32:[["$","audio",null,{"id":"tts"}],["$","$L37",null,{"paperID":"2002.12321","publisher":"arxiv","paperJSON":{"title":"PAPRIKA: Private Online False Discovery Rate Control","paperID":"2002.12321","avgLineHeight":11.9,"imgScale":4,"sections":[{"heading":"Abstract","paragraphs":[[{"text":"In hypothesis testing, a ","element":"span"},{"style":{"fontStyle":"italic"},"text":"false discovery ","element":"span"},{"text":"occurs when a hypothesis is incorrectly rejected due to noise in the sample. When adaptively testing multiple hypotheses, the probability of a false discovery increases as more tests are performed. Thus the problem of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"False Discovery Rate (FDR) control ","element":"span"},{"text":"is to find a procedure for testing multiple hypotheses that accounts for this effect in determining the set of hypotheses to reject. The goal is to minimize the number (or fraction) of false discoveries, while maintaining a high true positive rate (i.e., correct discoveries).","element":"span"}],[{"text":"In this work, we study False Discovery Rate (FDR) control in multiple hypothesis testing under the constraint of differential privacy for the sample. Unlike previous work in this direction, we focus on the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"online setting","element":"span"},{"text":", meaning that a decision about each hypothesis must be made immediately after the test is performed, rather than waiting for the output of all tests as in the offline setting. We provide new private algorithms based on state-of-the-art results in non-private online FDR control. Our algorithms have strong provable guarantees for privacy and statistical performance as measured by FDR and power. We also provide experimental results to demonstrate the efficacy of our algorithms in a variety of data environments.","element":"span"}]]},{"heading":"1 Introduction","paragraphs":[[{"text":"In the modern era of big data, data analyses play an important role in decision-making in healthcare, information technology, and government agencies. The growing availability of large-scale datasets and ease of data analysis, while beneficial to society, has created a severe crisis of reproducibility in science. In 2011, Bayer HealthCare reviewed 67 in-house projects and found that they could replicate fewer than 25 percent, and found that over two-thirds of the projects had major inconsistencies [","element":"span"},{"href":"#id-0","referenceIndex":10,"text":"ENAoSM","element":"a"},{"style":{"height":13.39},"width":66.38,"height":33.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/0-0.png","element":"img","alt":"+19","inline":true},{"text":"]. One major reason is that random noise in the data can often be mistaken for interesting signals, which does not lead to valid and reproducible results. This problem is particularly relevant when testing multiple hypotheses, when there is an increased chance of false discoveries based on noise in the data. For example, an analyst may conduct 250 hypothesis tests and find that 11 are significant at the 5% level. This may be exciting to the researcher who publishes a paper based on these findings, but elementary statistics suggests that (in expectation) 12.5 of those tests should be significant at that level purely by chance, even if the null hypotheses were all true. To avoid such problems, statisticians have developed tools for controlling overall error rates when performing multiple hypothesis tests.","element":"span"}],[{"text":"In hypothesis testing, the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"null hypothesis ","element":"span"},{"text":"of no interesting scientific discovery (e.g., a drug has no effect), is tested against the alternative hypothesis of a particular scientific theory being true (e.g., a drug has a ","element":"span"},{"text":"particular effect). The significance of each test is measured by a ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"style":{"fontStyle":"italic"},"text":"-value","element":"span"},{"text":", which is the probability of the observed data occurring under the null hypothesis, and a hypothesis is ","element":"span"},{"style":{"fontStyle":"italic"},"text":"rejected ","element":"span"},{"text":"if the corresponding ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value is below some (fixed) significance level. Each rejection is called a ","element":"span"},{"style":{"fontStyle":"italic"},"text":"discovery","element":"span"},{"text":", and a rejected hypothesis is a ","element":"span"},{"style":{"fontStyle":"italic"},"text":"false discovery ","element":"span"},{"text":"if the null hypothesis is actually true. When testing multiple hypotheses, the probability of a false discovery increases as more tests are performed. The problem of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"false discovery rate (FDR) control ","element":"span"},{"text":"is to find a procedure for testing multiple hypotheses that takes in the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values of each test, and outputs a set of hypotheses to reject. The goal is to minimize the number of false discoveries, while maintaining high true positive rate (i.e., true discoveries).","element":"span"}],[{"text":"In many applications, the dataset may contain sensitive personal information, and the analysis must be conducted in a privacy-preserving way. For example, in genome-wide association studies (GWAS), a large number of single-nucleotide polymorphisms (SNPs) are tested for an association with a disease simultaneously or adaptively. Prior work has shown that the statistical analysis of these datasets can lead to privacy concerns, and it is possible to identify an individual’s genotype when only minor allele frequencies are revealed [","element":"span"},{"href":"#id-1","referenceIndex":13,"text":"HSR","element":"a"},{"style":{"height":16.99},"width":88.16,"height":42.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/1-0.png","element":"img","alt":"+08].","inline":true,"padRight":true},{"text":"The field of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"differential privacy ","element":"span"},{"text":"[","element":"span"},{"href":"#id-2","referenceIndex":6,"text":"DMNS06","element":"a"},{"text":"] offers data analysis tools that provide powerful worst-case privacy guarantees, and has become a de facto gold standard in private data analysis. Informally, an algorithm that is ","element":"span"},{"style":{"height":7.2},"width":19,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/1-1.png","element":"img","alt":" ε","inline":true},{"text":"-differentially private ensures that any particular output of the algorithm is at most ","element":"span"},{"style":{"height":10.98},"width":33.56,"height":27.