Abstract 1 Introduction 2 Preliminaries 3 Hardness in the -metric 4 Hardness in the Euclidean metric 5 Conclusion and Open Questions References Appendix A Hardness from [43] in terms of Promise Sanitizer

Computational Hardness of Private Coreset

Badih Ghazi ORCID Google Research, Mountain View, CA, USA    Cristóbal Guzmán ORCID Pontificia Universidad Católica de Chile, Santiago, Chile    Pritish Kamath ORCID Google Research, Mountain View, CA, USA    Alexander Knop ORCID Google Research, Mountain View, CA, USA    Ravi Kumar ORCID Google Research, Mountain View, CA, USA    Pasin Manurangsi ORCID Google Research, Bangkok, Thailand
Abstract

We study the problem of differentially private (DP) computation of coreset for the k-means objective. For a given input set of points, a coreset is another set of points such that the k-means objective for any candidate solution is preserved up to a multiplicative (1±α) factor (and some additive factor).

We prove the first computational lower bounds for this problem. Specifically, assuming the existence of one-way functions, we show that no polynomial-time (ε,1/nω(1))-DP algorithm can compute a coreset for k-means in the -metric for some constant α>0 (and some constant additive factor), even for k=3. For k-means in the Euclidean metric, we show a similar result but only for α=Θ(1/d2), where d is the dimension.

Keywords and phrases:
Differentially Private Clustering, Coreset, Cryptographic Hardness
Copyright and License:
[Uncaptioned image] © Badih Ghazi, Cristóbal Guzmán, Pritish Kamath, Alexander Knop, Ravi Kumar, and
Pasin Manurangsi; licensed under Creative Commons License CC-BY 4.0
2012 ACM Subject Classification:
Theory of computation Computational complexity and cryptography
; Security and privacy
Editor:
Huijia (Rachel) Lin

1 Introduction

The widespread collection and use of personal data has necessitated rigorous frameworks for preserving individual privacy. Differential Privacy (DP), introduced by Dwork et al. [15, 14], has established itself as the gold standard framework, enabling data release while protecting the confidentiality of users. Roughly speaking, DP requires that the output distributions of the algorithm on two neighboring input datasets – those that differ on a single user’s input – to be similar. The similarity is measured by two parameters ε,δ0; the standard setting, which will also be our focus, is ε=O(1) and δ=1/nω(1), where n denotes the input dataset size (Definition 1). The DP framework has been successfully deployed in various large-scale applications, such as those by the U.S. Census Bureau [1] and Google’s RAPPOR [17].

Among the myriad of data analysis tasks, clustering remains a fundamental primitive in unsupervised learning. Consequently, a significant body of research has been dedicated to designing clustering algorithms that satisfy DP [6, 29, 4, 21, 39, 38, 33, 42, 26, 7, 24, 34]. While most of these works focus on developing efficient algorithms that output a final set of cluster centers, many of them employ a private coreset as a subroutine.

Recall that a coreset is another (possibly weighted) set of points such that the clustering (e.g., k-means or k-median) objective for any candidate solution is preserved up to a multiplicative (1±α) factor and some additive factor ±β (Definition 6).111As formalized in Definition 6, the additive error β in our notation is normalized so that it always lies in [0,1], unlike some previous work (e.g., [18]) where β is unnormalized and can be as large as n. In non-private settings, coreset computation has been extensively studied with the focus usually on finding a coreset of small size [31, 23, 30, 8, 35, 19, 22, 20, 41, 5, 32, 12, 11, 9]; from this perspective, a coreset can be viewed as a succinct summary of the original dataset. Coresets are highly useful in data analysis since they allow “big data” to be replaced by a “small summary”, thereby drastically reducing the computational cost of downstream algorithms. Furthermore, since the coreset approximates the cost function for any candidate solution, it enables hyperparameter tuning (e.g., k in k-means) and trying multiple heuristics (e.g., different initializations in k-means) efficiently, all without revisiting the massive original dataset.

In the context of privacy, a coreset offers a distinct advantage besides efficiency: it decouples the privacy cost from the analysis. Once a private coreset is computed, an analyst can run any clustering algorithm (e.g., k-means, k-median) on the coreset as many times as desired (for a fixed number of centers), without consuming additional privacy budget. Feldman et al. [18] first introduced the notion of private coresets and showed that they can be constructed information-theoretically with small errors. In particular, they give222Strictly speaking, the bound stated in [18, Corollary 3.3] is β=O~α(k2d2lognεn) and is only for the Euclidean metric. The bound we claim here is by replacing the use of [8] with [13], which works for any metric space with doubling dimension d (including the -metric). an ε-DP algorithm for computing k-median and k-means coresets with β=O~α(kdεn), where d denotes the dimension. Alas, their algorithm is based on the exponential mechanism [37], which is not efficient; specifically, its running time is exponential in both k and d. They also give a more efficient algorithm that removes the exponential dependence on k in the running time, but both the running time and the additive error β now become exponential in d. Subsequent works have explored different DP coreset algorithms for k-means in various settings [26, 7, 34]; yet they all have this exponential dependence and efficient construction has remained a major open challenge.

In this work, we investigate if this computational efficiency barrier is fundamental. Namely,

Does there exist a polynomial-time DP algorithm that returns
a coreset with any approximation factor arbitrarily close to 1?

We remark that, for private coresets, the requirement of small size is not critical: given a privately generated coreset of arbitrary size, one can apply a non-private coreset construction scheme to compress it as a post-processing step. Due to this, we will not enforce the size restriction in the remainder of the paper. Note that this only strengthens our lower bounds.

1.1 Our Contributions

We provide a negative answer to the above question, establishing computational hardness results for private coreset construction. By reducing from the hardness of generating synthetic data [43], we show that efficient private coreset estimation cannot be achieved with standard cryptographic assumptions.

