Private Frequency Estimation with Residue Number Systems: Methods, Privacy Guarantees, and Real-World Applications
Executive Summary: What You Will Learn
This article explores how Residue Number Systems (RNS) can be used for private frequency estimation. Key takeaways include:
- RNS-based private aggregation encodes counts as residues modulo pairwise coprime bases, enabling exact global reconstruction without exposing individual contributions.
- Three Local Differential Privacy (LDP)-adapted families—MSS, LDPLCM, and PGR—offer distinct privacy-utility trade-offs in RNS frequency estimation, with design choices on moduli, masking, and cohorts.
- The methodologies are anchored in established privacy research (e.g., Feldman & Talwar’s local-privacy trade-offs) and RS+FD-inspired masking.
- Evaluation designs target user counts (10k to 200k), domain sizes (100 to 10,000), moduli count k (3, 5, 7), and privacy budgets ε (0.1 to 1.0) to quantify accuracy and privacy.
- Real-world domains covered include healthcare analytics, energy usage (smart grids), and mobile app telemetry, each with domain-specific privacy constraints and deployment considerations.
Methodological Landscape: RNS-Based Local DP Techniques
MSS (Modular Shaping for Secret) in RNS-Based Frequency Estimation
Imagine being able to sum up a crowd’s frequency estimates exactly, yet keep every individual count private. MSS (Modular Shaping for Secret) makes this possible. It works by packing user counts into a vector of residues modulo a set of coprime bases. The server can then reconstruct the total sum using the Chinese Remainder Theorem (CRT). Each user transmits a randomized residue vector to obfuscate their exact count, ensuring per-user details remain hidden even as the total becomes exact.
The process involves each user mapping their frequency count into a vector of residues modulo coprime bases m1, m2, …, mk. To protect privacy, users transmit a randomized version of this vector rather than the raw residues, so the exact count isn’t exposed at the residue level. The server collects these residues (in aggregate) for each modulus and uses the CRT to recover the global sums. This yields exact totals while preserving per-user privacy in the residue domain.
The privacy guarantee is expressed as epsilon-LDP on each residue projection. The overall privacy budget is distributed across the residues, and masking across residues limits information leakage from any single residue. The size of each modulus and the number of moduli k determine the balance between privacy protection and accuracy, as well as communication and computation costs. Larger moduli and more residues can improve potential accuracy but require more data transmission and computation.
How MSS Works in Practice (a quick walkthrough)
- Each user computes a residue vector r_i = (r1, r2, …, rk) where rj = frequency_count modulo mj for each j. The user then transmits a randomized version of this vector.
- The server pools all received residues for each modulus mj to form an aggregate residue Rj for j = 1, …, k.
- Using the coprime moduli m1, …, mk, the server applies the CRT to the aggregated residues {Rj} to recover the exact global frequency sums.
Because each user’s contribution is masked at the residue level and only aggregated residues are used, individual counts remain private. The ε-LDP guarantee per residue projection ensures that small changes in a single user’s count have limited impact on any given residue.
Parameter Knobs and Their Impact
Choices in parameters significantly affect privacy, accuracy, and cost:
| Parameter | What it controls | Impact on privacy and utility | Cost considerations |
|---|---|---|---|
| k (number of moduli) | Number of coprime bases used; length of residue vector | More residues can improve possible accuracy and help distribute the privacy budget; increases robustness of CRT reconstruction. | More data per user; higher server computation for CRT and aggregation. |
| m_i (modulus sizes) | The range captured by each residue for modulus i | Larger moduli expand the total space and can improve the ability to capture large sums; privacy per residue can be tighter. | Increased message size per residue; larger arithmetic domain for CRT. |
| Product M = m1 × m2 × … × mk | Overall capacity for unique residue combinations | To recover exact totals, M should exceed the maximum possible sum across all users. | Directly related to message size and CRT computation complexity. |
| Privacy budget (ε per residue) | Per-residue privacy guarantee | Smaller ε means stronger protection; the total budget is spread across residues. | Lower ε may require smaller per-residue data release or more residues to maintain utility. |
MSS enables obtaining exact total counts while keeping individual contributions private at the residue level. The trade-off is governed by the number and size of moduli, and the allocation of the privacy budget across residues, allowing adaptation to different privacy requirements and resource constraints.
LDPLCM (Local Differential Privacy with Lightweight Constant-Latent Masking)
LDPLCM offers a practical way for devices to share counts with strong privacy, without a central trusted party. It combines local masking with residue-encoded counts.
Core mechanics:
- Count Clipping: Each count is clipped to a known bound to cap sensitivity, preventing extreme values from dominating results and stabilizing masking.
- Residue Encoding: Data are encoded as residues, a compact representation preserving structure for accurate aggregation while being lightweight for resource-constrained devices.
- Local Masking: A local masking vector is applied on the device before data leaves, privatizing it on-device.
- Privacy Guarantee: Local randomization satisfies epsilon-LDP across residue projections, protecting individual signals.
