A Histogram Publishing Method under Differential Privacy That Involves Balancing Small-Bin Availability First

Abstract

Differential privacy, a cornerstone of privacy-preserving techniques, plays an indispensable role in ensuring the secure handling and sharing of sensitive data analysis across domains such as in census, healthcare, and social networks. Histograms, serving as a visually compelling tool for presenting analytical outcomes, are widely employed in these sectors. Currently, numerous algorithms for publishing histograms under differential privacy have been developed, striving to balance privacy protection with the provision of useful data. Nonetheless, the pivotal challenge concerning the effective enhancement of precision for small bins (those intervals that are narrowly defined or contain a relatively small number of data points) within histograms has yet to receive adequate attention and in-depth investigation from experts. In standard DP histogram publishing, adding noise without regard for bin size can result in small data bins being disproportionately influenced by noise, potentially severely impairing the overall accuracy of the histogram. In response to this challenge, this paper introduces the SReB_GCA sanitization algorithm designed to enhance the accuracy of small bins in DP histograms. The SReB_GCA approach involves sorting the bins from smallest to largest and applying a greedy grouping strategy, with a predefined lower bound on the mean relative error required for a bin to be included in a group. Our theoretical analysis reveals that sorting bins in ascending order prior to grouping effectively prioritizes the accuracy of smaller bins. SReB_GCA ensures strict $ϵ$-DP compliance and strikes a careful balance between reconstruction error and noise error, thereby not only initially improving the accuracy of small bins but also approximately optimizing the mean relative error of the entire histogram. To validate the efficiency of our proposed SReB_GCA method, we conducted extensive experiments using four diverse datasets, including two real-life datasets and two synthetic ones. The experimental results, quantified by the Kullback–Leibler Divergence (KLD), show that the SReB_GCA algorithm achieves substantial performance enhancement compared to the baseline method (DP_BASE) and several other established approaches for differential privacy histogram publication.

1. Introduction

In the era of digitalization today, concerns about the privacy and security of user-sensitive data coexist with the progression of data mining technologies. These privacy apprehensions can surface at every phase of the data mining and analysis procedure, encompassing data collection, data publication, data transmission, and data analysis. Recently, there has been extensive research [1,2,3] aimed at effectively mitigating privacy threats to sensitive information during data mining and analysis, with significant contributions, including differential privacy techniques [4,5,6].

Differential privacy is a privacy-preserving paradigm defined from a probabilistic statistical standpoint [4,5,6]. In the context of database queries, it involves adding noise drawn from a certain probability distribution to query results, such that the maximum impact on the result caused by either deleting (or inserting) a single record or modifying the value of a single record is confined within a predetermined range. This ensures that an attacker, with a certain probability, cannot infer whether a particular record exists or determine its true value from the query output, thereby providing privacy protection for the presence or magnitude of each individual record’s information [6]. Due to its rigorous quantification of privacy guarantees and independence from an attacker’s background knowledge, differential privacy is well-suited for safeguarding privacy in big data scenarios [6].

Differential privacy (DP) is considered as a de facto standard privacy definition and is applied to many privacy protection scenarios [7,8,9,10,11,12,13,14,15,16,17,18,19,20], where the histogram [21] is a very typical one. The histogram adopts a box-division technology, which divides a database table into disjoint areas according to one or more column attributes and expresses each area with some statistical values to understand the distribution of various types of data. Therein, one statistical value of one disjoint area is called a bin. The histogram can be used for population census, road condition information, disease detection, product testing, daily personal activities including living expenses, web browsing, and APP statistics, etc. However, if an original histogram is directly used for publishing, it may face the problem of personal privacy leakage. For example, a hospital carries out a statistical analysis on the disease types of patients who come to the hospital this month, among whom three patients are found to have diabetes. If the number of patients with other disease types and the fact that two patients have diabetes is known, the third diabetic patient can be easily speculated. Therefore, before publishing the histogram, privacy protection is needed.

In DP histogram publishing, deleting a record or adding a record to a database table has one count that affects the publication, and its sensitivity is very small. Therefore, DP histogram publishing is of great concern in the research of DP [21]. However, the uneven distribution of the original data leads to the presence of variously sized statistics (bins) in histograms constructed from the data. When bins of varying sizes comply with $ϵ$-differential privacy, it is often observed that small bins exhibit lower relative accuracy compared to larger bins, sometimes to a significantly greater extent. In the relevant literature concerning the publication of differentially private histograms [13,14,15], the majority of studies overlook the issue of relatively lower accuracy in small bins under non-uniform data distributions. While some studies have indeed taken note of data skewness, their focus remains confined to the overall accuracy of all bins or predominantly larger bins, occasionally sacrificing the accuracy of small bins to marginally enhance the absolute accuracy of the aggregate or larger bins. Indeed, it is a well-established principle that the equitable analysis of data yields more dependable outcomes. Hence, even in the presence of noisy statistical information, it is imperative to direct attention towards data analysis conducted under a comparably uniform level of noise.

In the context of hospital patient data analysis using histograms, health information is sensitive, especially regarding serious illnesses, which typically involve fewer cases and are vital for the in-depth analysis of such diseases. Consider a hypothetical histogram of patient data resulting in counts of 2, 3, 10, 9, 8, 1, and 1, wherein 1, 1, 2, and 3 denote the respective counts for severe disease categories. Following the guidance of study [5], if noise from a Laplace mechanism with a scale parameter $\lambda$ were introduced to each datum to enforce $\frac{1}{\lambda }$-differential privacy, the expected absolute magnitude of the noise added to each count would be $\lambda$. This addition, particularly in relation to the counts of 1, 1, 2, and 3 for severe diseases, introduces a significant relative error. study [13,15,19,22] introduces grouping methodologies that can moderately enhance the overall accuracy of the data; however, this approach necessitates balancing the noise error induced by random distribution against the reconstruction error due to grouping. Current methodologies, while attempting to weigh absolute accuracy against both types of errors, still encounter the challenge of excessive noise introduced by low counts.

Specifically, in Section 4 of this paper, a formulaic analysis is carried out for the $ϵ$-DP histogram publishing, and it is concluded that under the uneven data distribution, small bins tend to bear much more relative noise than large bins. Indeed, small bins are sometimes just as important as large bins or much more crucial than large bins. Therefore, this paper considers how to prioritize balancing the accuracy of small bins and minimize the mean relative error of the histogram under $ϵ$-DP.

The main contributions of this paper are summarized as follows.

• A sanitization algorithm, SReB_GCA, is introduced, which adopts relative error as its metric for accuracy. This approach diverges from numerous methodologies documented in the study [15,19], wherein the mean squared error or absolute error is typically employed, with the histogram being assessed collectively to ascertain a cumulative mean squared or absolute error for the purpose of optimization. Consequently, the significance of smaller bins may be inadvertently disregarded.
• The grouping rules under relative error are theoretically deduced and analyzed. There are two types of errors in DP histogram publishing, including the reconstruction error due to grouping and the noise error due to Laplace noise being injected. From the analysis of their relative error forms, it is concluded that sorting from small to large is favorable for improving the utility of small bins first, a perspective not thoroughly explored in the previous literature. Additionally, a lower bound in the greedy grouping process of SReB_GCA is theoretically deduced, which facilitates maximizing the number of bins grouped and approximately optimizing the mean relative error of the histogram.