Our main results are the following:

  • Hardness in the -metric333While k-means was first studied in the Euclidean metric, it has by now been well studied on other metrics, including metric; see, e.g., [10] and the references therein.: We prove that, assuming the existence of one-way functions444Since we do not deal with this assumption directly, we refrain from defining one-way functions and discussing their importance. Nevertheless, we note that this is a central assumption in cryptography and detailed discussion can be found in any standard textbook on the topic, e.g., [27]., no polynomial-time (ε,δ)-DP algorithm can construct a coreset for k-means in the -metric that achieves an approximation factor 1±α for some constant α>0, even for k=3 (Theorem 8).

  • Hardness in the Euclidean metric: We extend our analysis to the Euclidean setting and show that for the 2-metric, any efficient private coreset algorithm must incur an approximation error that scales inverse polynomially with the dimension. Specifically, we rule out polynomial-time algorithms achieving an approximation factor better than 1±Θ(1/d2) (Theorem 12).

Our results show a dichotomy: while private coresets exist information-theoretically, they are computationally difficult to find under standard hardness assumptions. We further note that without the coreset size restriction, the non-private version of the problem is trivial, as one can simply output the input dataset. Thus, the computational challenges we present here are truly unique to the private setting.

1.2 Technical Overview

To show computational hardness, we use a reduction from the hardness of privately generating synthetic data for 3-literal disjunctions [43]. Roughly speaking, [43] shows that, for 3-literal disjunction queries, it is hard to sanitize a dataset even in the case where we “promise” that some subset of these queries are always evaluated to one (“satisfiable”) in the input and that we only wish to be accurate on these queries.

Our reduction is somewhat straightforward: We use the same dataset as the above problem (up to scaling)! The main property we need to show here is that, if we can find a DP coreset of such a dataset, then we can use the coreset to construct DP synthetic dataset for the 3-literal disjunction sanitization. Again, this latter step is somewhat straightforward: Given a coreset, we simply round each coordinate to 1 (false) or +1 (true) based on their signs. This completes our reduction.

The main challenge however is to show that this is a valid reduction. Namely, that the output gives accurate estimates of the satisfiable 3-literal disjunctions. It turns out that this can be viewed as a 3-means cost query. Namely, suppose that we have a disjunction consisting of xi1,xi2,xi3 with signs si1,si2,si3 respectively. Then, we can create three centers, where the jth center only has the ij coordinate set to 2sij (and other coordinates being zero). Assuming that each output point x~ belongs to {±1}d, it is simple to verify that the distance is small only when the clause is satisfied. Notice that the “gap” between satisfiable and unsatisfiable in the -metric is constant (i.e., 3) whereas that of the 2-metric depends on d (i.e., 1+Θ(1/d)). This is the reason that we get a constant α in Theorem 8 but requires α that decreases with d in Theorem 12. This completes the high-level overview of our reduction; in the actual proof, we of course cannot assume that each x~ belongs to {±1}d and a significant effort is required to deal with this issue.

1.3 Related Work

Computational lower bounds intrinsic to DP are scarce. Dwork et al. [16] established such lower bounds for generating synthetic data when either the data universe or the number of queries is large (here large means exponential in some underlying size parameter). In particular, they provide a class of queries such that, assuming the existence of one-way functions, no polynomial-time (ε,1/nω(1))-DP can generate a synthetic dataset that closely matches the query values of the input dataset. However, the class of queries produced in their arguments is specifically crafted based on a signature scheme, and does not correspond to a naturally studied query class. Subsequently, Ullman and Vadhan [43] extended the hardness to a large class of queries, including natural ones such as 2-way marginal queries. Their construction is based on the NP-hardness (via Karp reductions) of constraint satisfaction problems (CSPs), which focuses on discrete domains. From this perspective, our work expands the computational hardness landscape of private algorithms to the case of continuous domains, which we hope will stimulate further studies along this direction.

2 Preliminaries

Let 𝟏S{0,1}n denote the indicator vector of a set S[n]; for ease, we use 𝟏i for 𝟏{i}. For v, let sgn(v){1,1} denote the sign of v (where sgn(0)=1); moreover, for xd, let sgn(x){1,1}d denote the coordinate-wise sign of x, i.e., sgn(x)=(sgn(x1),,sgn(xd)).

Let 𝒳 be a domain. For a query f:𝒳[0,1] and a dataset D=(x1,,xn)𝒳n, let the linear query f(D) be defined as f(D):=1ni[n]f(xi)=𝔼xD[f(x)].

2.1 Differential Privacy

We quickly recall the definition of differential privacy (DP) here. Two datasets D,D𝒳 are neighbors iff they are of the same size and they differ on a single value, i.e., D=(x1,,xn),D=(x1,,xn)𝒳n and there exists i[n] such that xi=xi for all ii.

Definition 1 (Differential Privacy [15, 14]).

Let ε0,δ[0,1]. An algorithm 𝒜:𝒳𝒪 is (ε,δ)-differentially private (i.e., (ε,δ)-DP) iff, for any two neighboring datasets D,D and for any subset S𝒪 of outputs, we have

Pr[𝒜(D)S]eεPr[𝒜(D)S]+δ.

2.2 Synthetic Data Generation

As alluded to above, both the starting point of our reduction and the coreset problem itself can be viewed as synthetic data generation problems. An algorithm for generating a synthetic data is also referred to as a “sanitizer”. More formally, a sanitizer 𝒜 is a randomized algorithm that takes in the dataset D𝒳 and outputs another dataset D~𝒳.

2.2.1 Accuracy and Efficiency

The accuracy of the output dataset is often measure against some family of linear queries f:𝒳[0,1]; the following is a standard definition used in literature (e.g. [16, 43]).