- Masking Seed Refresh: Seeds can be refreshed between rounds or batches to reduce cross-round correlation and strengthen long-term privacy.
Why it’s Well Suited for IoT and Mobile
- Lightweight Operations: Masking and residue operations are efficient, suitable for devices with limited processing power and memory.
- Small Data Footprint: Residue-based representation keeps data small, saving bandwidth and energy on constrained networks.
- On-Device Privacy: Data are privatized before reaching servers or aggregators.
Calibration and Practical Use
LDPLCM’s utility depends on tunable factors like modulus sizes, masking strength, and clip bounds. These jointly determine accuracy and privacy. Deployments require careful calibration to meet domain-specific accuracy targets while delivering desired privacy guarantees.
| Parameter | Role | Guidance |
|---|---|---|
| Modulus size | Residue space for encoding | Choose modest sizes to balance accuracy and resource use; larger moduli require more computation and memory. |
| Clip bound | Sensitivity cap | Set to reflect realistic data ranges to limit the influence of outliers. |
| Masking strength | Privacy-utility tradeoff | Tune to target ε-LDP; stronger masking increases privacy but may reduce utility. |
| Seed refresh interval | Cross-round decorrelation | Refresh between rounds or batches to reduce correlations and improve long-term privacy. |
LDPLCM delivers privacy-friendly data collection for constrained devices, achieving meaningful privacy guarantees (ε-LDP across projections) through count bounding, residue encoding, local masking, and periodic seed refreshes.
PGR (Privacy-Guarantee-Representative) in RNS Context
PGR (Privacy-Guarantee-Representative) offers a practical way to estimate counts in an RNS context by organizing users into cohorts that share a masking seed. Within each cohort, residues are computed and aggregated, ensuring individual vectors stay private while cohort totals approximate true counts.
- Cohort-Based Masking: Users are grouped into cohorts, each sharing a masking seed. This masks signals so no single vector is revealed, preserving individual privacy while enabling group-level analysis.
- Residue Aggregation: Residue contributions are computed within cohorts and aggregated. Each member contributes a masked residue; the cohort sums these to yield privacy-protected totals reflecting the collective signal.
- Cross-Cohort Averaging: Averaging across cohorts helps when signals are sparse or noisy, making the final estimate more robust.
- Processing Mode: PGR favors batch processing and streaming scenarios with rotating seeds, where cohort seeds can be rotated and securely updated.
Privacy in PGR hinges on cohort-level masking and restricting cross-cohort leakage. When seeds are secure and cohort boundaries respected, public aggregates closely approximate true counts without exposing individual vectors.
At a Glance: PGR Mechanics
| Aspect | How PGR Handles It |
|---|---|
| Masking Granularity | Cohort-level masking; individual vectors remain hidden. |
| Computation | Residues computed within cohorts; cohort totals aggregated. |
| Variance Management | Cross-cohort averaging reduces variance, stabilizing estimates. |
| Processing Mode | Optimized for batches and streams; seeds rotated securely over time. |
| Privacy Risk | Limited cross-cohort leakage; relies on secure seed management. |
Limitations and Mitigations
- Seed Management Complexity: Maintaining secure, rotating seeds for many cohorts adds operational overhead. Mitigation: Implement robust key management systems.
- Granularity in Dynamic Data: Highly dynamic streams can blur fine-grained changes. Mitigation: Thoughtful batching and rollout planning.
- Cross-Cohort Leakage Risk: Possible if cohort boundaries or seeds are mishandled. Mitigation: Strict access controls and auditing.
PGR offers a practical balance between privacy and utility, especially for batch and streaming workloads, delivering stable, cohort-level insights without exposing individual vectors with careful seed governance.
Performance and Privacy Guarantees: Comparative Insights
Comparing the three RNS-based methods reveals distinct strengths and trade-offs:
| Aspect | MSS | LDPLCM | PGR |
|---|---|---|---|
| Privacy model | Per-residue ε-LDP; overall budget sums per-round and cohort protections. | Local randomization with masking; overall budget sums per-round and cohort protections. | Cohort-based masking; overall budget sums per-round and cohort protections. |
| Reconstruction accuracy | Improves with larger/diverse moduli; effective noise/masking control. CRT aggregation tightens estimates if product of moduli is large relative to domain, subject to noise. | Benefits from diverse moduli and masking control; masking noise impacts accuracy. CRT gains possible if modulus product is large, with noise considerations. | Benefits from larger modulus products and effective masking; CRT tightening depends on domain size and noise. Cohort masking can constrain variance. |
| Communication and computation scaling | Scales with number of moduli k; requires k residues per user. | Lightweight masks, small residue count; reduced per-user data; small scaling with residue count. | Relies on cohort-level aggregation to reduce per-user data transfer; scaling tied to cohort sizes and aggregation complexity. |
| Trade-offs by scenario | Flexible precision with moderate overhead; tunable privacy-utility via moduli and budgets. Suitable for general collection. | Simplest to deploy on constrained devices; may incur higher variance for tight privacy due to masking noise. Edge-friendly. | Strong privacy in batch settings; robust seed management required; complexity and coordination across cohorts needed. Best for periodic/reporting phases. |
Practical Takeaway
- MSS: Baseline accuracy, explicit budgets, general collection.
