us assume that φ2 represents a condi-tional of the form P [A1|A, X],A = A/A1. Thus wehave

∑a1φ2[a1, · · · , ak, x] =

∑a1P [A1 = a1|A2 =

a2, · · · ,Ak = ak, X = x] = 1. Now repeating the aboveprocess over all i ∈ {3, · · · , t}φis , we get

Υφ1[x] = φ1[x]− φ̃1[x] (27)

For the ease of understanding, we illustrate the above resulton our example DGM (Figure 1). Let us assume that theorder of elimination is given by ≺= 〈A,B,C,D,E, F 〉.For simplicity, again we assume binary attributes. Let φCbe the factor that is obtained after eliminating A and B.Thus the sum-product task for eliminating C is given by

φD,E [0, 0] = φC [C = 0] ·Θ[D = 0|C = 0]Θ[E = 0|C = 0]

+φC [C = 1] ·Θ[D = 0|C = 1]Θ[E = 0|C = 1]

φD,E [0, 1] = φC [C = 0] ·Θ[D = 0|C = 0]Θ[E = 1|C = 0]

+φC [C = 1] ·Θ[D = 0|C = 1]Θ[E = 1|C = 1]

φD,E [1, 0] = φC [C = 0] ·Θ[D = 1|C = 0]Θ[E = 0|C = 0]

+φC [C = 1] ·Θ[D = 1|C = 1]Θ[E = 0|C = 1]

φD,E [1, 1] = φC [C = 0] ·Θ[D = 1|C = 0]Θ[E = 1|C = 0]

+φC [C = 1] ·Θ[D = 1|C = 1]Θ[E = 1|C = 1]

Hence considering noisy φ̃D,E we have,

ΥφC [0] = (φC [C = 0]− φ̃C [C = 0]) · (Θ[D = 0|C = 0]Θ[E = 0|C = 0]

+Θ[D = 0|C = 0]Θ[E = 1|C = 0] + Θ[D = 1|C = 0]Θ[E = 0|C = 0]

+Θ[D = 1|C = 0]Θ[E = 1|C = 0])

= (φC [C = 0]− φ̃C [C = 0]) ·(

Θ[D = 0|C = 0](Θ[E = 0|C = 0] + Θ[E = 1|C = 0]

)+(

Θ[D = 1|C = 0](Θ[E = 0|C = 0] + Θ[E = 1|C = 0]

))= (φC [C = 0]− φ̃C [C = 0]) ·

(Θ[D = 0|C = 0] + Θ[D = 1|C = 0]

)[∵ Θ[E = 0|C = 0] + Θ[E = 1|C = 0] = 1

]= φC [C = 0]− φ̃C [C = 0] (28)[

∵ Θ[D = 0|C = 0] + Θ[D = 1|C = 0] = 1]

Similarly

ΥφC [1] = φC [C = 1]− φ̃C [C = 1] (29)

Now using Eq. (27) and summing over ∀x ∈ dom(X)∑x

Υφ1[x] =∑x

(φ1[x]− φ̃1[x])

= 0[∵∑x

φ1[x] =∑x

φ̃1[x] = 1]

(30)

Referring back to our example above, since φC [1]+φC [0] =φ̃C [C = 0] + φ̃C [C = 1], quite trivially

φC [C = 0] + φC [C = 1] = φ̃C [C = 0] + φ̃C [C = 1]

⇒ (φC [C = 0]− φ̃C [C = 0]) + (φC [C = 1]− φ̃C [C = 1]) = 0

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

Thus, from Eq. (26)

δφA =∑x

Υφ1[x] ±∑a,x

δ∏ti=2 φi[a,x]

t∏i=1

φi[a, x]

=∑a,x

δ∏ti=2 φi[a,x]

t∏i=1

φi[a, x][From Eq. (30) and dropping ± as we are dealing with errors

]≥ δmin∏t

i=2 φi[a,x]