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/1-2.png","element":"img","alt":" eε ","inline":true,"padRight":true},{"text":"more likely when a single data point is changed. This parameterization allows for a smooth tradeoff between accurate analysis and privacy to the individuals who have contributed data. In the past decade, researchers have developed a wide variety of differentially private algorithms for many statistical tasks; these tools have been implemented in practice at major organizations including Google [","element":"span"},{"href":"#id-3","referenceIndex":11,"text":"EPK14","element":"a"},{"text":"], Apple [","element":"span"},{"href":"#id-4","referenceIndex":3,"text":"Dif17","element":"a"},{"text":"], Microsoft [","element":"span"},{"href":"#id-5","referenceIndex":4,"text":"DKY17","element":"a"},{"text":"], and the U.S. Census Bureau ","element":"span"},{"href":"#id-6","referenceIndex":5,"text":"[DLS","element":"a"},{"style":{"height":16.98},"width":88.39,"height":42.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/1-3.png","element":"img","alt":"+17].","inline":true}],[{"style":{"fontWeight":"bold"},"text":"Related Work. ","element":"span"},{"text":"The only prior work on differentially private FDR control [","element":"span"},{"href":"#id-7","referenceIndex":9,"text":"DSZ18","element":"a"},{"text":"] considers the classic offline multiple testing problem, where an analyst has all the hypotheses and corresponding ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values upfront. Their private method repeatedly applies ","element":"span"},{"text":"ReportNoisyMin ","element":"span"},{"text":"[","element":"span"},{"href":"#id-8","referenceIndex":8,"text":"DR14","element":"a"},{"text":"] to the celebrated Benjamini-Hochberg (BH) procedure [","element":"span"},{"href":"#id-9","referenceIndex":2,"text":"BH95","element":"a"},{"text":"] in offline multiple testing to privately pre-screen the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values, and then applies the BH procedure again to select the significant ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values. The (non-private) BH procedure first sorts all ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values, and then sequentially compares them to an increasing threshold, where all ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values below their (ranked and sequential) threshold are rejected. The ","element":"span"},{"text":"ReportNoisyMin ","element":"span"},{"text":"mechanism privatizes this procedure by repeatedly (and privately) finding the hypothesis with the lowest ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value.","element":"span"}],[{"text":"Although the work of [","element":"span"},{"href":"#id-7","referenceIndex":9,"text":"DSZ18","element":"a"},{"text":"] showed that it was possible to integrate differential privacy with FDR control in multiple hypothesis testing, the assumption of having all hypotheses and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values upfront is not reasonable in many practical settings. For example, a hospital may conduct multi-phase clinical trials where more patients join over time, or a marketing company may perform A/B testings sequentially. In this work, we focus on the more practical ","element":"span"},{"style":{"fontStyle":"italic"},"text":"online hypothesis testing problem","element":"span"},{"text":", where a stream of hypotheses arrive sequentially, and decisions to reject hypotheses must be made based on current and previous results before the next hypothesis arrives. This sequence of the hypotheses could be independent or adaptively chosen. Due to the fundamental difference between the offline and online FDR procedures, the method of [","element":"span"},{"href":"#id-7","referenceIndex":9,"text":"DSZ18","element":"a"},{"text":"] based on ","element":"span"},{"text":"ReportNoisyMin ","element":"span"},{"text":"cannot be applied to the online setting. Instead, we use ","element":"span"},{"text":"SparseVector","element":"span"},{"text":", described in Section ","element":"span"},{"style":{"fontWeight":"bold"},"text":"??","element":"span"},{"text":", as a starting point. Discussion of non-private online multiple hypothesis testing appears in Section ","element":"span"},{"href":"#id-10","text":"2.2.","element":"a"}],[{"style":{"fontWeight":"bold"},"text":"Our Results. ","element":"span"},{"text":"We develop a differentially private online FDR control procedure for multiple hypothesis testing, which takes a stream of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values and a target FDR level and privacy parameter ","element":"span"},{"style":{"height":7.2},"width":19,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/1-4.png","element":"img","alt":" ε","inline":true},{"text":", and outputs discoveries that can control the FDR at a certain level at any time point. Such a procedure provides unconditional differential privacy guarantees (to ensure that privacy will be protected even in the worst case) and satisfy the theoretical guarantees dictated by the FDR control problem.","element":"span"}],[{"text":"Our algorithm, Private Alpha-investing P-value Rejecting Iterative sparse veKtor Algorithm (","element":"span"},{"text":"PAPRIKA","element":"span"},{"text":", Algorithm ","element":"span"},{"href":"#id-11","text":"3)","element":"a"},{"text":", is presented in Section ","element":"span"},{"href":"#id-12","text":"3. ","element":"a"},{"text":"Its privacy and accuracy guarantees are stated in Theorem ","element":"span"},{"text":"4 ","element":"span"},{"text":"and ","element":"span"},{"href":"#id-13","text":"5, ","element":"a"},{"text":"respectively. While the full proofs appear in the appendix, we describe the main ideas behind the algorithms and proofs in the surrounding prose. In Section ","element":"span"},{"text":"4, ","element":"span"},{"text":"we provide a thorough empirical investigation","element":"span"}],[{"text":"of ","element":"span"},{"text":"PAPRIKA","element":"span"},{"text":", with additional empirical results in Appendix ","element":"span"},{"text":"A.","element":"span"}]]},{"heading":"2 