Moreover, we conduct extensive experiments on four real-life and synthetic datasets to evaluate the performance of our approach in comparison with a benchmark method (DP_BASE) across single-value queries, range queries, and analyses of data distribution. Additionally, we compare this performance with several other existing methods that leverage data distribution characteristics.

The remainder of this paper is organized as follows: Section 2 introduces the related work on DP histogram publishing. Section 3 presents the relevant definitions of DP. Section 4 details the problem and presents initial approaches. Section 5 formally defines the problem and proposes a sanitization algorithm, SReB_GCA, encompassing the grouping rules and an approximately greedy optimal grouping strategy, theoretically derived and analyzed. Section 6 presents the experimental evaluation of SReB_GCA. Finally, we draw conclusions in Section 7.

2. Related Work

Researchers have derived numerous valuable solutions concerning DP histogram publishing [5,13,14,15,17,18,19,22,23,24,25,26,27]. Dwork et al. [5] introduced a method applicable to equal-width histograms for the first time. They augmented each bin in the equal-width histogram with Laplace noise and utilized the resulting noisy bins for range queries. When executing large-range queries, this approach results in a substantial accumulation of noise within the query outcomes, ultimately compromising the data availability of query results. In [14], a methodology known as Boost1 is presented, which relies on the optimal linear unbiased estimator. In practice, however, this method fails to efficiently mitigate the noise associated with each bin in the histogram. To address the challenge posed by a wide range of queries, Xu et al. [19] put forward two techniques: NoiseFirst and StructureFirst. With NoiseFirst, dynamic programming technology is employed to reconstitute the output of an equal-width histogram by consolidating adjacent, similar bins. Conversely, StructureFirst utilizes the exponential mechanism [5] to determine the boundaries of output bins, thereby forming a non-equiwidth histogram, and subsequently incorporates appropriate noise into the adjusted results prior to publication. While StructureFirst effectively mitigates the error induced by perturbation (i.e., noise error), it inadvertently introduces a novel error (i.e., reconstruction error). Furthermore, during the reconstruction process, the number of bins (k) is manually specified, rendering it incapable of effectively balancing noise error against reconstruction error.

In order to enhance the accuracy of sanitized data (i.e., data with added noise conforming to a specific distribution) and strike a superior balance between noise and reconstruction errors, the study [13] introduces PHPartition. This method employs a dynamic search via hierarchical clustering techniques to determine the optimal value k, rendering it an improvement over StructureFirst. Additionally, the study [17] puts forth an adaptive sampling methodology for achieving differential privacy in the histogram publishing of dynamically evolving datasets. Furthermore, the work presented in [24] proposes DPDR, a grouping technique grounded in the ranking methodology of the exponential mechanism. Nonetheless, these methodologies primarily focus on devising reconstruction strategies that enhance the overall accuracy of histograms or the precision of larger bins, inadvertently overlooking the accuracy of smaller bins. In some instances, they even compromise the precision of small bins to augment the absolute accuracy for broader bins or the histogram as a whole [19]. While large bins typically garner significant attention, the significance of small bins, as exemplified by phenomena like the “Black Swan Event”, cannot be discounted.

As far as we know, there is almost no research focusing specifically on prioritizing the accuracy of small bins, despite some studies employing a metric of relative error. In [28], through analyzing the correlation between the cumulative probability of noise and the privacy level in Laplace mechanism, and integrating the relative error metric, an algorithm was proposed to inject varying levels of noise proportional to query preferences. However, the algorithm’s implementation necessitates prior knowledge of these query preferences, which may contain sensitive information to some extent, thereby posing a risk of privacy leakage. In addition, the metric of relative error is also considered in study [29]. Therein, a DP publishing algorithm for batch queries based on gradual iterations is proposed to mitigate noise error; specifically, the privacy budget is allocated according to intermediate noisy results, with the overarching goal of minimizing the overall relative error while efficiently managing the consumption of the privacy budget. Through iterations, queries are adaptively adjusted to achieve the best cost-performance ratio. The algorithm proposed in this paper, distinct from that discussed in Reference [29], initiates with prioritizing the precision of smaller bins under the criterion of relative error as an assessment of overall data accuracy. While [29] primarily focuses on enhancing the accuracy of larger bins under differential privacy constraints before tuning the discrepancy between large and small bins to boost aggregate data precision, our approach subsequently optimizes the error between these bin categories to augment the overall usability of the dataset. Moreover, it is noteworthy that the dataset utilized in our research exhibits a distribution that starkly differs from that employed in Reference [29].

Furthermore, when delving into the relative accuracy of bins in the realm of DP histogram publishing, we note that several grouping principles resemble yet differ from those in prior research [22] (see Section 5). Nonetheless, given the divergent utility metrics and distinct research aims we consider, the methodology employed in the previous work cannot be straightforwardly adopted to address our present challenge.

3. Preliminaries

3.1. Differential Privacy

The concept of differential privacy (DP) originates from the indistinguishability principle in cryptographic semantic security, implying that an adversary cannot discern between the encrypted outcomes of distinct plaintexts. For example, the inclusion or exclusion of a single record has a negligible impact on query outcomes under DP, thereby safeguarding the record’s privacy.

Definition 1

($ϵ$-DP [5]). For a randomized algorithm K and a set S of all possible outputs of K, a randomized algorithm is said to satisfy ϵ-DP if algorithm K satisfies the following Formula (1) for any two neighboring datasets D and $D^{\prime }$ that differ by at most one user.

$$\begin{array}{c}\hfill P[K\left(D\right)\in S]\le exp\left(ϵ\right)\times Pr[K\left(D^{\prime }\right)\in S],\end{array}$$

(1)

where $Pr[·]$ represents the risk of privacy disclosure and is controlled by the randomness of algorithm K.

In Definition 1, the parameter $ϵ$ is referred to as the privacy budget, quantifying the level of privacy protection. Specifically, a smaller value of $ϵ$ signifies stronger privacy guarantees, whereas a larger $ϵ$ implies weaker privacy protection.

Definition 2

(Global sensitivity [5]). For any function $f:D\to R^d$, the global sensitivity of f is defined as

$$\begin{array}{c}\hfill \Delta f=ma{x}_{D,D^{\prime }}{\parallel f\left(D\right)-f\left(D^{\prime }\right)\parallel }_p,\end{array}$$

(2)

where R represents the real number space; d represents the query dimension of function f; and p represents the norm distance used by $\Delta f$, which is usually measured by $L_1$.

3.2. Laplace Mechanism

The Laplace mechanism is usually used to add noise to the numerical data to satisfy $ϵ$-DP. The definition is given below.

Definition 3

(Laplace mechanism [5]). For any function $f:D\to R^d$ with a global sensitivity $\Delta f$, the algorithm $K\left(D\right)=f\left(D\right)+(n_1,n_2,n_3,\cdots ,n_d)$ ensures ϵ-DP, where each $n_i\sim Lap(\Delta f/ϵ)$ for $i\in \{1,2,\cdots ,d\}$ is an independently drawn Laplace random variable from a Laplace distribution with scale parameter $\lambda =\frac{\Delta f}{ϵ}.$ The probability density function of this Laplace distribution is given by

$$\begin{array}{c}\hfill p\left(x\right)=\frac{1}{2\lambda }exp(-\frac{\left|x\right|}{\lambda }).\end{array}$$

(3)

3.3. Composition Properties

DP has the following two composition properties that are often used in the design of its mechanisms.