Definition 2 (Accuracy).

A dataset D~ is an (,α)-accurate estimate of D iff |f(D~)f(D)|α for all f. A sanitizer 𝒜 is (,α,n)-accurate if for any dataset555We note that the failure probability is usually parameterized in the accuracy notation but here we fix it to 2/3 for simplicity, since we are focusing on proving lower bounds. We note that the probability can be easily reduced by employing DP hyperparameter tuning (e.g., [36, 40, 25]). D𝒳n,
PrD~𝒜(D)[D~ is an (,α)-accurate estimate of D]23.

Throughout our work, we will consider the setting where 𝒳=𝒳dd and, thus, the family of queries d is also parameterized by d. We say that the sanitizer runs in polynomial time if it runs in (nd)O(1) time. Furthermore, the accuracy guarantee has to be against all values of d. In this setting, we define a parameterized family of queries to be a family =dd where d is the family of queries corresponding to 𝒳dd. We can define the accuracy for a parameterized family of queries as follows.

Definition 3 (Accuracy w.r.t. Parameterized Family of Queries).

For a parameterized family of queries =dd where d is the family of queries corresponding to 𝒳dd, we say that a sanitizer 𝒜 is (,α)-accurate if the following holds: There exists a constant ν>0 such that, for all d and nΘ(dν), 𝒜 is (d,α,n)-accurate.

2.2.2 Promise Sanitizer

To prove our results, we will use the hardness result from [43, Theorem 4.4], which actually holds even against a weaker notion which we name promise sanitizers. In words, promise sanitizers only provide the accuracy guarantee on the queries f whose values are one on the entire input dataset. For the queries that violate this condition, promise sanitizers do not provide any accuracy guarantee. This is formalized below.

Definition 4 (Promise sanitizer).

Let be a class of queries and γ[0,1]. 𝒜 is an (,γ,n)-promise sanitizer if PrD~𝒜(D)[f(D~)γ for all f~]2/3, for any dataset D𝒳n and ~ such that f(D)=1 for all f~.

Similar to Definition 3, for a parameterized family of queries =dd, we say that 𝒜 is an (,γ)-promise sanitizer if there exists a constant ν>0 such that, for all d and nΘ(dν), 𝒜 is an (d,γ,n)-promise sanitizer.

Note that a (,1γ)-accurate sanitizer is a (,γ)-promise sanitizer. In other words, a promise sanitizer is a weaker notion compared to an accurate sanitizer. While Ullman and Vadhan [43] only stated their results in term of an accurate sanitizer, we observe that their proof of [43, Theorem 4.4] already yields the hardness for a promise sanitizer as well666See Appendix A for more detail..

To state their result, let d𝟥𝖣𝗂𝗌𝗃 denote the class of all 3-literal disjunctions where the domain is {±1}d (where we think of 1 as “false” and +1 as “true”). More formally, for every (literal indices) 𝐢=(i1,i2,i3)[d]3 and (signs) 𝐬=(s1,s2,s3){±1}3, we define ψ𝐢,𝐬:{±1}d{±1} as follows:

ψ𝐢,𝐬(x)=114(1s1xi1)(1s2xi2)(1s3xi3)

In other words, this is the evaluation of the 3-literal disjunction s1xi1s2xi2s3xi3 on x. We then let d𝟥𝖣𝗂𝗌𝗃:={ψ𝐢,𝐬𝐢[d]3,𝐬{±1}3}, and let 𝟥𝖣𝗂𝗌𝗃 be the parameterized family dd𝟥𝖣𝗂𝗌𝗃. The hardness result we need is as follows.

Theorem 5 ([43]).

Let ε>0 be any constant. Assuming the existence of one-way functions, there is no polynomial-time (ε,1/nω(1))-DP (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitizer for some constant γ(0,1).

2.3 Coreset Estimation

Let 𝔹p,d denote a unit ball in the p-metric on d; i.e., 𝔹p,d:={xd:xp1}. In the p-coreset problem, we consider the domain 𝒳=𝔹p,d. Let p,dk-means denote the family of coreset cost functions; i.e., p,dk-means={cost𝒞,p:𝔹p,d[0,1]𝒞𝔹p,dk}, where cost𝒞,p(x)=minc𝒞xcp2. Finally, we let pk-means be the parameterized family dp,dk-means.

Definition 6 (p-coreset).

A dataset D~𝔹p,d is a (k,p,α,β)-coreset of D𝔹p,d if777We use the same notation as linear queries: for any dataset D, let cost𝒞,p(D)=𝔼xD[cost𝒞,p(x)].

(1α)cost𝒞,p(D)βcost𝒞,p(D~)(1+α)cost𝒞,p(D)+β,

for all 𝒞𝔹p,dk. An algorithm 𝒜 is a (k,p,α,β,d,n)-coreset estimator iff for any dataset D𝔹p,dn, it holds that

PrD~𝒜(D)[D~ is a (k,p,α,β)-coreset of D]2/3.

Similar to Definition 3, we say that 𝒜 is a (k,p,α,β)-coreset estimator if there exists a constant ν>0 such that, for all d and nΘ(dν), 𝒜 is a (k,p,α,β,d,n)-coreset estimator.

As explained in the introduction, we do not require that the private coreset be small. We also note that, unlike standard notations of coreset, we also require the coreset to be unweighted for notational convenience. Since there is no restriction on the coreset size and we allow an additive error β, this is w.l.o.g. because we can always rescale the weights by a large factor (e.g., O(|D~|/β)) and round them to integers to obtain an unweighted dataset.