Preliminaries","paragraphs":[[{"style":{"fontWeight":"bold"},"text":"2.1 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Background on Differential Privacy","element":"span"}],[{"text":"Differential Privacy bounds the maximal amount that one data entry can change the output of the computation. Databases belong to the space ","element":"span"},{"style":{"height":10.8},"width":51.85,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-0.png","element":"img","alt":" Dn ","inline":true,"padRight":true},{"text":"and contain ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"entries–one for each individual–where each entry belongs to data universe ","element":"span"},{"style":{"fontStyle":"italic"},"text":"D","element":"span"},{"text":". We say that ","element":"span"},{"style":{"height":14.4},"width":652.46,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-1.png","element":"img","alt":" D, D′ ∈ Dn are neighboring databases","inline":true,"padRight":true},{"text":"if they differ in at most one data entry.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"Definition 1 ","element":"span"},{"text":"(Differential Privacy [","element":"span"},{"href":"#id-2","referenceIndex":6,"text":"DMNS06","element":"a"},{"text":"])","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"An algorithm ","element":"span"},{"style":{"height":11.6},"width":237.42,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-2.png","element":"img","alt":" M : Dn → R","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"is ","element":"span"},{"style":{"height":16},"width":87.32,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-3.png","element":"img","alt":" (ε, δ)","inline":true},{"text":"-differentially private ","element":"span"},{"style":{"fontStyle":"italic"},"text":"if for every pair of neighboring databases ","element":"span"},{"style":{"height":14},"width":208.22,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-4.png","element":"img","alt":" D, D′ ∈ Rn","inline":true},{"style":{"fontStyle":"italic"},"text":", and for every subset of possible outputs ","element":"span"},{"style":{"height":13.2},"width":127.93,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-5.png","element":"img","alt":" S ⊆ R","inline":true},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"style":{"height":16},"width":921.38,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-6.png","element":"img","alt":"Pr[M(D) ∈ S] ≤ exp(ε) Pr[M(D′) ∈ S] + δ. If δ = 0","inline":true},{"style":{"fontStyle":"italic"},"text":", we say that ","element":"span"},{"style":{"height":12},"width":123.87,"height":30,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-7.png","element":"img","alt":" M is ε","inline":true},{"text":"-differentially private","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"}],[{"text":"The ","element":"span"},{"style":{"fontStyle":"italic"},"text":"additive sensitivity ","element":"span"},{"text":"of a real-valued query ","element":"span"},{"style":{"height":14},"width":222.94,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-8.png","element":"img","alt":" f : Dn → R","inline":true,"padRight":true},{"text":"is denoted ","element":"span"},{"style":{"height":14.8},"width":56.88,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-9.png","element":"img","alt":" ∆f","inline":true},{"text":", and is defined to be the maximum change in the function’s value that can be caused by changing a single entry. That is,","element":"span"}],[{"style":{"width":"33%"},"width":619,"height":64,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-10.png","element":"img"}],[{"text":"If ","element":"span"},{"style":{"fontStyle":"italic"},"text":"f ","element":"span"},{"text":"is a vector-valued query, the expression above can be modified with the appropriate norm in place of the absolute value. Differential privacy guarantees are often achieved by adding ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Laplace noise ","element":"span"},{"text":"at various places in the computation, where the noise scales with ","element":"span"},{"style":{"height":16},"width":95.3,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-11.png","element":"img","alt":" ∆f/ε","inline":true},{"text":". A Laplace random variable with parameter ","element":"span"},{"style":{"fontStyle":"italic"},"text":"b ","element":"span"},{"text":"is denoted Lap","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"b","element":"span"},{"text":")","element":"span"},{"text":", and has probability density function,","element":"span"}],[{"style":{"width":"35%"},"width":665,"height":96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/2-12.png","element":"img"}],[{"text":"We may sometimes abuse notation and also use Lap","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"b","element":"span"},{"text":") ","element":"span"},{"text":"to denote the realization of a random variable with this distribution.","element":"span"}],[{"text":"The ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"algorithm, first introduced by [","element":"span"},{"href":"#id-14","referenceIndex":7,"text":"DNPR10","element":"a"},{"text":"] and refined to its current form by [","element":"span"},{"href":"#id-8","referenceIndex":8,"text":"DR14","element":"a"},{"text":"], privately reports the outcomes of a potentially very large number of computations, provided that only a few are “significant.” It takes in a stream of queries, and releases a bit vector indicating whether or not each noisy query answer is above the fixed noisy threshold. We use this algorithm as a framework for our online private false discovery rate control algorithm as new hypotheses arrive online, and we only care about those “significant” hypotheses when the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value is below a certain threshold. We note that the standard presentation below checks for queries with values above a threshold, but by simply changing signs this framework can be used to check for values ","element":"span"},{"style":{"fontStyle":"italic"},"text":"below ","element":"span"},{"text":"a threshold, as we will do with the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values.","element":"span"}],[{"style":{"width":"100%"},"width":1875,"height":898,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-0.