Mechanism%20Design%20via%20Differential%20Privacy

1
Mechanism Design viaDifferential Privacy

• Eric Shou
• Stat/CSE 598B

2
What is Game Theory?

• Game theory is a branch of applied mathematics
  that is often used in the context of economics.
• Studies strategic interactions between agents.
• Agents maximize their return, given the
  strategies the other agents choose (Wikipedia).

3
Example
Player 2 Player 2
Left Right
Player 1 Up 10,10 2,15
Player 1 Down 15, 2 5, 5
Dominant strategy for Player 1 is to choose down
and the dominant strategy for Player 2 is to
choose right. When Player 1 chooses down and
Player 2 chooses right, they are in equilibrium
because neither player will gain utility if
he/she changes his/her position given the other
players position.
4
What is Mechanism Design?

• In economics, mechanism design is the art of
  designing rules of a game to achieve a specific
  outcome.
• Each player has an incentive to behave as the
  designer intends.
• Game is said to implement the desired outcome.
  strength of such a result depends on the solution
  concept used in the game (Wikipedia).

5
Unlimited Supply Goods

• A seller is considered to have an unlimited
  supply of a good if the seller has at least as
  many identical items as the number of consumers,
  or the seller can reproduce items at a negligible
  marginal cost (Goldberg).
• Examples digital audio files, pay-per-view
  television.

6
Pricing of Unlimited Supply Goods

• Use market analysis and then set a fixed price.
• Fixed pricing often does not lead to optimal
  fixed price revenue due to inaccuracies in market
  analysis.

7
Pricing of Unlimited Supply Goods
Revenue
8
Pricing of Unlimited Goods

• Use auctions to take input bids from bidders to
  determine what price to sell at and which bidders
  to give a copy of the item to.
• Assume bidders in the auction each have a private
  utility value, the maximum value they are willing
  to pay for the good.
• Assume each bidder is rational each bidder bids
  so as to maximize their own personal welfare,
  i.e., the difference between their utility value
  and the price they must pay for the good.

9
Digital Goods Auctions

• n bidders
• Each bidder has private utility of a good at hand
• Bidders submit bids in 0,1
• Auctioneer determines who receives good and at
  what prices.

10
Truthful Auctions

• Most common solution concept for mechanism design
  is truthfulness.
• Mechanism designed so that truthfully reporting
  ones value is dominant strategy.
• Bid auctions are considered truthful if each
  bidders personal welfare is maximized when
  he/she bids his/her true utility value.

11
Truthful Mechanisms

• Mechanisms that are truthful simplifies analysis
  by removing need to worry about potential gaming
  users might apply to raise their utility.
• Thus, truthfulness as a solution concept is
  desired!

12
Setting of Truthful Auctions

• Collusion among multiple players is prohibited.
• Utility functions of bidders are constrained to
  simple classes.
• Mechanisms are executed once.

• These strong assumptions limit domains in which
  these mechanisms can be implemented.
• How do you get people to truthfully bid the price
  they are willing to pay without the assumptions?

13
Mechanism Design

• Differential Privacy
• Main idea of paper Strong privacy guarantees,
  such as given by differential privacy, can inform
  and enrich the field of Mechanism Design.
• Differential privacy allows the relaxation of
  truthfulness where the incentive to misrepresent
  a value is non-zero, but tightly controlled.

14
What is Differential Privacy?

• A randomized function M gives e-differential
  privacy if for all data sets D1 and D2 differing
  on a single user, and all S ? Range(M),
• PrM(D1) ? S exp(e) PrM(D2) ? S
• Previous approaches focus on real valued
  functions whose values are insensitive to the
  change in data of a single individual and whose
  usefulness is relatively unaffected by additive
  perturbations.

15
Game Theory Implications

• Differential Privacy implies many game theoretic
  properties
• Approximate truthfulness
• Collusion Resistance
• Composability (Repeatability)

16
Approximate Truthfulness

• For any mechanism M giving e-differential privacy
  and any non-negative function g of its range, for
  any D1 and D2 differing on a single input,
• Eg(M(D1)) exp(e) Eg(M(D2))
• Example In an auction with .001-differential
  privacy, one bidder can change the sell price of
  the item so that the sell price if the bidder was
  truthful was at most exp(.001)1.001 times the
  sell price if the bidder was untruthful.