Property 1

(The parallel composition property [30]). Given randomized algorithms $K_1$, $K_2$, $K_3$, ⋯, $K_n$, whose privacy budgets are ${ϵ}_1,$${ϵ}_2,$${ϵ}_3,$⋯, ${ϵ}_n$, respectively, for disjoint datasets $D_1,$$D_2,$$D_3,$$\cdots$, $D_n$, the combined algorithm $K(K_1\left(D_1\right),K_2\left(D_2\right),\cdots ,K_n\left(D_n\right))$ composed of these algorithms satisfies $max\left({ϵ}_i\right)$-DP, and the privacy protection level provided depends on the largest privacy budget.

Property 2

(The sequence composition property [30]). Given dataset D and randomized algorithms $K_1$, $K_2$, ⋯, $K_n$, whose privacy budgets are ${ϵ}_1$, ${ϵ}_2$, ${ϵ}_3$, ⋯, ${ϵ}_n$ respectively, the combined algorithm $K(K_1\left(D\right),K_2\left(D\right),\cdots ,K_n\left(D\right))$ composed of these algorithms satisfies $(\sum {ϵ}_i)$-DP.

3.4. Relative Error

In this paper, the relative error [28,29,31,32] used to measure the quality of a published result is as follows:

$$err\left(r\right)=\frac{|r-r^{★}|}{max(r,\delta )},$$

(4)

where $r^{★}$ is a published result with respect to the original result r and the parameter $\delta$ is a constant to avoid the situation $r=0$ or r is too small [28,29,31,32].

4. Problem Statement and First-Cut Method

4.1. Problem Statement

Given a sequence of original histogram bins, $H=\{H_1,H_2,\cdots ,H_n\}$. Without a loss of generality, assume that the bin proportions are $p=\{p_1,p_2,\cdots ,p_n\}$, respectively, where $0<p_1\le p_2\le \cdots \le p_n<1$ and ${\sum }_{i=1}^n{p}_i=1$. Publish a histogram $\tilde{H}=\{{\tilde{H}}_1,{\tilde{H}}_2,\cdots ,{\tilde{H}}_n\}$ satisfying $ϵ$-DP, where ${\tilde{H}}_j=H_j+n_j$, $n_j\sim Lap\left(\lambda \right)$ for $j\in \{1,2,\cdots ,n\}$, and $Lap\left(\lambda \right)$ is the Laplace distribution satisfying a scale parameter $\lambda =\frac{1}{ϵ}$.

Obviously, the absolute error of each bin in the histogram is $E\left[\right|\widetilde{H_j}-H_j\left|\right]=\lambda$. Note that the mean square error (MSE) is given by $E\left[{(\widetilde{H_j}-H_j)}^2\right]=2{\lambda }^2$. So, we can deduce that the relative error of each bin is

$$E[\frac{|\widetilde{H_j}-H_j|}{H_j}]=\frac{\lambda }{H_j}.$$

(5)

Given that $p_1\le p_2\le \cdots \le p_n$, it follows that $H_1\le H_2\le \cdots \le H_n$. Consequently, it has Formula (6).

$$\begin{array}{cc}\hfill E[\frac{|\widetilde{H_1}-H_1|}{H_1}]& \ge E[\frac{|\widetilde{H_2}-H_2|}{H_2}]\ge \cdots \ge E[\frac{|\widetilde{H_n}-H_n|}{H_n}].\hfill \end{array}$$

(6)

According to Formula (6), the relative error of each bin with different proportions is different. If the data distribution is very uneven, the relative errors of bins with smaller counts (small bins) can be disproportionately higher compared to those with larger counts. This disparity may be detrimental in application scenarios where critical decisions rely on accurate representations of these smaller bins.

4.2. First-Cut Method

From the previous subsection, we know that a histogram with uneven data distribution may often fail to meet the relative accuracy requirements for small bins when it adds the same absolute noise to all bins to satisfy $ϵ$-DP. Then, can we use two straightforward solutions? Therein, one is adding an equal relative noise to each bin in the histogram to meet the accuracy requirements for all of the bins, and the other one is taking a scale parameter that meets the relative accuracy requirement of the minimum bin as the overall scale parameter. The answer is no. Although these two solutions are simple and brute-force, they are not the best and maybe lead to privacy disaster in some extreme cases.

Firstly, we assume that the same unit noise is $\gamma$, and $\gamma =\frac{{\lambda }_j}{H_j}$ for $j\in [1,n]$, where $H_j$ is perturbed by Laplace noise with ${\lambda }_j$ as its scale parameter, respectively. Since $H_1\le H_2\le \cdots \le H_n$, it has ${\lambda }_1\le {\lambda }_2\le \cdots \le {\lambda }_n$. According to ${\lambda }_j=\frac{1}{{ϵ}_j}$, it has ${ϵ}_1\ge {ϵ}_2\ge \cdots \ge {ϵ}_n$. Then, according to Property 1 of DP, it can be seen that it satisfies $ϵ=max\left({ϵ}_j\right)={ϵ}_1$-DP, where $j\in [1,n]$. In the extreme case of $H_1<<H_n$, then ${ϵ}_1>>{ϵ}_n$; this may cause privacy disaster.

Secondly, according to the histogram publishing method adding the same noise to each bin to satisfy $ϵ$-DP, the relative noise of each bin is assumed to be ${\gamma }_j=\frac{\lambda }{H_j}$, where $\lambda =\frac{1}{ϵ}$ and $j\in [1,n]$. In the extreme case where the accuracy requirement of the minimum bin is $\gamma <<{\gamma }_1$, the perturbation has to be implemented with the scale parameter ${\lambda }^{\prime }$ in order to meet the accuracy requirement of the minimum bin, where ${\lambda }^{\prime }=H_1\gamma <<H_1{\gamma }_1=\lambda$. From ${\lambda }^{\prime }=\frac{1}{{ϵ}^{\prime }}<<\lambda =\frac{1}{ϵ}$, it has ${ϵ}^{\prime }>>ϵ$, which also may lead to a privacy disaster.

Although these two solutions can directly meet the availability requirements of small bins, they may violate $ϵ$-DP seriously. Furthermore, as we have learned, the availability of small bins will also impact the overall availability of the histogram. Consequently, if the requirement of satisfying $ϵ$-DP remains, is it feasible to prioritize enhancing the availability of small bins while concurrently considering the histogram’s availability (the mean relative error of histogram)? In the next section, we will propose a sanitization algorithm based on this question.

5. Sanitization Algorithm

In this section, we introduce our sanitization algorithm. We meticulously derive and analyze the grouping rules under the framework of relative error, wherein we propose an approximately greedy optimal grouping strategy (GGS).

5.1. Grouping Rules

According to studies [13,15,19,22], grouping constitutes a prevalent technique in differential privacy histogram publication for enhancing accuracy. The formal definition of histogram grouping is outlined as follows.

Definition 4

(Histogram grouping). Given an original bin sequence $H=\{H_1,H_2,\cdots ,H_n\}$ of the histogram, and assuming that k groups of $C=\{C_1,C_2,\cdots ,C_k\}$ are formed after grouping and each group $C_i$ covers $|C_i|$ bins, the average count ${\overline{C}}_i$ of group $C_i$ is expressed in Formula (7).

$${\overline{C}}_i=\frac{{\sum }_{H_j\in C_i}{H}_j}{|C_i|}$$

(7)

Assume that a sanitized histogram $\tilde{H}=\{{\tilde{H}}_1,{\tilde{H}}_2,\cdots ,{\tilde{H}}_n\}$ satisfies $ϵ$-DP, where each ${\tilde{H}}_j$ represents a sanitized version of $H_j\in H$. For $H_j\in C_i$, it can be seen that

$${\tilde{H}}_j={\overline{C}}_i+\frac{x}{|C_i|},$$

(8)

where $x\sim Lap\left(\lambda \right)$ and $\lambda =\frac{1}{ϵ}.$ Then, the relative error between ${\tilde{H}}_j$ and $H_j$ can be expressed as

$$err\left(H_j\right)=\frac{|{\tilde{H}}_j-H_j|}{max(H_j,\delta )},$$

(9)

where $\delta \ge 0$ serves as a small positive constant to avoid division by zero when $H_j=0$.