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Theorem 1 ","element":"span"},{"text":"(","element":"span"},{"href":"#id-14","referenceIndex":7,"text":"[DNPR10]","element":"a"},{"text":")","element":"span"},{"style":{"height":16},"width":460.42,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-1.png","element":"img","alt":". SparseVector is (ε, 0)","inline":true},{"style":{"fontStyle":"italic"},"text":"-differentially private.","element":"span"}],[{"id":"id-23","style":{"fontWeight":"bold"},"text":"Theorem 2 ","element":"span"},{"text":"([","element":"span"},{"href":"#id-14","referenceIndex":7,"text":"DNPR10","element":"a"},{"text":"])","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"For any sequence of ","element":"span"},{"style":{"height":14},"width":331.45,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-2.png","element":"img","alt":" k queries f1, . . . , fk","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"with sensitivity ","element":"span"},{"style":{"height":16},"width":431.91,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-3.png","element":"img","alt":" ∆ such that |{i : fi(D) ≥","inline":true},{"style":{"height":16},"width":525.6,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-4.png","element":"img","alt":"T − α}| ≤ c, SparseVector","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"outputs with probability at least ","element":"span"},{"style":{"height":14.4},"width":93.41,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-5.png","element":"img","alt":" 1 − β","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"a stream of ","element":"span"},{"style":{"height":16},"width":339.96,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-6.png","element":"img","alt":" a1, . . . , ak ∈ {⊤, ⊥}","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"such that ","element":"span"},{"style":{"height":15.6},"width":1796.21,"height":39,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-7.png","element":"img","alt":" ai = ⊥ for every i ∈ [m] with f(i) < T − αSV and ai = ⊤ for every i ∈ [m] with f(i) > T + αSV as long","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"as ","element":"span"},{"style":{"height":21.63},"width":360.41,"height":54.07,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-8.png","element":"img","alt":" αSV ≥ 8∆c log(2kc/β)ε .","inline":true}],[{"text":"Unlike the conventional use of additive sensitivity, [","element":"span"},{"href":"#id-7","referenceIndex":9,"text":"DSZ18","element":"a"},{"text":"] defined the notion of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"multiplicative sensitivity ","element":"span"},{"text":"specifically for ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values. It is motivated by the observation that, although the additive sensitivity of a ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value may be large, the relative change of the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value on two neighboring datasets is stable unless the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value is very small. Using this alternative sensitivity notion means that preserving privacy for these ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values only requires a small amount of noise.","element":"span"}],[{"id":"id-22","style":{"fontWeight":"bold"},"text":"Definition 2 ","element":"span"},{"text":"(Multiplicative Sensitivity [","element":"span"},{"href":"#id-7","referenceIndex":9,"text":"DSZ18","element":"a"},{"text":"])","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A p-value function ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p ","element":"span"},{"style":{"fontStyle":"italic"},"text":"is said to be ","element":"span"},{"style":{"height":16},"width":94.74,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-9.png","element":"img","alt":" (η, µ)","inline":true},{"style":{"fontStyle":"italic"},"text":"-multiplicative sensitive if for all neighboring databases ","element":"span"},{"style":{"height":11.6},"width":173.83,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-10.png","element":"img","alt":" D and D′","inline":true},{"style":{"fontStyle":"italic"},"text":", either both ","element":"span"},{"style":{"height":16},"width":330.94,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-11.png","element":"img","alt":" p(D), p(D′) ≤ µ or","inline":true}],[{"style":{"width":"34%"},"width":638,"height":43,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-12.png","element":"img"}],[{"text":"Specifically, when ","element":"span"},{"style":{"height":10},"width":24,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-13.png","element":"img","alt":" µ","inline":true,"padRight":true},{"text":"is sufficiently small, then we can treat the logarithm of the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values as having additive sensitivity ","element":"span"},{"style":{"height":10.4},"width":20,"height":26,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-14.png","element":"img","alt":" η","inline":true},{"text":", and we only need to add noise that scales with ","element":"span"},{"style":{"height":16},"width":60.16,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-15.png","element":"img","alt":" η/ε","inline":true},{"text":", which may be much smaller than the noise required under the standard additive sensitivity notion.","element":"span"}],[{"id":"id-10","style":{"fontWeight":"bold"},"text":"2.2 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Background on Online False Discovery Rate Control","element":"span"}],[{"text":"In the online false discovery rate (FDR) control problem, a data analyst receives a stream of hypotheses on the database ","element":"span"},{"style":{"fontStyle":"italic"},"text":"D","element":"span"},{"text":", or equivalently, a stream of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values ","element":"span"},{"style":{"height":10},"width":157.73,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-16.png","element":"img","alt":" p1, p2, . . .","inline":true},{"text":". The analyst must pick a threshold ","element":"span"},{"style":{"height":9.19},"width":37.49,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-17.png","element":"img","alt":" αt","inline":true,"padRight":true},{"text":"at each time ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t ","element":"span"},{"text":"to reject the hypothesis when ","element":"span"},{"style":{"height":13.6},"width":126.49,"height":34,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-18.png","element":"img","alt":" pt ≤ αt","inline":true},{"text":"; this