- LDPLCM: Edge devices, limited resources, explicit budgets per channel, maintain masking controls.
- PGR: Periodic/reporting phases, cohort-based aggregation, ensure robust seed management and secure cohort handling.
Real-World Applications and Case Studies
Healthcare Data Privacy
Imagine mapping symptom occurrences and disease spread across dozens of hospitals without exposing any patient’s record. RNS-based Local Differential Privacy (LDP) enables this by allowing local perturbation of data on clinician devices before sharing. A secure server then aggregates these obfuscated signals using CRT reconstruction to produce accurate prevalence estimates while preserving Protected Health Information (PHI) privacy, aligning with HIPAA and GDPR policies.
Evaluation Plan: Uses synthetic EHR-like data with domain-specific constraints to reflect clinical patterns. Privacy parameters (e.g., budget) are calibrated to clinical risk tolerance. The aim is accurate prevalence estimates across hospitals while keeping PHI private and compliant.
Smart Grids and Energy Usage
Smart grids can optimize energy use, but require protecting individual household routines. RNS encoding adds calibrated randomness to measurements, reducing occupancy inference risk while keeping the overall energy picture intact for grid planning. Cohort-based PGR supports periodic reporting with strong aggregation privacy by grouping households and releasing only aggregated statistics, hiding individual patterns. Validation uses realistic smart-grid traces varying in household count, device types, and time granularity (5-, 15-, 60-minute intervals).
Key Metrics:
- Privacy Leakage: Residual ability to infer individual behavior.
- Energy Usage Bias: Difference between estimated and true consumption.
- Operational Latency: Time from collection to actionable reporting.
These methods aim to provide the grid with necessary information for efficiency while preserving personal routines, validated against diverse realistic data.
Mobile Analytics and Telemetry
Learning feature usage frequencies across millions of devices without collecting raw usage data is crucial for product analytics. Privacy-preserving mobile analytics keeps user data on-device. LDPLCM-style masking is suitable for devices with limited bandwidth and battery, as masking keeps communications small and bounded. Each device applies local masking to feature counts (e.g., encoding as residues) before transmission. The server aggregates these compact residue signals to estimate feature popularity at scale with privacy guarantees.
Pilot Studies: One-Shot vs. Multi-Round Reporting
Compares reporting once per period (one-shot) versus multiple, smaller reports (multi-round). Parameters include modulus counts and privacy budgets.
| Aspect | One-shot | Multi-round |
|---|---|---|
| Accuracy (fixed budget) | Good initial; may require stronger masking. | Improved over time as more residues accumulate. |
| Battery impact | Lower immediate. | Higher due to periodic wakeups. |
| Network load | Lower peak (one message). | Steady but spread across rounds. |
| Privacy budget usage | Used in a single report. | Allocatable over multiple rounds. |
The best choice depends on feature importance, user tolerance for battery impact, and network constraints. Privacy-preserving mobile analytics can reveal feature popularity while keeping individual usage private on-device.
Implementation Roadmap, Evaluation Protocol, and Deployment Checklist
Implementation Roadmap: Key Considerations
- Strengths: Strong privacy protection (local/cohort), scalability (modular arithmetic), flexibility (privacy budgets), robustness (sparse data).
- Challenges: Higher implementation complexity, secure seed/key management, careful parameter tuning (moduli, clip bounds, masking), potential latency in CRT for large datasets.
Evaluation Protocol: A Structured Plan
A clear, repeatable evaluation plan involves:
- Dataset Planning: Multiple scales (n_users in {10k, 50k, 200k}; domain_size in {100, 1k, 10k}).
- Parameter Sweeps: Moduli counts k in {3, 5, 7}; various modulus sizes.
- Metrics: Explicit privacy budgets (ε in {0.1, 0.5, 1.0}; δ = 1e-5); performance measures (MAE, RMSE, bias, coverage, leakage estimates).
- Resource Profiling: Server CRT reconstruction, per-user data transfer, total network throughput.
- Real-World Pilots: Healthcare, smart grids, mobile telemetry over 2–4 weeks.
Caveats: Evaluation can be time-consuming/resource-intensive. Coordinating pilots is challenging. Generalizability depends on realistic data generation and parameter choices.
Deployment Checklist: Ensuring Success
- Core Requirements: Secure key/seed management, robust RNG sources, CRT library integration, secure data handling pipelines.
- Governance: Monitoring for privacy budget drift, audit and compliance plans.
- Operational Overhead: Ongoing security and governance, dependency on secure libraries (supply chain risk), potential latency in real-time CRT operations.
Leave a Reply