When $H_j\ge 1$ and $\delta =1$, the mean relative error between ${\tilde{C}}_i$ and $C_i$ is given by

$$\begin{array}{cc}\hfill err\left(C_i\right)& =\frac{{\sum }_{H_j\in C_i}err\left(H_j\right)}{|C_i|}=\sum _{H_j\in C_i}\frac{\frac{|{\tilde{H}}_j-H_j|}{H_j}}{|C_i|}.\hfill \end{array}$$

(10)

For any $H_j\in C_i$, the expected relative error between ${\tilde{H}}_j$ and $H_j$ can be expressed as

$$\begin{array}{cc}\hfill E\left[err\left(H_j\right)\right]& =E[\frac{|{\tilde{H}}_j-H_j|}{H_j}]=\frac{1}{H_j}E\left[\right|{\tilde{H}}_j-H_j\left|\right],\hfill \end{array}$$

(11)

where

$$E\left[\right|{\tilde{H}}_j-H_j\left|\right]={\int }_{-\infty }^{+\infty }|{\overline{C}}_i+\frac{x}{|C_i|}-H_j|\frac{1}{2\lambda }{e}^{-\frac{\left|x\right|}{\lambda }}dx$$

and $x\sim Lap\left(\lambda \right)$.

Consequently, the expected mean relative error between ${\tilde{C}}_i$ and $C_i$ is given by Formula (12).

$$\begin{array}{cc}\hfill E\left[err\left(C_i\right)\right]& =E\left[\frac{{\sum }_{H_j\in C_i}|{\tilde{H}}_j-H_j|}{|C_i|}\right]\hfill \\ & =\sum _{H_j\in C_i}\frac{1}{H_j}\frac{E\left[\right|{\tilde{H}}_j-H_j\left|\right]}{|C_i|}.\hfill \end{array}$$

(12)

Regarding our problem, we initially present Theorem 1, which offers an approximate characterization of the relative error between sanitized and original bins.

Theorem 1.

Given $C_i$, ${\overline{C}}_i$, $|C_i|$, $H_j\in C_i$, ${\tilde{H}}_j$, and λ, then $E\left[err\left(H_j\right)\right]\approx \frac{1}{H_j}\left(\right|H_j-{\overline{C}}_i|+\frac{\lambda }{|C_i|})$, where $\frac{|H_j-{\overline{C}}_i|}{H_j}$ is the Relative Reconstruction Error ($RRE$) and $\frac{\lambda }{|C_i|H_j}$ is the Relative Noise Error ($RNE$).

Proof. 

In order to obtain $E\left[err\left(H_j\right)\right]$, we need to calculate $E\left[\right|\widetilde{H_j}-H_j\left|\right]$. According to the relationship between $H_j$ and $\overline{C_i}$, the discussion can be divided into the following two cases.

(1)

When $H_j\ge \overline{C_i}$, it has

$$\begin{array}{cc}\hfill E\left[\right|\widetilde{H_j}-H_j\left|\right]& ={\int }_{-\infty }^{+\infty }|{\overline{C}}_i-H_j+\frac{x}{|C_i|}|\frac{1}{2\lambda }{e}^{-\frac{\left|x\right|}{\lambda }}dx\hfill \\ \hfill & ={\int }_{-\infty }^0-({\overline{C}}_i-H_j+\frac{x}{|C_i|})\frac{1}{2\lambda }{e}^{\frac{x}{\lambda }}dx\hfill \\ \hfill & -{\int }_0^{(H_j-{\overline{C}}_i)\left|C_i\right|}({\overline{C}}_i-H_j+\frac{x}{|C_i|})\frac{1}{2\lambda }{e}^{-\frac{x}{\lambda }}dx\hfill \\ \hfill & +{\int }_{(H_j-{\overline{C}}_i)\left|C_i\right|}^{+\infty }({\overline{C}}_i-H_j+\frac{x}{|C_i|})\frac{1}{2\lambda }{e}^{-\frac{x}{\lambda }}dx\hfill \\ \hfill & =H_j-{\overline{C}}_i+\frac{\lambda }{|C_i|}{e}^{-\frac{H_j-{\overline{C}}_i}{\frac{\lambda }{|C_i|}}}.\hfill \end{array}$$

(13)

(2)

When $H_j<\overline{C_i}$, it has

$$\begin{array}{cc}\hfill E\left[\right|\widetilde{H_j}-H_j\left|\right]& ={\int }_{-\infty }^{+\infty }|{\overline{C}}_i-H_j+\frac{x}{|C_i|}|\frac{1}{2\lambda }{e}^{-\frac{\left|x\right|}{\lambda }}dx\hfill \\ \hfill & ={\int }_{-\infty }^{(H_j-{\overline{C}}_i)\left|C_i\right|}-({\overline{C}}_i-H_j+\frac{x}{|C_i|})\frac{1}{2\lambda }{e}^{\frac{x}{\lambda }}dx\hfill \\ \hfill & +{\int }_{(H_j-{\overline{C}}_i)\left|C_i\right|}^0({\overline{C}}_i-H_j+\frac{x}{|C_i|})\frac{1}{2\lambda }{e}^{\frac{x}{\lambda }}dx\hfill \\ \hfill & +{\int }_0^{+\infty }({\overline{C}}_i-H_j+\frac{x}{|C_i|})\frac{1}{2\lambda }{e}^{-\frac{x}{\lambda }}dx\hfill \\ \hfill & ={\overline{C}}_i-H_j+\frac{\lambda }{|C_i|}{e}^{\frac{H_j-{\overline{C}}_i}{\frac{\lambda }{|C_i|}}}.\hfill \end{array}$$

(14)

Based on (13) and (14), it can be seen that

$$E\left[\right|\widetilde{H_j}-H_j\left|\right]=|{\overline{C}}_i-H_j|+\frac{\lambda }{|C_i|}{e}^{\frac{|H_j-{\overline{C}}_i|}{-\frac{\lambda }{|C_i|}}}.$$

(15)

Therefore, $E\left[\right|\widetilde{H_j}-H_j\left|\right]$ is mainly composed of two parts, where the part $|{\overline{C}}_i-H_j|$ is caused by grouping and the other part $\frac{\lambda }{|C_i|}{e}^{-\frac{|H_j-{\overline{C}}_i|}{\frac{\lambda }{|C_i|}}}$ is caused by both grouping and Laplace noise injected. It is easy to obtain $\frac{\lambda }{|C_i|}{e}^{-\frac{|H_j-{\overline{C}}_i|}{\frac{\lambda }{|C_i|}}}\le \frac{\lambda }{|C_i|}.$

Approximately, we use $|H_j-{\overline{C}}_i|+\frac{\lambda }{|C_i|}$ to represent the relative error between ${\tilde{H}}_j$ and $H_j$. Therefore, $E\left[err\left(H_j\right)\right]\approx \frac{1}{H_j}\left(\right|H_j-{\overline{C}}_i|+\frac{\lambda }{|C_i|})$ approximately, where $\frac{|H_j-{\overline{C}}_i|}{H_j}$ is the Relative Reconstruction Error ($RRE$) and $\frac{\lambda }{|C_i|H_j}$ is the Relative Noise Error ($RNE$). From the above discussion, the result follows. □

Hence, the expectation of the mean relative error of $C_i$ is

$$E\left[err\left(C_i\right)\right]=\sum _{H_j\in C_i}\frac{1}{H_j}\frac{|H_j-{\overline{C}}_i|+\frac{\lambda }{|C_i|}}{|C_i|}.$$

(16)

Theorem 2.