threshold can depend on previous hypotheses and discoveries, and rejection must be decided before the next hypothesis arrives.","element":"span"}],[{"text":"The error metric is the false discovery rate, formally defined as:","element":"span"}],[{"style":{"width":"31%"},"width":582,"height":98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/3-19.png","element":"img"}],[{"text":"where ","element":"span"},{"style":{"height":14.59},"width":50.04,"height":36.47,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-0.png","element":"img","alt":" H0","inline":true,"padRight":true},{"text":"is the (unknown to the analyst) set of hypotheses where the null hypothesis is true, and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R ","element":"span"},{"text":"is the set of rejected hypotheses. We will also write these terms as a function of time ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t ","element":"span"},{"text":"to indicate their values after the first ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t ","element":"span"},{"text":"hypotheses: FDR","element":"span"},{"style":{"height":17.38},"width":437.63,"height":43.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-1.png","element":"img","alt":"(t), FDP(t), H0(t), R(t)","inline":true},{"text":". The goal of FDR control is to guarantee that for any time ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":", the FDR up to time ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t ","element":"span"},{"text":"is less than a pre-determined quantity ","element":"span"},{"style":{"height":16},"width":173.9,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-2.png","element":"img","alt":" α ∈ (0, 1).","inline":true}],[{"text":"Such a problem was first investigated by [","element":"span"},{"href":"#id-15","referenceIndex":12,"text":"FS08","element":"a"},{"text":"], who proposed a framework known as ","element":"span"},{"style":{"fontStyle":"italic"},"text":"online alpha-investing ","element":"span"},{"text":"that models the hypothesis testing problem as an investment problem. The analyst is endowed with an initial budget, can test hypotheses at a unit cost, and receives an additional reward for each discovery. The alpha-investing procedure ensures that the analysts always maintains an ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-3.png","element":"img","alt":" α","inline":true},{"text":"-fraction of their wealth, and can therefore continue testing future hypotheses indefinitely. Unfortunately, this approach only controls a","element":"span"}],[{"text":"slightly relaxed version of FDR, known as ","element":"span"},{"style":{"fontStyle":"italic"},"text":"mFDR","element":"span"},{"text":", which is given by mFDR","element":"span"},{"style":{"height":29.22},"width":255.34,"height":73.06,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-4.png","element":"img","alt":"(t) =E[|H0∩R|]E[|R|]","inline":true,"padRight":true},{"text":". This approach was later extended to a class of generalized alpha-investing (GAI) rules [","element":"span"},{"href":"#id-16","referenceIndex":1,"text":"AR14","element":"a"},{"text":"]. One subclass of GAI rules, the Level based On Recent Discovery (LORD), was shown to have consistently good performance in practice [","element":"span"},{"href":"#id-17","referenceIndex":14,"text":"JM15","element":"a"},{"text":", ","element":"span"},{"href":"#id-18","referenceIndex":15,"text":"JM18","element":"a"},{"text":"]. The SAFFRON procedure, proposed by [","element":"span"},{"href":"#id-19","referenceIndex":16,"text":"RZWJ18","element":"a"},{"text":"], further improves the LORD procedures by adaptively estimating the proportion of true nulls. The SAFFRON procedure is the current state-of-the-art in online FDR control for multiple hypothesis testing. To understand the main differences between the SAFFRON and the LORD procedures, we first introduce an oracle estimate of the FDP as FDP","element":"span"},{"style":{"height":16.24},"width":106.26,"height":40.59,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-5.png","element":"img","alt":"∗(t) =","inline":true}],[{"text":"number of false discoveries, so FDP","element":"span"},{"style":{"height":16.24},"width":64.51,"height":40.59,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-6.png","element":"img","alt":"∗(t)","inline":true,"padRight":true},{"text":"overestimates the FDP. The oracle estimator FDP","element":"span"},{"style":{"height":16.24},"width":64.52,"height":40.59,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-7.png","element":"img","alt":"∗(t)","inline":true,"padRight":true},{"text":"cannot be calculated since ","element":"span"},{"style":{"height":14.58},"width":50.04,"height":36.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-8.png","element":"img","alt":" H0 ","inline":true,"padRight":true},{"text":"is unknown. LORD’s naive estimator ","element":"span"},{"style":{"height":19.18},"width":265.26,"height":47.96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-9.png","element":"img","alt":"�j≤t αj/|R(t)|","inline":true,"padRight":true},{"text":"is a natural overestimate of FDP","element":"span"},{"style":{"height":16.24},"width":74.09,"height":40.6,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-10.png","element":"img","alt":"∗(t).","inline":true,"padRight":true},{"text":"The SAFFRON’s threshold sequence is based on a novel estimate of FDP as","element":"span"}],[{"style":{"width":"66%"},"width":1253,"height":116,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-11.png","element":"img"}],[{"text":"where ","element":"span"},{"style":{"height":18.55},"width":135.15,"height":46.37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-12.png","element":"img","alt":" {λj}∞j=1","inline":true,"padRight":true},{"text":"is a sequence of user-chosen parameters in the interval ","element":"span"},{"text":"(0","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"text":"1)","element":"span"},{"text":", which can be a constant or a ","element":"span"},{"text":"deterministic function of the information up to time ","element":"span"},{"style":{"height":10.4},"width":76.22,"height":26,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-13.png","element":"img","alt":" t−1","inline":true},{"text":". This is a much better estimator than LORD’s naive estimator ","element":"span"},{"style":{"height":19.18},"width":266.12,"height":47.96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-14.png","element":"img","alt":"�j≤t