Also, to avoid dealing with two parameters α,β, it will be more convenient to work with the accuracy definition of the sanitizer (Definitions 2 and 3) instead. Indeed, it is simple to see that any algorithm that solves (k,p,α,β)-coreset is also an accurate sanitizer for the query family pk-means, as formalized below.

Observation 7.

Any (k,p,α,β)-coreset estimator is an (pk-means,4α+β)-accurate sanitizer.

Proof.

This follows immediately from the definition of coreset, since cost𝒞,p(D)[0,2].

3 Hardness in the -metric

In this section, we prove the hardness of computing DP coreset in the -metric:

Theorem 8.

Let ε>0 be any constant. Assuming the existence of one-way functions, there is no polynomial-time (ε,1/nω(1))-DP algorithm for the (3,,α,β)-coreset estimation problem for some constant α,β>0.

As alluded to earlier, it is more convenient to prove the hardness in terms of sanitizer, as stated in Theorem 9 below. Due to Observation 7, Theorem 8 follows as an immediate corollary of Theorem 9.

Theorem 9.

Let ε>0 be any constant. Assuming the existence of one-way functions, there is no polynomial-time (ε,1/nω(1))-DP (k-means,ξ)-accurate sanitizer for k=3 and some constant ξ[0,1).

The proof of this theorem follows closely the outline in Section 1.2. Namely, for an input dataset D for the (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitization problem (where each xD belongs to {1,1}d), we simply construct a dataset D which is D scaled by a factor of κ=12. We then pass D to the coreset estimator and round it to obtain the final output.

As explained in Section 1.2, for each ψ𝟥𝖣𝗂𝗌𝗃, we can construct a 3-means query–where the centers are denoted by 𝒞ψ in the proof below–to check if ψ(D)=1. Since we do not have any guarantee that the coreset only contains points in {κ,κ}d, we additionally consider the origin as a center to prevent any “cheating”. Intuitively, if some coordinates have absolute values larger than κ, then its distance to the origin would be too large. Otherwise, if the absolute values are smaller than κ, then its distance to 𝒞ψ is too large. This is argued formally below in Claim 11.

Proof of Theorem 9.

We prove this by a reduction from the (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitization problem, which is known to be hard from Theorem 5. Assume for the sake of contradiction that there exists a polynomial-time (ε,1/nω(1))-DP (k-means,ξ)-sanitizer 𝒜, where ξ=1γ4.

We construct the (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitizer 𝒜~ as follows. Let κ=12.

  • Let D({±1}d)n be the input.

  • Construct dataset D={x=κxxD}.

  • Run 𝒜(D) to get an output D~.

  • Construct dataset D~={x~=sgn(x~)x~D~}.

  • Output D~.

Since 𝒜~ is a post-processing of 𝒜, the (ε,1/nω(1))-DP guarantee continues to hold.

Next, we will show that 𝒜~ solves the (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitization problem. To do this, assume (the promise) that ψ(D)=1 for all ψ~𝟥𝖣𝗂𝗌𝗃. Since 𝒜 is an (k-means,ξ)-accurate sanitizer, with probability at least 2/3, the following holds for all 𝒞𝔹pk:

|cost𝒞,(𝒜(D))cost𝒞,(D)|=|cost𝒞,(D~)cost𝒞,(D)|ξ. (1)

We will show that, when the above holds, we have ψ(D~)γ for all ψ~.

Let 𝒞𝟎={𝟎}. Furthermore, consider any 3-literal disjunction ψ=ψ𝐢,𝐬 in ~. Recall that the indices of the three literals are i1,i2,i3 and their signs are s1,s2,s3 respectively. Consider centers cψ,1,cψ,2,cψ,3 defined by cψ,j=2κsj𝟏ij. Finally, let 𝒞ψ=(cψ,1,cψ,2,cψ,3).

There are two claims crucial to the proof. The first is a claim that upper bounds cost𝒞𝟎,(x)+cost𝒞ψ,(x) for xD:

Claim 10.

For any xD and ψ~, we have cost𝒞𝟎,(x)+cost𝒞ψ,(x)2κ2.

Proof.

Notice that cost𝒞𝟎,(x)=x2=κ2 for all xD.

Meanwhile, from the assumption that ψ(D)=1, we also have that ψ(x)=1 for all xD. That is, there exists a literal of ψ, say the jth literal for j[3], that is set to true in x (i.e., xij=sj). Consider xcψ,j. We claim that all of its coordinates have absolute value κ, i.e., xcψ,j{±κ}d. To see this, consider two cases based on the coordinate i[d]:

  • Case I: iij. In this case, we simply have (xcψ,j)i=xi{±κ} as desired.

  • Case II: i=ij. In this case, (xcψ,j)ij=κxij2κsj=κxij{±κ}.

Hence, we have xcψ,j{±κ}d, which implies that xcψ,j=κ. Thus, cost𝒞𝟎,(x)+cost𝒞ψ,(x)κ2+κ2=2κ2.

The second claim is a lower bound on cost𝒞𝟎,(x~)+cost𝒞ψ,(x~) for x~D~, as stated below. It should be noted that, when ψ(x~)=1, this lower bound is exactly the same as the bound in the above claim. However, if ψ(x~)=0, the lower bound here is larger. This will indeed allow us to bound the number of x~’s that fall into the latter case.

Claim 11.

For any x~D~ and ψ~, we have cost𝒞𝟎,(x~)+cost𝒞ψ,(x~)2κ2(2ψ(x~)).

Proof.

First, consider the case ψ(x~)=1. We have cost𝒞ψ,(x~)=cψ,jx~2 for some j[3]. We can lower bound this further by observing that cψ,jx~|(cψ,j)ijx~ij|=|2κsjx~ij|. Meanwhile, cost𝒞𝟎,(x~)=x~2(x~ij)2. Thus, we have

cost𝒞𝟎,(x~)+cost𝒞ψ,(x~)(2κsjx~ij)2+(x~ij)2 =2κ2+2(κsjx~ij)2
2κ2.