Assuming that $H_j\in C_i$ and $H_j\le {\overline{C}}_i$, suppose there two bins $H_l$ and $H_{l^{\prime }}$ exist such that $H_j\le H_l\le H_{l^{\prime }}$. Then, the relative error incurred by grouping $H_l$ into $C_i$ is less than that resulting from grouping $H_{l^{\prime }}$ into $C_i$.

Proof. 

From $H_j\in C_i$, it has $E\left[err\left(H_j\right)\right]=\frac{1}{H_j}\left(\right|H_j-{\overline{C}}_i|+\frac{\lambda }{|C_i|})$, where $RRE=\frac{|H_j-{\overline{C}}_i|}{H_j}$ and $RNE=\frac{\lambda }{|C_i|H_j}$. If we add $H_l$ to $C_i$, it has

$$E\left[err\left(H_j\right)\right]=\frac{1}{H_j}\left(\right|H_j-\frac{{\overline{C}}_i\left|C_i\right|+H_l}{|C_i|+1}|+\frac{\lambda }{|C_i|+1}),$$

(17)

where $RR{E}_1=\frac{1}{H_j}|H_j-\frac{{\overline{C}}_i\left|C_i\right|+H_l}{|C_i|+1}|$ and $RN{E}_1=\frac{1}{H_j}\frac{\lambda }{|C_i|+1}$. If we add $H_{i^{\prime }}$ to $C_i$, it has

$$\begin{array}{cc}\hfill E\left[err\left(H_j\right)\right]& =\frac{1}{H_j}|H_j-\frac{{\overline{C}}_i\left|C_i\right|+H_{i^{\prime }}}{|C_i|+1}|+\frac{1}{H_j}\frac{\lambda }{|C_i|+1},\hfill \end{array}$$

(18)

where $RR{E}_2=\frac{1}{H_j}|H_j-\frac{{\overline{C}}_i\left|C_i\right|+H_{i^{\prime }}}{|C_i|+1}|$ and $RN{E}_2=\frac{1}{H_j}\frac{\lambda }{|C_i|+1}$. Since $H_j\le {\overline{C}}_i$ and $H_j\le H_l\le H_{l^{\prime }}$, it has

$$\begin{array}{cc}\hfill RR{E}_1& =\frac{1}{H_j}|H_j-\frac{{\overline{C}}_i\left|C_i\right|+H_l}{|C_i|+1}|=\frac{1}{H_j}(\frac{{\overline{C}}_i\left|C_i\right|+H_l}{|C_i|+1}-H_j)\hfill \end{array}$$

(19)

and

$$\begin{array}{cc}\hfill RR{E}_2& =\frac{1}{H_j}|H_j-\frac{{\overline{C}}_i\left|C_i\right|+H_{l^{\prime }}}{|C_i|+1}|\hfill \\ \hfill & =\frac{1}{H_j}(\frac{{\overline{C}}_i\left|C_i\right|+H_l}{|C_i|+1}-H_j+\frac{H_{l^{\prime }}-H_l}{|C_i|+1})\hfill \\ \hfill & \ge \frac{1}{H_j}|H_j-\frac{{\overline{C}}_i\left|C_i\right|+H_l}{|C_i|+1}|\hfill \\ \hfill & =RR{E}_1.\hfill \end{array}$$

(20)

Therefore, the result follows. □

Theorem 2 shows that if a bin smaller than the average of the current group is added, the relative error of the current group adding another bin closer to the bin is smaller than that of adding another bin farther away from the bin.

Theorem 3.

When $|C_i|$ gets bigger, $RNE$ gets smaller.

Proof. 

Assuming that $H_j\in C_i$, it has $E\left[err\left(H_j\right)\right]=\frac{1}{H_j}\left(\right|H_j-{\overline{C}}_i|+\frac{\lambda }{|C_i|})$ with $RNE=\frac{\lambda }{H_j\left|C_i\right|}$. Therefore, the result follows. □

Theorem 3 demonstrates that the more bins a group contains, the smaller the Relative Noise Error ($RNE$) for each individual bin within that group. Theorems 2 and 3 collectively facilitate enhancing the accuracy of smaller bins during the grouping process of a new bin. Proceeding further in this section, we delve into analyzing the relative error associated with a solitary bin situated within a fixed group, leading us to the derivation of Theorem 4.

Theorem 4.

Given $C_i$, ${\overline{C}}_i$, $|C_i|$, $H_j\in C_i$, and λ, then it has the following cases.

(1) 

When $|C_i|{\overline{C}}_i<\lambda$, $E\left[err\left(H_j\right)\right]$ decreases as $H_j$ increases;

(2) 

When $|C_i|{\overline{C}}_i\ge \lambda$, two cases exist as follows.

(i) 

If $H_j\le {\overline{C}}_i$, then $E\left[err\left(H_j\right)\right]$ decreases as $H_j$ increases;

(ii) 

If $H_j>{\overline{C}}_i$, then $E\left[err\left(H_j\right)\right]$ increases as $H_j$ increases.

Proof. 

Let $f\left(x\right)=\frac{1}{x}\left(\right|x-{\overline{C}}_i|+\frac{\lambda }{|C_i|}),$ where $x>0$ is the variable for $H_j$, and the derivative $f\left(x\right)$ can be obtained as follows:

$$\frac{df\left(x\right)}{dx}=\left\{\begin{array}{cc}\hfill & -\frac{{\overline{C}}_i}{x^2}-\frac{\lambda }{x^2\left|C_i\right|},0<x\le {\overline{C}}_i\hfill \\ \hfill & \frac{{\overline{C}}_i}{x^2}-\frac{\lambda }{x^2\left|C_i\right|},x>{\overline{C}}_i\hfill \end{array}.\right.$$

(21)

i.e.,

$$\begin{array}{cc}\hfill \frac{df\left(x\right)}{dx}& =\left\{\begin{array}{cc}\hfill & <0,0<x\le {\overline{C}}_i\hfill \\ \hfill & \ge 0,x>{\overline{C}}_i,\left|C_i\right|{\overline{C}}_i\ge \lambda \hfill \\ \hfill & <0,x>{\overline{C}}_i,\left|C_i\right|{\overline{C}}_i<\lambda \hfill \end{array}\right.\hfill \end{array}$$

(22)

Thus, the result follows. □

Example 1.

When $ϵ=0.0005$, $\lambda =\frac{1}{ϵ}=2000,$ ${\overline{C}}_i=100$, and $|C_i|=10$, it has $|C_i|{\overline{C}}_i<\lambda$. Assuming that $H_j\in C_i$, the change of $ln\left(E\left[err\left(H_j\right)\right]\right)$ with respect to $H_j$ is illustrated in Figure 1. When $ϵ=0.01$, $\lambda =\frac{1}{ϵ}=100,$ ${\overline{C}}_i=100$, and $|C_i|=10$, it has $|C_i|{\overline{C}}_i\ge \lambda$. Assume that $H_j\in C_i$; the behavior of $ln\left(E\left[err\left(H_j\right)\right]\right)$ as $H_j$ varies is shown in Figure 2. Finally, the conclusions of Theorem 4 are intuitively demonstrated directly through Figure 1 and Figure 2.