αj/|R(t)|","inline":true},{"text":". The SAFFRON estimator is a fairly tight estimate of FDP","element":"span"},{"style":{"height":16.24},"width":64.33,"height":40.6,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-15.png","element":"img","alt":"∗(t)","inline":true},{"text":", since intuitively ","element":"span"},{"style":{"height":16.79},"width":342.76,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-16.png","element":"img","alt":"I(pj > λj)/(1 − λj)","inline":true,"padRight":true},{"text":"has unit expectation under null hypotheses and is stochastically smaller than uniform under non-null hypotheses.","element":"span"}],[{"text":"The SAFFRON algorithm is given formally in Algorithm ","element":"span"},{"href":"#id-20","text":"2. ","element":"a"},{"text":"SAFFRON starts off with an error budget ","element":"span"},{"style":{"height":16},"width":430.53,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-17.png","element":"img","alt":"(1 − λ1)W0 < (1 − λ1)α","inline":true},{"text":", which will be allocated to different tests over time. It never loses wealth when testing candidate ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values with ","element":"span"},{"style":{"height":15.59},"width":126.22,"height":38.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-18.png","element":"img","alt":" pj < λj","inline":true},{"text":", and it earns back wealth of ","element":"span"},{"style":{"height":16.79},"width":165.72,"height":41.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-19.png","element":"img","alt":" (1 − λj)α","inline":true,"padRight":true},{"text":"on every rejection except for the first. By construction, the SAFFRON algorithm controls ","element":"span"},{"style":{"height":15.6},"width":282.6,"height":39,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-20.png","element":"img","alt":"�FDPSAFFRON(t)","inline":true,"padRight":true},{"text":"to be less than ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-21.png","element":"img","alt":" α","inline":true,"padRight":true},{"text":"at any time ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":". The function ","element":"span"},{"style":{"height":10},"width":31.01,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-22.png","element":"img","alt":" gt","inline":true,"padRight":true},{"text":"for defining the sequence ","element":"span"},{"style":{"height":18.55},"width":135.15,"height":46.38,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-23.png","element":"img","alt":" {λj}∞j=1","inline":true,"padRight":true},{"text":"can be any coordinatewise non-decreasing function. For ","element":"span"},{"text":"example, ","element":"span"},{"style":{"height":18.55},"width":135.15,"height":46.37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-24.png","element":"img","alt":" {λj}∞j=1 ","inline":true,"padRight":true},{"text":"can be a deterministic sequence of constants, or ","element":"span"},{"style":{"height":13.19},"width":127.78,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-25.png","element":"img","alt":" λt = αt","inline":true},{"text":", as in the case of alpha-investing. ","element":"span"},{"text":"These ","element":"span"},{"style":{"height":15.59},"width":36.25,"height":38.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-26.png","element":"img","alt":" λj","inline":true,"padRight":true},{"text":"values serve as a weak overestimate of ","element":"span"},{"style":{"height":11.59},"width":38.49,"height":28.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-27.png","element":"img","alt":" αj","inline":true},{"text":". The algorithm first checks if a ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value is below ","element":"span"},{"style":{"height":15.99},"width":164.6,"height":39.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-28.png","element":"img","alt":" λj, and if","inline":true,"padRight":true},{"text":"so, adds it to the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"candidate set ","element":"span"},{"text":"of hypotheses that may be rejected. It then computes the ","element":"span"},{"style":{"height":11.59},"width":38.49,"height":28.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-29.png","element":"img","alt":" αj","inline":true,"padRight":true},{"text":"threshold based on current wealth, current size of the candidate set, and the number of rejections so far, and decides to reject the hypothesis if ","element":"span"},{"style":{"height":15.19},"width":128.52,"height":37.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-30.png","element":"img","alt":" pj ≤ αj","inline":true},{"text":". It also takes in a non-increasing sequence of decay factors ","element":"span"},{"style":{"height":11.59},"width":33.63,"height":28.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-31.png","element":"img","alt":" γj","inline":true,"padRight":true},{"text":"which sum to one. These decay factors serve to depreciate past wealth and ensure that the sum of the wealth budget is always below the desired level ","element":"span"},{"style":{"height":6.8},"width":36.64,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/4-32.png","element":"img","alt":" α.","inline":true}],[{"id":"id-20","style":{"width":"99%"},"width":1872,"height":900,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-0.png","element":"img"}],[{"text":"The ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"algorithm requires that the input sequence of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values are not too correlated under the null hypothesis. This condition is formalized through a ","element":"span"},{"style":{"fontStyle":"italic"},"text":"filtration ","element":"span"},{"text":"on the sequence of candidacy and rejection decisions. Intuitively, this means that the sequence of hypotheses cannot be too adaptively chosen, otherwise the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values may become overly correlated and violate this condition. Denote by ","element":"span"},{"style":{"height":16.79},"width":315.46,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-1.png","element":"img","alt":" Rj := I(pj ≤ αj)","inline":true,"padRight":true},{"text":"the indicator for rejection, and let ","element":"span"},{"style":{"height":16.79},"width":291.77,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-2.png","element":"img","alt":" Cj := I(pj ≤ λj)","inline":true,"padRight":true},{"text":"be the indicator for candidacy. Define the filtration formed by the sequences of ","element":"span"},{"style":{"height":6.8},"width":23,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-3.png","element":"img","alt":" σ","inline":true},{"text":"-fields ","element":"span"},{"style":{"height":16.99},"width":551.8,"height":42.