Distributed Private Data Analysis: Lower Bounds and Practical Constructions.

We consider a distributed private data analysis setting, where multiple parties each hold some sensitive data and they wish to run a protocol to learn some aggregate statistics over the distributed dataset, while protecting each user’s privacy. As an initial effort, we consider a distributed summation problem. We first show a lower bound, that is, under information-theoretic differential privacy, any multi-party protocol with a small number of messages must have large additive error. We then show that by adopting a computational differential privacy notion, one can circumvent this lower bound and design practical protocols for the periodic distributed summation problem. Our construction has several desirable features. First, it works in the client-server model and requires no peer-to-peer communication among the clients. Second, our protocol is fault tolerant and can output meaningful statistics even when a subset of the participants fail to respond. Our constructions guarantee the privacy of honest parties even when a fraction of the participants may be compromised and colluding. In addition, we propose a new distributed noise addition mechanism that guarantees small total error.