Next, suppose that ψ(x~)=0. In this case, for all j[3], we have that (cψ,j)ij and x~ij have different signs. Thus, cψ,jx~|(cψ,j)ijx~ij||(cψ,j)ij|=2κ. As a result, we have cost𝒞ψ,(x~)(2κ)2=4κ2 as desired.

Combining the above two claims and (1), we get

2κ2(2ψ(D~)) =𝔼x~D~[2κ2(2ψ(x~))]
(Claim 11) 𝔼x~D~[cost𝒞𝟎,(x~)+cost𝒞ψ,(x~)]
=cost𝒞𝟎,(D~)+cost𝒞ψ,(D~)
Using (1) cost𝒞𝟎,(D)+cost𝒞ψ,(D)+2ξ
(Claim 10) 2κ2+2ξ.

Thus, from our choice of parameter ξ=1γ4,κ=12, we have that ψ(D~)γ. As a result, we can conclude that 𝒜~ solves the (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitization problem. Finally, by Theorem 5, this cannot hold assuming the existence of one-way functions.

4 Hardness in the Euclidean metric

Next, we prove that hardness in the Euclidean metric, which is similar to the hardness for the -metric (Theorem 8) except with α,β=Ω(1d2) instead of constants.

Theorem 12.

Let ε>0 be any constant. Assuming the existence of one-way functions, there is no polynomial-time (ε,1/nω(1))-DP algorithm for the (3,2,α,β)-coreset estimation problem for some α=Ω(1d2) and β=Ω(1d2).

Again, we actually prove the sanitizer variant of the theorem, as stated below, from which Theorem 12 follows as a corollary (due to Observation 7).

Theorem 13.

Let ε>0 be any constant. Assuming the existence of one-way functions, there is no polynomial-time (ε,1/nω(1))-DP (2k-means,ξ)-sanitizer for k=3 and some ξ=Ω(1/d2).

The proof follows a similar strategy as in Theorem 9 but it requires a more subtle sequence of inequalities to prove the accuracy bound. We note that we also need to set a smaller scaling factor κ: Setting κ=12 as before would result in x2=κd>1. This suggests setting κ=1d. However, we actually go with the setting κ=1d instead because, to facilitate one of our sum-of-squares rearrangement (in Claim 14), we need to select the centers (in 𝒞i) to be of norm dκ, which necessitates κ1d.

Proof of Theorem 13.

Similar to the proof of Theorem 9, we reduce from (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitization problem. Assume for the sake of contradiction that there exists a polynomial-time (ε,1/nω(1))-DP (2k-means,ξ)-sanitizer 𝒜, where ξ=(1γ)24d2.

Let 𝒜~ be exactly the same as in the proof of Theorem 9 except that we set x=κx where κ=1d (instead of κ=1/2 as before), which ensures that x21. Again, 𝒜~ is (ε,1/nω(1))-DP due to post-processing. We are left to show that 𝒜~ solves the (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitization problem. To do this, assume that ψ(D)=1 for all ψ~. Since 𝒜 is an (2k-means,ξ)-sanitizer, with probability at least 2/3, the following holds for all 𝒞𝔹2k:

|cost𝒞,2(D~)cost𝒞,2(D)|ξ. (2)

We will show that, when the above holds, we have ψ(D~)γ for all ψ~.

Consider any 3-literal disjunction ψ. We use the same notation (e.g., 𝒞𝟎,𝒞ψ,cψ,j) as in the proof of Theorem 9. Additionally, for each i[d], let 𝒞i={+dκ𝟏i,dκ𝟏i}.

We begin by showing that most of the coordinates of x~D~ have to be close to κ or +κ. The exact bound is given below.

Claim 14.

𝔼x~D~[x~κsgn(x~)22]ξ.

Proof.

For any yd, observe that cost𝒞i,2(y)=ydκsgn(yi)𝟏i2=(yidκsgn(yi))2+jiyj2. Thus, aggregating this across all i[d], we thus have

i[d]cost𝒞i,2(y) =i[d]((d1)yi2+(yidκsgn(yi))2)
=i[d]((d2d)κ2+d(yiκsgn(yi))2)
=(d3d2)κ2+dyκsgn(y)22.

From (2) and since x=κsgn(x) for all xD, we thus have

dξi[d](cost𝒞i,2(D~)cost𝒞i,2(D))=𝔼x~D~[dx~κsgn(x~)22].

Dividing both sides by d yields the claimed inequality.

The next two claims are in the same spirit as Claim 10 and Claim 11 in the proof of Theorem 9.

Claim 15.

For any xD and ψ~, we have cost𝒞ψ,2(x)cost𝒞𝟎,2(x)0.

Proof.

From our assumption, there exists a literal of ψ, say the jth literal for j[3], that is set to true in x. From the proof of Claim 10, we have xcψ,j{±κ}d. Recall that x also belongs to {±κ}d. Thus, cost𝒞𝟎,2(x)=x22=κ2d=xcψ,j22cost𝒞ψ,2(x).

Claim 16.

For any x~D~ and ψ~, we have

cost𝒞ψ,2(x~)cost𝒞𝟎,2(x~) 4κ2(1ψ(x~))4κx~κsgn(x~)2.
Proof.

We have cost𝒞ψ,2(x~)=cψ,jx~22 for some j[3]. Thus,

cost𝒞ψ,2(x~)cost𝒞𝟎,2(x~) =cψ,jx~22x~22
=cψ,j222cψ,j,x~
=4κ24κsjx~ij.