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-4.png","element":"img","alt":" Ft := σ(R1, . . . , Rt, C1, . . . , Ct)","inline":true},{"text":", and let ","element":"span"},{"style":{"height":16},"width":635.62,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-5.png","element":"img","alt":" αt := ft(R1, . . . , Rt−1, C1, . . . , Ct−1)","inline":true},{"text":", where ","element":"span"},{"style":{"height":14},"width":31.51,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-6.png","element":"img","alt":" ft","inline":true,"padRight":true},{"text":"is an arbitrary function of the first ","element":"span"},{"style":{"height":10.8},"width":83.11,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-7.png","element":"img","alt":" t − 1","inline":true,"padRight":true},{"text":"indicators for rejections and candidacy. We say that the null ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values are conditionally super-uniformly distributed with respect to the filtration ","element":"span"},{"style":{"fontStyle":"italic"},"text":"F ","element":"span"},{"text":"if:","element":"span"}],[{"style":{"width":"76%"},"width":1436,"height":45,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-8.png","element":"img"}],[{"id":"id-21","text":"We note that independent ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values is a special case of the conditional super-uniformity condition of ","element":"span"},{"href":"#id-21","text":"(2)","element":"a"},{"text":". When ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values are independent, they satisfy the following condition:","element":"span"}],[{"style":{"width":"65%"},"width":1224,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-9.png","element":"img"}],[{"text":"SAFFRON provides the following accuracy guarantees, where the first two conditions apply if ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values are conditionally super-uniformly distributed, and the last two conditions apply if the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values are additionally independent under the null.","element":"span"}],[{"id":"id-27","style":{"fontWeight":"bold"},"text":"Theorem 3 ","element":"span"},{"text":"(","element":"span"},{"href":"#id-19","referenceIndex":16,"text":"[RZWJ18]","element":"a"},{"text":")","element":"span"},{"style":{"fontWeight":"bold"},"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"If the null ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"style":{"fontStyle":"italic"},"text":"-values are conditionally super-uniformly distributed, then we have: (a) ","element":"span"},{"style":{"height":28.8},"width":420.88,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-10.png","element":"img","alt":" E��j≤t,j∈H0 αjI(pj>λj)1−λj","inline":true}],[{"style":{"width":"99%"},"width":1873,"height":216,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-11.png","element":"img"}],[{"id":"id-12","style":{"fontStyle":"italic"},"text":"(d) The condition ","element":"span"},{"style":{"height":16},"width":515.48,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-12.png","element":"img","alt":"�FDPSAFFRON(t) ≤ α for all t","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"implies that ","element":"span"},{"style":{"height":16},"width":458.77,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/5-13.png","element":"img","alt":" FDR(t) ≤ α for all t ∈ N.","inline":true}]]},{"heading":"3 Private online false discovery rate control","paragraphs":[[{"text":"In this section, we provide our algorithm for private online false discovery rate control, ","element":"span"},{"text":"PAPRIKA","element":"span"},{"text":", given formally in Algorithm ","element":"span"},{"href":"#id-11","text":"3. ","element":"a"},{"text":"It is a differentially private version of ","element":"span"},{"text":"SAFFRON","element":"span"},{"text":", where we use ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"to ensure privacy of our rejection set. However, the combination of these tools is far from immediate, and several algorithmic innovations are required, including: dynamic thresholds in ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"to match the alpha-investing rule of SAFFRON, adding noise that scales with the multiplicative sensitivity of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values to reduce the noise required for privacy, shifting the SparseVector threshold to accommodate FDR as a novel accuracy metric, and the candidacy indicator step which cannot be done privately and requires new analysis for both privacy and accuracy. Complete proofs of our privacy and accuracy results appear in the appendix; we elaborate here on the algorithmic details and why these modifications are needed to ensure privacy and FDR control.","element":"span"}],[{"id":"id-11","style":{"width":"99%"},"width":1872,"height":949,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-0.png","element":"img"}],[{"text":"The ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"algorithm decides to reject hypothesis ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t ","element":"span"},{"text":"if the corresponding ","element":"span"},{"style":{"height":14.4},"width":168.2,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-1.png","element":"img","alt":" p-value pt","inline":true,"padRight":true},{"text":"is less than the rejection threshold ","element":"span"},{"style":{"height":9.19},"width":37.49,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-2.png","element":"img","alt":" αt","inline":true},{"text":"; that is, if ","element":"span"},{"style":{"height":13.6},"width":130.71,"height":34,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-3.png","element":"img","alt":" pt ≤ αt","inline":true},{"text":". We instantiate the ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"framework in this setting, where ","element":"span"},{"style":{"height":10},"width":32.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-4.png","element":"img","alt":" pt","inline":true,"padRight":true},{"text":"plays the role of the ","element":"span"},{"style":{"height":13.38},"width":45.44,"height":33.