∑a,x

t∏i=1

φi[a, x][δmin∏t

i=2 φi[a,x] = mina,x

{δ∏t

i=2 φi[a,x]

}]≥ δmin∏t

i=2 φi[a,x][∵ By Lemma 8.1 φA is a CPD, thus

∑a,x

t∏i=1

φi[a, x] ≥ 1]

= mina,x

{t∏i=2

φi[x, a]

√√√√ t∑i=2

( δφi[a,x]

φi[a, x]

)2}

≥ mina,x{

t∏i=2

φi[x, a]

√(t− 1)

( δminφi[a,x]

φi[x, a]

)2}

[δminφi[x,a] = mini,a,x

{δφi[a,x]

}]

≥ mina,x{√

(t− 1)δminφi[a,x]

φmaxi

t∏i=2

φi[a, x]

}[φmaxi = max

i{φi[a, x]}

]≥ δminφi[a,x]

√t− 1(φmini [a, x])t−2 (31)[

Assuming φmini [a, x] = mini,a,x{φi[a, x]}]

Now, recall from the variable elimination algorithm thatduring each elimination step, if Z is the variable being elim-inated then we the product term contains all the factors thatinclude Z. For a DGM with graph G, the maximum numberof such factors is clearly η = maxXi{out-degree(Xi) +in-degree(Xi)} + 1 of G, i.e., t ≤ η. Additionally wehave φmin[a, x] ≤ 1

dmin≤ 1

2 where dmin is the mini-mum size of dom(Attr(φ)) and clearly dmin ≥ 2. Since2t ≥

√t, t ≥ 2, under the constraint that t is an integer and

φmin[a, x] ≤ 12 , we have

δφA ≥√η − 1δminφi[a,x](φ

min[a, x])η−2 (32)

8.3.2. UPPER BOUND

Theorem 4.2. For a DGM N , for any sum-product termof the form φA =

∑x

∏ti=1 φi, t ∈ {2, · · · , n} in the VE algo-

rithm with the optimal elimination order,

δφA ≤ 2 · η · dκδmaxφi[a,x] (33)

where X is the attribute being eliminated, δφ de-notes the error in factor φ, κ is the treewidth ofG, d is the maximum attribute domain size, Attr(φ)

is the set of attributes in φ, A =⋃ti{Attr(φi)}/X,

a ∈ dom(A), x ∈ dom(X), φ[a, x] denotes thatV alue(Attr(φ)) ∈ {a} ∧X = x, δmaxφi[a,x] = maxi,a,x{δφi[a,x]}and η = max

Xi{in-degree(Xi) + out-degree(Xi)}+ 1.

Proof. Proof Structure:

The proof is structured as follows. First we computean upper bound for a product of t > 0 noisy factorsφ̃i[a, x], i ∈ [t] (Lemma 8.3). Next we use this lemma,to bound the error, δφA [a], for the factor, φA [a], a ∈ dom(A)(Eq. (34)). Finally we use this result to bound the total error,δφA , by summing over ∀a ∈ dom(A) (Eq. (35)).

Step 1: Computing the upper bound of the error of asingle term φ̃A [a], δφA [a]

Lemma 8.3. For a ∈ dom(A), x ∈ dom(X)

t∏i=1

φ̃i[a, x] ≤t∏i=1

φi[a, x] +∑i

δφi[a,x]

Proof. First we consider the base case when t = 2.

Base Case:

φ̃1[a, x]φ̃2[a, x] = (φ1[a, x]± δφ1[a,x])(φ2[a, x]± δφ2[a,x])

≤ (φ1[a, x] + δφ1[a,x])(φ2[a, x] + δφ2[a,x])

= (φ1[a, x] · φ2[a, x] + δφ1[a,x](φ2[a, x] + δφ2[a,x]) + δφ2[a,x] · φ1[a, x])

≤ (φ1[a, x] · φ2[a, x] + δφ1[a,x] + δφ2[a,x]φ1[a, x])[∵ (φ2[a, x] + δφ2[a,x]) ≤ 1 as φ̃i[a, x] is still

a valid probability distribution]