Given $H=\{H_1,H_2,\cdots ,H_n\}$ in order from small to large, Theorem 4 shows that the maximum relative error of the histogram in each group depends on the bins at both ends.

Theorem 5.

Given $C_i$, ${\overline{C}}_i$, $|C_i|$, $H_j\in C_i$, and λ with $\lambda =\frac{1}{ϵ}$, then $E\left[err\left(H_j\right)\right]$ increases with the increase in λ (or the decrease in ϵ) and decreases otherwise.

Proof. 

From $E\left[err\left(H_j\right)\right]=\frac{1}{H_j}\left(\right|H_j-\overline{C_i}|+\frac{\lambda }{|C_i|})$, $E\left[err\left(H_j\right)\right]$ increases with the increase in $\lambda$; otherwise, it decreases. When $\lambda =\frac{1}{ϵ}$, $E\left[err\left(H_j\right)\right]$ increases with the decrease in $ϵ$; otherwise, it decreases. □

Theorem 6.

Given $C_i$, ${\overline{C}}_i$, $|C_i|$, $H_j\in C_i$, and λ, the monotonicity of $E\left[err\left(C_i\right)\right]$ on $H_j$ is the same as the monotonicity of $E\left[err\left(H_j\right)\right]$ on $H_j$.

Proof. 

Since

$$\begin{array}{cc}\hfill E\left[err\left(C_i\right)\right]& =E[\frac{{\sum }_{H_j\in C_i}err\left(H_i\right)}{|C_i|}]=\frac{{\sum }_{H_j\in C_i}err\left(H_i\right)}{|C_i|}=\sum _{H_j\in C_i}\frac{\frac{|H_j-{\overline{C}}_i|+\frac{\lambda }{|C_i|}}{H_j}}{|C_i|},\hfill \end{array}$$

(23)

Theorem 6 can be proved by using the method of Theorem 4 similarly, and the monotonicity of $E\left[err\left(C_i\right)\right]$ on $H_j$ is consistent with that of $E\left[err\left(H_j\right)\right]$ on $H_j$. □

From Theorems 1–3, in order to reasonably solve the problem considered in this paper, the following two grouping rules are needed at least.

• A sorting from small to large is favorable to improve the availability of small bins first.
• The closer bins should be divided into the same group as much as possible to reduce the relative error.

Based on the two grouping rules above, we formulate the following optimization problem, referred to as OP.

OP: Given a histogram $H=\{H_1,H_2,\dots ,H_n\}$ sorted in ascending order and a privacy budget $ϵ$, the goal is to partition H into k non-overlapping groups $C=\{C_1,C_2,\dots ,C_k\}$, such that ${\bigcup }_i{C}_i=H$ and $C_i\cap C_j=\varnothing$ for all $i\ne j$ and $k\ge 2$. Define the average error as $er{r}_{Avg}=\frac{{\sum }_{C_i\in C}{\sum }_{H_j\in C_i}E\left[err\left(H_j\right)\right]}{n}$, where the objective is to find an optimal grouping $C^{\ast }=\{C_1^{\ast },C_2^{\ast },\dots ,C_k^{\ast }\}$ that minimizes $er{r}_{Avg}$, i.e., $C^{\ast }=arg{min}_{C}er{r}_{Avg}$. Here, the error for each bin $H_j$ is given by $err\left(H_j\right)=\frac{|{\tilde{H}}_j-H_j|}{H_j}$, with ${\tilde{H}}_j={\overline{C}}_i+\frac{Lap\left(\lambda \right)}{|C_i|}$ and the noise scale $\lambda =\frac{1}{ϵ}$.

The OP problem, which is founded on the dynamic programming technique introduced in [19], incurs a complexity of $O\left(k{n}^2\right)$ when k is predefined. Furthermore, in cases where k is not specified, determining the optimal grouping escalates to a complexity of $O\left(n^4\right)$. Consequently, this approach becomes impractical for large real-world datasets due to computational intensity. To address this, the paper introduces a greedy optimal grouping strategy, designated as the GP (Greedy Problem), without predetermining k. Incorporating Theorems 4–6, the formal description of the GP is as follows.

The GP: Given a histogram $H=\{H_1,H_2,\dots ,H_n\}$ sorted in ascending order and a privacy parameter $ϵ$, the task is to divide H into k non-overlapping groups $C=\{C_1,C_2,\dots ,C_k\}$, where the number of groups satisfies $1\le k\le n$, such that ${\bigcup }_{i=1}^k{C}_i=H$ and for any pair of distinct groups $C_i$ and $C_q$, $C_i\cap C_q=\varnothing$ (with the condition applicable when $k\ge 2$). The objective is to identify a grouping configuration $C^{\ast }=\{C_1^{\ast },C_2^{\ast },\dots ,C_k^{\ast }\}$ that adheres to Equation (24).

$$\begin{array}{cc}\hfill & max\{|C_i||E\left[err(C_i\cup H_j)\right]<\frac{E\left[err\left(C_i\right)\right]\left|C_i\right|+E{\left[err\left(H_j\right)\right]}^{\ast }}{\left(\right|C_i|+1)}\},\hfill \end{array}$$

(24)

where

$$E\left[err\left(C_i\right)\right]=\sum _{H_i\in C_i}\frac{1}{H_i}\left(\right|H_i-{\overline{C}}_i|+\frac{\lambda }{|C_i|})/|C_i|,$$

(25)

$$\begin{array}{cc}\hfill & E\left[err(C_i\cup H_j)\right]=\sum _{H_r\in (C_i\cup H_j)}\frac{1}{H_i}\left(\right|H_r-{\overline{C^{\prime }}}_i|+\frac{\lambda }{|C_i|+1})/(|C_i|+1),\hfill \end{array}$$

(26)

$${\overline{C}}_i^{\prime }=({\overline{C}}_i|C_i|+H_j)/(|C_i|+1),$$

(27)

$$\begin{array}{cc}\hfill & E{\left[err\left(H_j\right)\right]}^{\ast }=mi{n}_{j+1\le e\le n}(E\left[err\left(H_j\right)\right]|H_j\in C_{\{H_j,\cdots ,H_e\}})\hfill \end{array}$$

(28)

and

$$\lambda =\frac{1}{ϵ}.$$

(29)

Therein, Formula (28) defines $C_{\{H_j,\dots ,H_e\}}$ as a group comprising bins $H_j,\dots ,H_e$.

From Formula (24), it is evident that, apart from computing $E\left[err(C_i\cup H_j)\right]$ and $E\left[err\left(C_i\right)\right]$, it is also necessary to calculate

$$E{\left[err\left(H_j\right)\right]}^{\ast }=\underset{j+1\le e\le n}{min}\left(E\left[err\left(H_j\right)\right]\mid H_j\in C_{\{H_j,\dots ,H_e\}}\right).$$

(30)

Formula (30) varies each time the composition of groups changes and thus requires recalculation accordingly. This differs from operations involving mean square error, which can often be simplified via decomposition into the sum of squares and the square of the sums, enhancing computational efficiency. Consequently, in scenarios where k is not predetermined, the operational efficiency can be relatively low for large real-world datasets. To address this, we propose the following approximately greedy optimal grouping strategy.