First, consider the case ψ(x~)=1. In this case, we can bound the above further by

cost𝒞ψ,2(x~)cost𝒞𝟎,2(x~) 4κ24κ|x~ij|
=4κ(|x~ij|κ)
4κ|x~ijκsgn(x~ij)|
4κx~κsgn(x~)2,

which implies the desired bound.

Finally, for the case ψ(x~)=0, we simply have sjx~ij0 and thus cost𝒞ψ,2(x~)cost𝒞𝟎,2(x~)4κ2.

Now, from the above three claims, we have

0 𝔼xD[cost𝒞ψ,2(x)cost𝒞𝟎,2(x)]
=cost𝒞ψ,2(D)cost𝒞𝟎,2(D)
Using (2) 2ξ+cost𝒞ψ,2(D~)cost𝒞𝟎,2(D~)
=2ξ+𝔼x~D~[cost𝒞ψ,2(x~)cost𝒞𝟎,2(x~)]
(Claim 16) 2ξ+𝔼x~D~[4κ2(1ψ(x~))4κx~κsgn(x~)2]
=4κ2(1ψ(D~))2ξ4κ𝔼x~D~[x~κsgn(x~)2]
(Cauchy–Schwarz Inequality) 4κ2(1ψ(D~))2ξ4κ𝔼x~D~[x~κsgn(x~)22]
(Claim 14) 4κ2(1ψ(D~))2ξ4κξ
4κ2(1ξ2κ2ξκψ(D~)),

where the first inequality is from Claim 15.

The above inequality implies that ψ(D~)1ξ2κ2ξκ, which is at least γ due to our choice of ξ=(1γ)24d2,κ=1d. As a result, 𝒜~ solves the (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitization problem; by Theorem 5, this cannot hold assuming the existence of one-way functions.

5 Conclusion and Open Questions

In this paper, we showed computational lower bounds for efficiently constructing DP coresets, assuming the one-way functions exist. Our result should be contrasted against the work of Feldman et al. [18], who showed that small private coresets exist information-theoretically.

Our work leaves open several questions for future research. While our hardness result for the 2-metric rules out approximation factors 1±Θ(1/d2), it is an interesting question if a dimension-independent constant-factor hardness (similar to our -metric result) can be obtained for the Euclidean metric. Additionally, our hardness results hold for k=3 due to our “gadget” to reduce from 3-literal disjunctions, leaving the case k=2 as an intriguing open question. We remark that, while Ullman and Vadhan [43] also proved the hardness of generating synthetic data for 2-way marginals, their result does not achieve “perfect completeness” (in the promise sense that f(D)=1 for all f in Definition 4). This property is crucial in our reduction, preventing us from obtaining hardness for the k=2 case.

Furthermore, our proofs rely on the fact that we are dealing with the k-means objective (by rearranging terms into sum-of-squares); it would be interesting to see if our results can be extended to the case of, e.g., k-median as well. Finally, understanding the computational landscape of private coresets in other metric spaces or for other objective functions is an interesting research direction.