≤ φ1[a, x] · φ2[a, x] + δφ1[a,x] + δφ2[a,x][∵ φ1[a, x] < 1

]Inductive Case:

Let us assume that the lemma holds for t = k. Thus we

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

havek+1∏i=1

φ̃i[a, x] =

k∏i=1

φ̃i[a, x] · φ̃k+1[a, x]

≤ (

k∏i=1

φi[a, x] +∑i

δφi[a,x]) · (φk+1[a, x] + δφk+1[a, x])

≤k+1∏i=1

φi[a, x] +∑i

δφi[a,x] · (φk+1[a, x] + δφk+1[a, x])

+δφk+1[a, x]

k∏i=1

φi[a, x]

≤k+1∏i=1

φi[a, x] +

k+1∑i=1

δφi[a,x] + δφk+1[a, x]

k∏i=1

φi[a, x]

[∵ (φk+1[a, x] + δφk+1[a,x]) ≤ 1 as φ̃k+1[a, x] is still

a valid probability distribution]

≤k+1∏i=1

φi[a, x] +

k+1∑i=1

δφi[a,x][∵ ∀i, φi[a, x] ≤ 1]

Hence, we havet∏i=1

φ̃i[a, x] ≤t∏i=1

φi[a, x] +∑i

δφi[a,x]

Next, we compute the error for the factor, φA [a], a ∈dom(A) as follows

δφA[a] =∣∣∣∑x

t∏i=1

φi[a, x]−∑x

t∏i=1

φ̃i[a, x]∣∣∣

=∣∣∣∑x

t∏i=1

φi[a, x]− φ1[a, x]

t∏i=2

˜φi[a, x]∣∣∣

=∣∣∣∑x

t∏i=1

φi[a, x]− φ̃1[a, x]

t∏i=2

(φi[a, x]± δφi[a,x])∣∣∣

≤∣∣∣∑x

( t∏i=1

φi[a, x]− φ̃1[a, x](

t∏i=2

φi[a, x] +

t∑i=2

δφi[a,x]))∣∣∣[

Using Lemma 8.3]

≤∣∣∣∑x

((φ1[a, x]− φ̃1[a, x])

t∏i=2

φi[a, x]

+φ̃1[a, x]

t∑i=2

δφi[a,x]

)∣∣∣≤∣∣∣∑x

((φ1[a, x]− φ̃1[a, x])

t∏i=2

φi[a, x]

+ηφ̃1[a, x]δ∗φi[a,x]

)∣∣∣

[∵ t ≤ η and assuming δ∗φi[a,x] = max

i,x{δφi[a,x]}

]=∣∣∣∑x

(φ1[a, x]− φ̃1[a, x])

t∏i=2

φi[a, x]

+ηδ∗φi[a,x]

∑x

φ̃1[a, x]∣∣∣

≤∑x

∣∣∣φ1[a, x]− φ̃1[a, x]∣∣∣+ ηδ∗φi[a,x]

∑x

φ̃1[a, x] (34)[∵ φi[a, x] ≤ 1

]Step 2: Computing the upper bound of the total errorδφA

Now summing over ∀a ∈ dom(A),

δφA=∑a

δφA [a]

≤∑a

(∑x

|φ1[a, x]− φ̃1[a, x]|+ ηδ∗φi[a,x]

∑x

φ̃1[a, x])

[From Eq. (34)]

= δφ1 + ηδmaxφi[a,x]

∑a

∑x

φ̃1[a, x][δmaxφi[a,x] = max

a{δ∗φi[a,x]}

]Now by Lemma 8.2, maximum size of A ∪X is given bythe treewidth of the DGM, κ. Thus from the fact that φ1

is a CPD (Lemma 8.1), we observe that∑a

∑x φ̃1[a, x]

is maximized when φ1[a, x] is of the form P [A′|A], A′ ∈A ∪X, |A′| = 1,A = (A ∪X)/A′ and is upper boundedby dκ where d is the maximum domain size of an attribute.