17
Collusion Resistance

• One fortunate property of differential privacy is
  that it degrades smoothly with the number of
  changes in the data set.
• For any mechanism M giving e-differential privacy
  and any non-negative function g of its range, for
  any D1 and D2 differing on at most t inputs,
• Eg(M(D1)) exp(et) Eg(M(D2))

18
Example

• If a mechanism has .001-differential privacy, and
  there were a group of 10 bidders trying to
  improve their utility by underbidding, the 10
  bidders can change the sell price of the item so
  that the sell price if they were truthful was at
  most exp(10.001)1.01 times the sell price if
  the bidders were untruthful.
• If the auctioned item was a music file, which was
  supposed to be sold at 1 if the bidders were
  truthful, the most the 10 bidders can lower it to
  is .99.
• 1 / .99 1.01

19
Composability

• The sequential application of mechanismsMi,
  each giving ei-differential privacy, gives (Si
  ei)-differential privacy.
• Example If an auction with .001-differential
  privacy is rerun daily for a week, the seven
  prices of the week ahead can be skewed by at most
  exp(7.001)1.007 by a single bidder

20
General Differential Privacy Mechanism

• Goal randomly map a set of n inputs from a
  domain D to some output in a range R.
• Mechanism is driven by an input query function
• q Dn R -gt that assigns any a score to
  any pair (d,r) from Dn R given that higher
  scores are more appealing.
• Goal of mechanism is to return an r ? R given d ?
  D such that q(d,r) is approximately maximized
  while guaranteeing differential privacy.
• Example Revenue is q(d,r) r i di gt r.

R
21
General Differential Privacy Mechanism

• Choose r with probability
  proportional to
• exp(eq(d,r)) µ(r) probability
  measure
• Let (d) output r with probability a
  exp(eq(d,r))
• A change to q(d,r) caused by a single participant
  has a small multiplicative influence on the
  density of any output, thus guaranteeing
  differential privacy.
• Example p(r) a exp(e r i di gt r)

22
General Differential Privacy Mechanism

• Let (d) output r with probability a
  exp(eq(d,r))
• Higher scores are more probable because
  probability associated with a score increases as
  eeq(d,r) increases.
• ex is an increasing function.
• Thus in an auction with e-differential privacy,
  the expected revenue is close to the optimal
  fixed price revenue (OPT).

23
General Differential Privacy Mechanism

• Two properties
• Privacy
• Accuracy

24
Privacy

• (d) gives (2e?q)-differential privacy.
• ?q is the largest possible difference in the
  query function when applied to two inputs that
  differ only on a single users value, for all r.
• Proof Letting µ be a base measure, the density
  of at r is equal to
• exp(q(d, r))µ(r) / ?exp(q(d, r))µ(r)dr
• Single change in d can change q by at most ?q ,
• By a factor of at most exp(e?q) in the
  numerator and at least exp(-e?q) in the
  denominator.
• exp(e?q) / exp(-e?q) exp(2e?q)
• Example ?q 1

25
Accuracy
Good outcomes
Set value

• Lemma Let St r q(d, r) gt OPT- t,
• Pr(S2t) lt exp(-t)/µ(St)
• Theorem (Accuracy)
• For those t ln(OPT/tµ(St))/e,
• Eq(d, eq?(d)) gt OPT - 3t
• Size of µ(St) as a function of t defines how
  large t must before exponential bias can overcome
  small size of µ(St).

Bad outcomes
26
Graph of Price vs. Revenue
OPT
µ(St) width
Pr(S2t) lt exp(-t)/µ(St) small
Source Mcsherry, Talwar
27
Applications to Pricing and Auctions

• Unlimited supply auctions
• Attribute auctions
• Constrained pricing problems

28
Unlimited Supply Auctions
R

• Bidder has demand curve bi 0,1
  describing how much of an item they want at a
  given price, p.
• Demand is non-increasing with price, and
  resources of a bidder are limited such that pbi
  1 for all i, p.
• q(b,p) pSibi(p) dollars in revenue
• Mechanism gives 2e-differential privacy,
  and has expected revenue at least
• OPT 3ln(e e2OPTm)/ e, where m is the number
  of items sold in OPT.

Cost of approximate truthfulness
29
Attribute Auctions

• Introduce public attributes to each of the
  bidders (e.g. age, gender, state of residence).
• Attributes can be used to segment the market. By
  offering different prices to different segments
  and leading to larger optimal revenue.
• SEGk of different segmentations into k
  markets
• OPTk optimal revenue using k market segments
• Taking q to be the revenue function over
  segmentations into k markets and their prices,
• has expected revenue at least
• OPTk 3(ln(e ek1OPTkSEGkmk)/e

30
Constrained Pricing Problem

• Limited set of offered prices that can go to
  bidders.
• Example A movie theater must decide which movie
  to run.
• Solicit bids from patrons on different films.
• Theater only collects revenue from bids for one
  film.

31
Constrained Pricing Problem

• Bidders bid on k different items
• Demand curve bij 0,1 for each item j ? k
• Demand non-increasing and bidders resources
  limited so that pbij(p) 1 for each i, j, p.
• For each item j, at price p, revenue
• q(b, (j, p)) pSibij(p)
• Expected revenue at least
• OPT - 3 ln(e e2OPTkm)/e

32
Comments

• Tradeoff between approximate truthfulness and
  expected revenue.
• Attribute auctions price discrimination?
• Application of mechanism to other games?
• Parallels with disclosure limitation?

33
Conclusions

• General different privacy mechanism, , is
  more robust than truthful mechanisms.
• Approximate truthfulness
• Collusion resistance
• Repeatability
• Properties
• Privacy
• Accuracy
• Applications
• Unlimited supply auctions
• Attribute auctions
• Constrained pricing

34
Questions?