References

  • [1] John M. Abowd. The U.S. Census Bureau adopts differential privacy. In KDD, pages 6353–6356, 2018.
  • [2] Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy. Proof verification and the hardness of approximation problems. J. ACM, 45(3):501–555, 1998. doi:10.1145/278298.278306.
  • [3] Sanjeev Arora and Shmuel Safra. Probabilistic checking of proofs: A new characterization of NP. J. ACM, 45(1):70–122, 1998. doi:10.1145/273865.273901.
  • [4] Maria-Florina Balcan, Travis Dick, Yingyu Liang, Wenlong Mou, and Hongyang Zhang. Differentially private clustering in high-dimensional Euclidean spaces. In ICML, pages 322–331, 2017. URL: http://proceedings.mlr.press/v70/balcan17a.html.
  • [5] Luca Becchetti, Marc Bury, Vincent Cohen-Addad, Fabrizio Grandoni, and Chris Schwiegelshohn. Oblivious dimension reduction for k-means: beyond subspaces and the Johnson–Lindenstrauss lemma. In STOC, pages 1039–1050, 2019. doi:10.1145/3313276.3316318.
  • [6] Avrim Blum, Cynthia Dwork, Frank McSherry, and Kobbi Nissim. Practical privacy: the SuLQ framework. In PODS, pages 128–138, 2005. doi:10.1145/1065167.1065184.
  • [7] Alisa Chang, Badih Ghazi, Ravi Kumar, and Pasin Manurangsi. Locally private k-means in one round. In ICML, pages 1441–1451, 2021. URL: http://proceedings.mlr.press/v139/chang21a.html.
  • [8] Ke Chen. On coresets for k-median and k-means clustering in metric and Euclidean spaces and their applications. SICOMP, 39(3):923–947, 2009. doi:10.1137/070699007.
  • [9] Vincent Cohen-Addad, Andrew Draganov, Matteo Russo, David Saulpic, and Chris Schwiegelshohn. A tight VC-dimension analysis of clustering coresets with applications. In SODA, pages 4783–4808, 2025. doi:10.1137/1.9781611978322.162.
  • [10] Vincent Cohen-Addad and Karthik C. S. Inapproximability of clustering in lp metrics. In FOCS, pages 519–539, 2019. doi:10.1109/FOCS.2019.00040.
  • [11] Vincent Cohen-Addad, Kasper Green Larsen, David Saulpic, and Chris Schwiegelshohn. Towards optimal lower bounds for k-median and k-means coresets. In STOC, pages 1038–1051, 2022. doi:10.1145/3519935.3519946.
  • [12] Vincent Cohen-Addad, Kasper Green Larsen, David Saulpic, Chris Schwiegelshohn, and Omar Ali Sheikh-Omar. Improved coresets for Euclidean k-means. In NeurIPS, 2022.
  • [13] Vincent Cohen-Addad, David Saulpic, and Chris Schwiegelshohn. A new coreset framework for clustering. In STOC, pages 169–182, 2021. doi:10.1145/3406325.3451022.
  • [14] Cynthia Dwork, Krishnaram Kenthapadi, Frank McSherry, Ilya Mironov, and Moni Naor. Our data, ourselves: Privacy via distributed noise generation. In EUROCRYPT, pages 486–503, 2006. doi:10.1007/11761679_29.
  • [15] Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. Calibrating noise to sensitivity in private data analysis. In TCC, pages 265–284, 2006. doi:10.1007/11681878_14.
  • [16] Cynthia Dwork, Moni Naor, Omer Reingold, Guy N Rothblum, and Salil Vadhan. On the complexity of differentially private data release: efficient algorithms and hardness results. In STOC, pages 381–390, 2009. doi:10.1145/1536414.1536467.
  • [17] Úlfar Erlingsson, Vasyl Pihur, and Aleksandra Korolova. RAPPOR: Randomized aggregatable privacy-preserving ordinal response. In CCS, pages 1054–1067, 2014. doi:10.1145/2660267.2660348.
  • [18] Dan Feldman, Amos Fiat, Haim Kaplan, and Kobbi Nissim. Private coresets. In STOC, pages 361–370, 2009. doi:10.1145/1536414.1536465.
  • [19] Dan Feldman and Michael Langberg. A unified framework for approximating and clustering data. In STOC, pages 569–578, 2011. doi:10.1145/1993636.1993712.
  • [20] Dan Feldman, Melanie Schmidt, and Christian Sohler. Turning big data into tiny data: Constant-size coresets for k-means, PCA, and projective clustering. SICOMP, 49(3):601–657, 2020. doi:10.1137/18M1209854.
  • [21] Dan Feldman, Chongyuan Xiang, Ruihao Zhu, and Daniela Rus. Coresets for differentially private k-means clustering and applications to privacy in mobile sensor networks. In IPSN, pages 3–16, 2017. doi:10.1145/3055031.3055090.
  • [22] Hendrik Fichtenberger, Marc Gillé, Melanie Schmidt, Chris Schwiegelshohn, and Christian Sohler. BICO: BIRCH meets coresets for k-means clustering. In ESA, pages 481–492, 2013. doi:10.1007/978-3-642-40450-4_41.
  • [23] Gereon Frahling and Christian Sohler. Coresets in dynamic geometric data streams. In STOC, pages 209–217, 2005. doi:10.1145/1060590.1060622.
  • [24] Badih Ghazi, Junfeng He, Kai Kohlhoff, Ravi Kumar, Pasin Manurangsi, Vidhya Navalpakkam, and Nachiappan Valliappan. Differentially private heatmaps. In AAAI, pages 7696–7704, 2023. doi:10.1609/AAAI.V37I6.25933.
  • [25] Badih Ghazi, Pritish Kamath, Alexander Knop, Ravi Kumar, Pasin Manurangsi, and Chiyuan Zhang. Private hyperparameter tuning with ex-post guarantee. In NeurIPS, 2025.
  • [26] Badih Ghazi, Ravi Kumar, and Pasin Manurangsi. Differentially private clustering: Tight approximation ratios. In NeurIPS, 2020.
  • [27] Oded Goldreich. The Foundations of Cryptography - Volume 1: Basic Techniques. Cambridge University Press, 2001. doi:10.1017/CBO9780511546891.
  • [28] Oded Goldreich. The Foundations of Cryptography - Volume 2: Basic Applications. Cambridge University Press, 2004. doi:10.1017/CBO9780511721656.
  • [29] Anupam Gupta, Katrina Ligett, Frank McSherry, Aaron Roth, and Kunal Talwar. Differentially private combinatorial optimization. In SODA, pages 1106–1125, 2010. doi:10.1137/1.9781611973075.90.
  • [30] Sariel Har-Peled and Akash Kushal. Smaller coresets for k-median and k-means clustering. Discret. Comput. Geom., 37(1):3–19, 2007. doi:10.1007/S00454-006-1271-X.
  • [31] Sariel Har-Peled and Soham Mazumdar. On coresets for k-means and k-median clustering. In STOC, pages 291–300, 2004. doi:10.1145/1007352.1007400.
  • [32] Lingxiao Huang and Nisheeth K. Vishnoi. Coresets for clustering in Euclidean spaces: importance sampling is nearly optimal. In STOC, pages 1416–1429, 2020. doi:10.1145/3357713.3384296.
  • [33] Zhiyi Huang and Jinyan Liu. Optimal differentially private algorithms for k-means clustering. In PODS, pages 395–408, 2018. doi:10.1145/3196959.3196977.
  • [34] Max Dupré la Tour, Monika Henzinger, and David Saulpic. Making old things new: A unified algorithm for differentially private clustering. In ICML, 2024.
  • [35] Michael Langberg and Leonard J. Schulman. Universal epsilon-approximators for integrals. In SODA, pages 598–607, 2010. doi:10.1137/1.9781611973075.50.
  • [36] Jingcheng Liu and Kunal Talwar. Private selection from private candidates. In STOC, pages 298–309, 2019. doi:10.1145/3313276.3316377.
  • [37] Frank McSherry and Kunal Talwar. Mechanism design via differential privacy. In FOCS, pages 94–103, 2007. doi:10.1109/FOCS.2007.66.
  • [38] Kobbi Nissim and Uri Stemmer. Clustering algorithms for the centralized and local models. In ALT, pages 619–653, 2018. URL: http://proceedings.mlr.press/v83/nissim18a.html.
  • [39] Kobbi Nissim, Uri Stemmer, and Salil P. Vadhan. Locating a small cluster privately. In PODS, pages 413–427, 2016. doi:10.1145/2902251.2902296.
  • [40] Nicolas Papernot and Thomas Steinke. Hyperparameter tuning with Rényi differential privacy. In ICLR, 2022.
  • [41] Christian Sohler and David P. Woodruff. Strong coresets for k-median and subspace approximation: Goodbye dimension. In FOCS, pages 802–813, 2018. doi:10.1109/FOCS.2018.00081.
  • [42] Uri Stemmer. Locally private k-means clustering. In SODA, pages 548–559, 2020. doi:10.1137/1.9781611975994.33.
  • [43] Jonathan R. Ullman and Salil P. Vadhan. PCPs and the hardness of generating synthetic data. J. Cryptol., 33(4):2078–2112, 2020. doi:10.1007/S00145-020-09363-Y.