δφA≤ δφ1

+ ηdκδmaxφi[a,x]

[By lemma 8.2 and that φ1 is CPD from lemma 8.1]

where κ is the treewidth of G and is the maximum domain size of an attribute

≤ 2 · η · dκδmaxφi[a,x]

[∵ δφ1 ≤ η · dκδmaxφi[a,x]

](35)

9. Related WorkIn this section, we review related literature. There has beena steadily growing amount work in differentially privatemachine learning models for the last couple of years. Welist some of the most recent work in this line (not exhaustivelist). (Abadi et al., 2016; Wu et al., 2017; Agarwal et al.,2018) address the problem of differentially private SGD.The authors of (Park et al., 2016a) present an algorithmfor differentially private expectation maximization. In (Lei,2011) the problem of differentially private M-estimators isaddressed. Algorithms for performing expected risk min-imization under differential privacy has been proposed in(Wang et al., 2017; Chaudhuri et al., 2011). In (Wang et al.,

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

2015a) two differentially private subspace clustering algo-rithms are proposed.

There has been a fair amount of work in differentially pri-vate Bayesian inferencing and related notions (Dimitrakakiset al., 2014; Wang et al., 2015b; Foulds et al., 2016; Zhanget al., 2016b; Geumlek et al., 2017; Bernstein & Sheldon,2018; Heikkilä et al., 2017; Zhang & Li, 2019; Schein et al.,2018; Park et al., 2016b; Jälkö et al., 2016; Barthe et al.,2016; Bernstein et al., 2017; Dziugaite & Roy, 2018; Zhanget al., 2017; 2020). In (Heikkilä et al., 2017) the authorspresent a solution for DP Bayesian learning in a distributedsetting, where each party only holds a subset of the data asingle sample or a few samples of the data. In (Dziugaite& Roy, 2018) the authors show that a data-dependent priorlearnt under ε-DP yields a valid PAC-Bayes bound. Theauthors in (Williams & Mcsherry, 2010) show that proba-bilistic inference over differentially private measurementsto derive posterior distributions over the data sets and modelparameters can potentially improve accuracy. An algorithmto learn an unknown probability distribution over a discretepopulation from random samples under ε-DP is presented in(Diakonikolas et al., 2015). In (Bernstein & Sheldon, 2018)the authors present a method for private Bayesian inferencein exponential families that learns from sufficient statistics.The authors of (Wang et al., 2015b) and (Dimitrakakis et al.,2014) show that posterior sampling gives differential pri-vacy "for free" under certain assumptions. In (Foulds et al.,2016) the authors show that Laplace mechanism based al-ternative for "One Posterior Sample" is as asymptoticallyefficient as non-private posterior inference, under general as-sumptions. A Rényi differentially private posterior samplingalgorithm is presented in (Geumlek et al., 2017). (Zhang &Li, 2019) proposes a differential private Naive Bayes clas-sification algorithm for data streams. (Zhang et al., 2016b)presents algorithms for private Bayesian inference on proba-bilistic graphical models. In (Park et al., 2016b), the authorsintroduce a general privacy-preserving framework for Vari-ational Bayes. An expressive framework for writing andverifying differentially private Bayesian machine learningalgorithms is presented in (Barthe et al., 2016). The problemof learning discrete, undirected graphical models in a dif-ferentially private way is studied in (Bernstein et al., 2017).(Schein et al., 2018) presents a general method for privacy-preserving Bayesian inference in Poisson factorization. In(Zhang et al., 2020), the authors consider the problem oflearning Markov Random Fields under differential privacy.In (Zhang et al., 2016b) the authors propose algorithms forprivate Bayesian inference on graphical models. However,their proposed solution does not add data-dependent noise.In fact their proposed algorithms (Algorithm 1 and Algo-rithm 2 as in (Zhang et al., 2016b)) are essentially the samein spirit as our baseline solution D-Ind. Moreover, someproposals from (Zhang et al., 2016b) can be combined with

D-Ind; for example to ensure mutual consistency, (Zhanget al., 2016b) adds Laplace noise in the Fourier domainwhile D-Ind uses techniques of (Hay et al., 2010a). D-Ind isalso identical (D-Ind has an additional consistency step) toan algorithm used in (Zhang et al., 2017) which uses DGMsto generate high-dimensional data.