5.2. GGS

Definition 5

($GGS$). Assuming that $H=\{H_1,H_2,$$\cdots ,$$H_n\}$ satisfies the sorting from small to large and is grouped in order, the number of groups is k with $1\le k\le n$ and for the ith $(1\le i\le k-1)$ dividing point is

$$\begin{array}{cc}\hfill d_i& =max\{j|E\left[err(C_i\cup H_j)\right]<\frac{E\left[err\left(C_i\right)\right]\left|C_i\right|+\frac{\lambda }{(n-j+1)H_j}}{|C_i|+1}\},\hfill \end{array}$$

(31)

then, the grouping strategy formed by $\{d_1,d_2,\cdots ,$$d_{k-1}\}$ is called the approximately greedy optimal grouping strategy and denoted as $GGS$.

Specifically, the approximate greedy bound defined in Definition 5 is chiefly derived from Theorem 7, and it can be utilized for the greedy grouping procedure.

Theorem 7.

$$E{\left[err\left(H_j\right)\right]}^{\ast }\ge \frac{\lambda }{(n-j+1)H_j}.$$

(32)

Proof. 

From

$$\begin{array}{cc}\hfill E{\left[err\left(H_j\right)\right]}^{\ast }& =mi{n}_{j+1\le e\le n}(E\left[err\left(H_j\right)\right]|H_j\in C_{\{H_j,\cdots ,H_e\}})\hfill \\ \hfill & =min(RRE+NRE)\hfill \\ \hfill & \ge min\left(RRE\right)+min\left(NRE\right)\hfill \\ \hfill & \ge \frac{\lambda }{(n-j+1)H_j},\hfill \end{array}$$

(33)

the result follows. □

5.3. SReB_GCA

In the preceding subsection, the GGS method initially requires sorting. However, directly sorting the original histogram H would violate $ϵ$-differential privacy. Consequently, a fraction of the total privacy budget, designated as ${ϵ}_1$, is allocated to perform the sorting of H in ascending order in compliance with ${ϵ}_1$-DP. Subsequently, the SReB_GCA histogram publishing algorithm is designed, incorporating the grouping principles discussed, along with the approximate greedy optimization strategy outlined in GGS. Detailed descriptions of the algorithm can be found in Algorithms 1 and 2.

Algorithm 1 SReB_GCA

Require:  Histogram $H=\{H_1,H_2,\cdots ,H_n\}$ and privacy budget $ϵ$ Ensure:  Sanitized histogram $\tilde{H}$ 1: $ϵ={ϵ}_1+{ϵ}_2$, ${\lambda }_1=\frac{1}{{ϵ}_1}$ and ${\lambda }_2=\frac{1}{{ϵ}_2}$; 2: $\widehat{H}=H+{〈Lap\left({\lambda }_1\right)〉}^n$; 3: $\widehat{H}$ = Ascending${}_{Sort}$$\left(\widehat{H}\right)$; 4: $S=GGS(\widehat{H},{\lambda }_2)$; $//$S stands for a group strategy, i.e., a set of segmentation points 5: $C=Grouping(H,S)$; 6: for $i=1$ to $\left|C\right|$ do 7:  $\overline{C_i}={\sum }_{H_j\in C_i,C_i\in C}\frac{H_j}{|C_i|}$ 8: end for 9: for each $H_j\in H$ do 10:  ${\tilde{H}}_j={\overline{C}}_i+\frac{Lap\left({\lambda }_2\right)}{|C_i|}$, where $H_j\in C_i$; 11: end for 12: return  $\tilde{H}=\{{\tilde{H}}_1,{\tilde{H}}_2,\cdots ,{\tilde{H}}_n\}$

Algorithm 2 GGS$(\widehat{H},{\lambda }_1)$

Require:  Sorted histogram $\widehat{H}$ from small to large, and scale parameter ${\lambda }_1$ Ensure:  Grouping strategy S 1: $S=\varnothing$; 2: $l=1$; 3: $C_i=\left\{{\widehat{H}}_1\right\}$; 4: for $r=l+1$ to n do 5:  min = E[err$(C_i\cup {\widehat{H}}_r)$]; 6:  tmp = $(E\left[err\left(C_i\right)\right]|C_i|+\frac{{\lambda }_2}{(n-r+1){\widehat{H}}_r})/(|C_i|+1)$; 7:  if min<tmp then 8:   $d<r$; 9:   $C_i=C_i\cup {\widehat{H}}_r$; 10:  else 11:   $S=S\cup \left\{d\right\}$; 12:   $l=d+1$; 13:   $C_i=\left\{{\widehat{H}}_l\right\}$; 14:  end if 15: end for 16: return  S

Moreover, we can obtain two corollaries, Corollaries 1 and 2, related to SReB_GCA from the perspective of privacy and relative error respectively.

Corollary 1.

SReB_GCA in Algorithm 1 satisfies ϵ-DP.

Proof. 

SReB_GCA in Algorithm 1 divides the privacy budget $ϵ$ into ${ϵ}_1$ and ${ϵ}_2$, where ${ϵ}_1$ is used to realize the perturbation of the original histogram in Line 2, and ${ϵ}_2$ is used to perturb the mean value of a group in Lines 9–11. According to Property 2, SReB_GCA satisfies ${ϵ}_1+{ϵ}_2=ϵ$-DP. □

Corollary 2.

Given the group $C_i$ obtained by SReB_GCA in Algorithm 1, the mean value is ${\overline{C}}_i$, the number of bins is $|C_i|$, ${\widehat{H}}_j\in C_i$ is a bin in the group, and ${\tilde{H}}_j$ is the sanitization of ${\widehat{H}}_j$; then, the relative error $E\left[err\left({\widehat{H}}_j\right)\right]$ is approximately $\frac{1}{{\widehat{H}}_j}\left(\right|{\widehat{H}}_j-{\overline{C}}_i|+\frac{{\lambda }_2}{|C_i|})$, where $\frac{|{\widehat{H}}_j-{\overline{C}}_i|}{{\widehat{H}}_j}$ is $RRE$ and $\frac{{\lambda }_2}{{\widehat{H}}_j\left|C_i\right|}$ is $RNE$ with ${\lambda }_2=\frac{1}{{ϵ}_2}$.

Proof. 

From Theorem 1, we can obtain the result when $\lambda ={\lambda }_2.$ □

6. Experimental Evaluation

To the best of our knowledge, no attention has been paid to the DP histogram publishing for small data, except for the relative error of the whole average case considered in some studies [28,29,31,32]. Therefore, our paper sets a benchmark method DP_BASE as its competitor. In addition, we also compare our method with AHP in the study [22] in terms of the availability of data distribution, which is one of the classical methods in DP histogram publishing. In this paper, the benchmark method is denoted as DP_BASE, which uses the Laplace mechanism to directly perturb a histogram and then publishes it. Under the same $ϵ$-DP, the availability of our SReB_GCA is compared with DP_BASE, and it evaluates the performance using the single-value query, range query, and data distribution.