Appendix A Hardness from [43] in terms of Promise Sanitizer

In this section, we briefly explain how to interpret the hardness result of Ullman and Vadhan [43] in terms of a promise sanitizer (Theorem 5).

Informally, the proof is by contradiction, assuming that an efficient DP promise sanitizer exists. The idea is to construct a dataset by taking a set of valid digital signatures and encoding them using a PCP of the signature’s verification circuit. Now, if the sanitizer can produce a synthetic dataset that satisfies a good fraction of the PCP predicates, the PCP’s soundness guarantee means we can decode a valid signature from the synthetic dataset. But, this yields a contradiction: either the decoded signature is new, which would violate the security of the super-secure signature scheme, or it matches one of the original signatures, which would violate the DP guarantees.

To avoid repeating their proof verbatim, we will only sketch the high-level arguments here.

A.1 Background

We review a couple of key tools required for the construction of [43].

Super-Secure Digital Signature Scheme

A Digital Signature Scheme (DSS) consists of three polynomial-time algorithms:

  • 𝙶𝚎𝚗 takes in the security parameter 1κ and output a secret key 𝗌𝗄 and a verification key 𝗏𝗄,

  • 𝚂𝚒𝚐𝚗 takes in888We use a “no-message” version of the signature scheme, which can be initiated from the standard notion by setting the message m to be fixed (e.g., empty string) for every signature. a secret key 𝗌𝗄 and outputs a (random) signature σ,

  • 𝚅𝚎𝚛 takes in the verification key 𝗏𝗄 and a signature σ. For any valid signature σ produced by 𝚂𝚒𝚐𝚗, 𝚅𝚎𝚛(𝗏𝗄,σ) always accepts (i.e., returns 1).

The security guarantee is that, an adversary that is given the verification key 𝗏𝗄 together with a set Σ of any polynomially large number of signatures, cannot produce a new signature σΣ that is accepted by 𝚅𝚎𝚛 with at least 1/nΩ(1) probability.

It is known that super-secure digital signature schemes exist, assuming one-way functions [28].

Probabilistic Checkable Proofs

Another ingredient required in the construction is the Probabilistic Checkable Proofs (PCPs) under Levin reductions. We state this only for Max-3SAT.

PCPs with 𝟥𝖣𝗂𝗌𝗃 predicates consist of three (deterministic) algorithms:

  • 𝚁 takes in the circuit C and outputs a set ~d𝟥𝖣𝗂𝗌𝗃 of predicates

  • 𝙴𝚗𝚌 takes in any circuit C and an input y for the circuit C, and produces π{0,1}d,

  • 𝙳𝚎𝚌 takes in π{0,1}d and C and produces an input y for the circuit C.

The guarantees are as follows:

  • (Completeness) If C(y)=1, then ψ(𝙴𝚗𝚌(y,C))=1 for all ψ~,

  • (Soundness) If 𝔼ψ~[ψ(π)]γ, then C(𝙳𝚎𝚌(π,C))=1.

In the papers that originally proved the PCP theorem [2, 3], it was also shown that PCPs of the above form exist for some constant γ(0,1).

A.2 The Construction and Hardness Argument

Formally, the construction of [43] (which builds on [16]) works as follows:

  • Let 𝗌𝗄,𝗏𝗄 be the key pair generated by 𝙶𝚎𝚗.

  • Let σ1,,σn be outputs from n runs of 𝚂𝚒𝚐𝚗(𝗌𝗄).

  • Let C𝗏𝗄 denote the circuit for 𝚅𝚎𝚛(𝗏𝗄,).

  • Let ~=𝚁(C𝗏𝗄).

  • For i[n], let πi=𝙴𝚗𝚌(σi,C𝗏𝗄).

  • Output the dataset D=(π1,,πn) together with ~.

Now, suppose for the sake of contradiction that there is an (ε,1/nω(1))-DP (𝟥𝖣𝗂𝗌𝗃,γ)-promise sanitizer that runs in polynomial time. Then, we can run the sanitizer on D to produce a synthetic dataset D~=(x~1,,x~n~). Now, from the completeness of the PCP, we have 𝔼ψ~[ψ(D)]=1. Thus, by the guarantee of the promise sanitizer, with probability 2/3, we have 𝔼ψ~[ψ(D~)]γ. When this happens, there must exist x~iD~ such that 𝔼ψ~[ψ(x~i)]γ. Finally, we can run 𝙳𝚎𝚌(x~i,C𝗏𝗄) to get a new signature σ.

By the guarantee of the PCP, we have C𝗏𝗄(σ)=1, i.e., 𝚅𝚎𝚛(𝗏𝗄,σ)=1. Now, one of the following two cases can happen: (i) if σ{σ1,,σn}, then we violate the security of the signature scheme, or (ii) if σ{σ1,,σn}, then π=𝙴𝚗𝚌(σ,C𝗏𝗄) belongs to the input dataset and we violate (ε,1/nω(1))-DP.