A number of data-dependent differentially private algo-rithms have been proposed in the past few years. (Acs et al.,2012; Xu et al., 2012; Zhang et al.; Xiao et al., 2012) outlinedata-dependent mechanisms for publishing histograms. In(Cormode et al., 2012b) the authors construct an estimateof the dataset by building differentially private kd-trees.MWEM (Hardt et al., 2012) derives estimate of the datasetiteratively via multiplicative weight updates. In (Li et al.,2014) differential privacy is achieved by adding data andworkload dependent noise. (Kotsogiannis et al., 2017a)presents a data-dependent differentially private algorithmselection technique. (Gupta et al., 2012; Dwork et al., 2010)present two general data-dependent differentially privatemechanisms. Certain data-independent mechanisms attemptto find a better set of measurements in support of a givenworkload. One of the most prominent technique is the ma-trix mechanism framework (Yuan et al., 2012; Li et al.,2010) which formalizes the measurement selection problemas a rank-constrained SDP. Another popular approach is toemploy a hierarchical strategy (Hay et al., 2010b; Cormodeet al., 2012a; Xiao et al., 2011). (Yaroslavtsev et al., 2013;Barak et al., 2007; Ding et al., 2011b; Gupta et al., 2011;Thaler et al., 2012; Hay et al., 2010a) propose techniquesfor marginal table release.

9.1. Evaluation Cntd.

9.1.1. DATA SETS

As mentioned in Section 5, we evaluate our algorithm onthe following four DGMs.

(1) Asia: Number of nodes – 8; Number of arcs – 8; Numberof parameters – 18

(2) Sachs: Number of nodes – 11; Number of arcs – 17;Number of parameters – 178

(3) Child: Number of nodes – 20; Number of arcs – 25;Number of parameters – 230

(4) Alarm: Number of nodes – 37; Number of arcs – 46;Number of parameters – 509

The error analysis for the data sets Asia and Alarm arepresented in Fig. 4.

Data-Dependent Differentially Private Parameter Learning for Directed Graphical Models

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.00

0.02

0.04

0.06

0.08

0.10

Mea

nδ L

1

D-Ind Scheme: δL1

Our Scheme: δL1

(a) Asia: Parameters δL1

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.00

0.01

0.02

0.03

0.04

Mea

nDKL

D-Ind Scheme: DKL

Our Scheme: DKL

(b) Asia: Parameters DKL

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0

1 · 10−3

2 · 10−3

3 · 10−3

Mea

nδ L

1

D-Ind Scheme: δL1

Our Scheme: δL1

(c) Asia: Inference δL1

1.0 1.5 2.0 2.5 3.0

Total Privacy Budget ε

0

2 · 10−6

4 · 10−6

6 · 10−6

8 · 10−6

Mea

nDKL

D-Ind Scheme: DKL

Our Scheme: DKL

(d) Asia: Inference DKL

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.0

0.2

0.4

0.6

0.8

Mea

nδ L

1

(e) Alarm: Parameters δL1

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.0

0.1

0.2

0.3

0.4

0.5

0.6

Mea

nDKL

(f) Alarm: Parameters DKL

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.00

0.04

0.08

0.12

0.16

Mea

nδ L

1

(g) Alarm: Inference δL1

1.0 1.5 2.0 2.5 3.0Total Privacy Budget ε

0.00

0.05

0.10

Mea

nDKL

(h) Alarm: Inference DKL

Figure 4: Parameter and Inference (Marginal and Conditional) Error Analysis Cntd.