6.1. Experimental Settings

(1) Datasets

Waitakere, Search Log, NetTrace, and Social Network are used for experiments in this paper, which are commonly employed in histogram publishing [13,14,19]. Among them, Waitakere is a semi-synthetic dataset derived from the 2006 Census Meshblock Dataset of New Zealand, comprising a total population of 186,471 spread across 1340 meshblocks. Search Log is a synthetic dataset of search query logs featuring the keyword “Obama”, covering the period from 1 January 2004 to 9 August 2009. This timeframe is divided into 32,768 intervals, each lasting 90 min. Each interval represents a bin of the histogram, used to tally the number of queries within those 90-min segments. NetTrace documents IP-level network traces garnered from a university’s intranet, where every internal host aligns with a histogram bin to enumerate the connecting external hosts. The Social Network dataset archives the friendships of 11,000 social networking platform users, with each user profile detailing their friend count. We consolidate the attributes of these datasets in

Table 1. Expermental dataset characteristics.

Dataset	$\left|\mathit{H}\right|$	Mean	Variance	Count Range
Waitakere	7725	24.13	4764.57	[0, 467]
Search Log	32,768	10.25	577.31	[0, 496]
NetTrace	65,536	0.39	91.01	[0, 1423]
Social Network	11,342	59.49	2995	[1, 1678]

. Moreover, Figure 3 illustrates that the prevalence of smaller bins is significantly high across all these datasets. Throughout the graphical representations from Figure 3, Figure 4, Figure 5 and Figure 6, the y-axis employs a logarithmic scale with a base of 10.

(2) Utility metrics and parameter settings

Combined popular data analysis tasks, which involve checking data distributions and answering single-value or range queries [13], utilize mean relative error (MRE) and Kullback–Leibler Divergence (KLD) as metrics to assess the utility of the released histograms.

(a) Single-value query. The performance of these two methods on different single values of queries with different privacy parameters ($ϵ=1,0.1,0.01$) is explored, and the mean relative error of the same value of the bins is used to verify the accuracy of their reports and is symbolized as $MR{E}_{single}$.

$$MR{E}_{single}=\frac{1}{|{\mathbf{Q}}_{\mathbf{k}}|}\sum _{H_j\in {\mathbf{Q}}_{\mathbf{k}}}\frac{|H_j-{\tilde{H}}_j|}{max(H_j,\delta )}$$

(34)

where ${\mathbf{Q}}_{\mathbf{k}}$$=\left\{H_j\right|H_j=k,H_j\in H,k\in [min\left(H\right),max\left(H\right)]\}$, and $\delta =1$ in this paper.

$\left(\mathbf{b}\right)\mathbf{Range}$ $\mathbf{query}.$ The performance of two methods on different ranges of queries with varying privacy parameters ($ϵ=1,0.1,0.01$) is explored, with the mean relative error in the query range employed to validate the accuracy of their responses, symbolized as $MR{E}_{range}$.

$$MR{E}_{range}=\frac{1}{|{\mathbf{Q}}_{\mathbf{i}}|}\sum _{q_j\in {\mathbf{Q}}_{\mathbf{i}}}\frac{|q_j-{\tilde{q}}_j|}{max(q_j,\delta )}$$

(35)

where ${\mathbf{Q}}_i$ denotes the set of all queries within scope i, $q_j$ represents one query within scope i, ${\tilde{q}}_j$ is the sanitized version of $q_j$, $i\in \{1,50,100,150,200,250,300,350,400,450,500\}$, $j\in [1,|H|-i+1]$, and $\delta =1$ in this paper.

$\left(\mathbf{c}\right)\mathbf{Data}$ $\mathbf{distribution}.$ The KLD (Kullback–Leibler Divergence), which is used to quantify the difference between two probability distributions where a smaller KLD indicates higher similarity and a larger value denotes greater dissimilarity, is investigated for two methods employing distinct privacy parameters ($ϵ=1,0.1,0.01$).

$$KLD=\sum _{j=1}^{\left|H\right|}{H}_{j}log\frac{H_j}{{\tilde{H}}_j}.$$

(36)

6.2. Experimental Results

(1) Single-value query. Figure 4 illustrates the behavior of the SReB_GCA and DP_BASE methods as they handle single-value queries across various privacy parameter settings. Notably, our proposed SReB_GCA method demonstrates a more consistent mean relative error performance compared to the DP_BASE method across different bin sizes. Specifically, it significantly enhances the accuracy for smaller bins without imposing a substantial detriment to the error rates of larger bins. The experiments conducted on the four datasets, depicted in Figure 4a–d, collectively confirm the efficacy of the SReB_GCA method in achieving a balanced reduction in relative errors, particularly for bins with lower counts.

(2) Range query. Figure 5 illustrates the performance of the SReB_GCA and DP_BASE methods in response to range queries for varying privacy parameters. It indicates that the SReB_GCA method achieves higher accuracy across different range queries compared to the DP_BASE method. Furthermore, the experimental results from the four datasets presented in Figure 5a–d reveal an improving trend in range query accuracy as the privacy parameter $ϵ$ increases.

(3) Data distribution. Based on the KLD metric, Figure 6 illustrates that the distribution generated by the SReB_GCA method in this paper is closer to the true data distribution compared to the DP_BASE method. Moreover,

Table 2. KLD with SReB_GCA and AHP.

Dataset	Method	$\mathit{ϵ}=1$	$\mathit{ϵ}=0.1$	$\mathit{ϵ}=0.01$
Waitakere	AHP	0.018	0.203	0.467
	SReB_GCA	0.0004	0.056	0.171
Search Log	AHP	0.054	0.103	0.189
	SReB_GCA	0.0001	0.009	0.099
NetTrace	AHP	0.153	0.572	1.229
	SReB_GCA	0.004	0.092	0.252
Social Network	AHP	0.071	0.309	0.825
	SReB_GCA	0.0001	0.003	0.099

demonstrates that our SReB_GCA method achieves a smaller KLD value than the AHP method reported in study [22], indicative of a distribution that is closer to the genuine data. Study [22] is designed based on the absolute value error, and its optimization objective is different from the one we are considering, but it is comparable in terms of KLD for evaluating the performance of data distribution. Considering that study [22] reports smaller KLD values across a range of privacy parameters $ϵ$ compared to other studies [13,15,19], the SReB_GCA method introduced herein excels in KLD performance over these preceding works, thereby producing sanitized data of superior quality.

7. Conclusions

To enhance the poor relative accuracy of small bins in histograms under $ϵ$-DP, we propose the SReB_GCA sanitization algorithm. SReB_GCA encompasses sorting and greedy grouping stages, with sorting conducted from smallest to largest to prioritize optimizing smaller bins. The grouping incorporates a lower bound on the mean relative error to inform an effective grouping strategy. Experiments on four real-life and synthetic datasets demonstrate that SReB_GCA effectively optimizes the reconstruction and noise errors of small bins, striking a good balance between the utility of small and large bins. Coupled with KLD, it is validated that our SReB_GCA outperforms the baseline method (DP_BASE) and several classic DP histogram publishing techniques in terms of data utility. The feasibility of the histogram publishing model based on the centralized differential privacy proposed in this paper has been validated on various datasets, including Waitakere, Search Log, NetTrace, and Social Network. However, the algorithm presented herein is tailored for static histogram publication; further in-depth investigation is warranted to ascertain its generality under streaming release conditions. Moreover, given the heightened sensitivity of medical and health data, we anticipate that our algorithm, as presented in this paper, will find suitable application scenarios in the crucial domain of medical and health data privacy protection, thereby further propelling advancements in this field. Lastly, exploring how to adapt the proposed algorithm within the context of local differential privacy (LDP) scenarios, such as in simple, high-dimensional, streaming, or dynamic LDP histogram publishing instances as seen in [33,34,35,36], presents an intriguing avenue for further study.