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-5.png","element":"img","alt":" tth","inline":true,"padRight":true},{"text":"query answer ","element":"span"},{"style":{"height":16},"width":101.49,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-6.png","element":"img","alt":" ft(X)","inline":true},{"text":", and ","element":"span"},{"style":{"height":9.19},"width":37.49,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-7.png","element":"img","alt":" αt","inline":true,"padRight":true},{"text":"plays the role of the threshold. Note that ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"uses a single fixed threshold for all queries, while our algorithm ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"allows for a dynamic threshold that depends on the previous output. Our privacy analysis of the algorithm accounts for this change and shows that dynamic thresholds do not affect the privacy guarantees of ","element":"span"},{"text":"SparseVector","element":"span"},{"text":". However, the algorithm would not be private if the dynamic thresholds also depend on the data. Note that ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"never loses wealth when testing candidate ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values with ","element":"span"},{"style":{"height":15.59},"width":126.22,"height":38.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-8.png","element":"img","alt":" pj ≤ λj","inline":true},{"text":", and the threshold ","element":"span"},{"style":{"height":15.99},"width":195.74,"height":39.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-9.png","element":"img","alt":" αj depends","inline":true,"padRight":true},{"text":"on the data since it is based on current wealth. We remove such dependence in ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"by losing wealth at every step regardless of whether we test a candidate ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values, similar to LORD. This will result in stricter FDR control (and potentially weaker power) because our wealth decays faster.","element":"span"}],[{"text":"Similar to prior work on private offline FDR control [","element":"span"},{"href":"#id-7","referenceIndex":9,"text":"DSZ18","element":"a"},{"text":"], we use ","element":"span"},{"style":{"fontStyle":"italic"},"text":"multiplicative sensitivity ","element":"span"},{"text":"as described in Definition ","element":"span"},{"href":"#id-22","text":"2, ","element":"a"},{"text":"as ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values may have high sensitivity and require unacceptably large noise to be added to preserve privacy. We assume that our input stream of ","element":"span"},{"style":{"height":14.4},"width":326.72,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-10.png","element":"img","alt":" p-values p1, p2, . . . ,","inline":true,"padRight":true},{"text":"each has multiplicative sensitivity ","element":"span"},{"style":{"height":15.6},"width":93.15,"height":39,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-11.png","element":"img","alt":"(η, µ)","inline":true},{"text":". As long as ","element":"span"},{"style":{"height":10},"width":24,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-12.png","element":"img","alt":" µ","inline":true,"padRight":true},{"text":"is small enough (i.e., less than the rejection threshold), we can treat the logarithm of the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values as the queries with additive sensitivity ","element":"span"},{"style":{"height":10.4},"width":20,"height":26,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-13.png","element":"img","alt":" η","inline":true},{"text":". Because of this change, we must make rejection decisions based on the logarithm of the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values, so our reject condition is ","element":"span"},{"style":{"height":14},"width":429.65,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-14.png","element":"img","alt":" log pt + Zt ≤ log αt + Zα","inline":true,"padRight":true},{"text":"for Laplace noise terms ","element":"span"},{"style":{"height":14},"width":107.15,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/6-15.png","element":"img","alt":" Zt, Zα","inline":true,"padRight":true},{"text":"drawn from the appropriate distributions.","element":"span"}],[{"text":"The accuracy guarantees of ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"ensure that if a value is reported to be below threshold, then with high probability it will not be more than ","element":"span"},{"style":{"height":9.19},"width":71.61,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-0.png","element":"img","alt":" αSV","inline":true,"padRight":true},{"text":"above the threshold. However, to ensure that our algorithm satisfies the desired bound ","element":"span"},{"style":{"height":13.2},"width":175.02,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-1.png","element":"img","alt":" FDR ≤ α","inline":true},{"text":", we require that reports of “below threshold” truly do correspond to ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values that are below the desired threshold ","element":"span"},{"style":{"height":9.19},"width":37.5,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-2.png","element":"img","alt":" αt","inline":true},{"text":". To accommodate this, we shift our rejection threshold ","element":"span"},{"style":{"height":14},"width":95.61,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-3.png","element":"img","alt":" log αt","inline":true,"padRight":true},{"text":"down by a parameter ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A","element":"span"},{"text":". ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A ","element":"span"},{"text":"is chosen such that the algorithm satisfies ","element":"span"},{"style":{"height":15.6},"width":85.7,"height":39,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-4.png","element":"img","alt":" (ε, δ)","inline":true},{"text":"-differential privacy, but the choice can be seen as inspired by the ","element":"span"},{"style":{"height":9.19},"width":71.61,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-5.png","element":"img","alt":" αSV","inline":true,"padRight":true},{"text":"-accuracy term of ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"as given in Theorem ","element":"span"},{"href":"#id-23","text":"2. ","element":"a"},{"text":"Therefore our final reject condition is ","element":"span"},{"style":{"height":14.8},"width":507.62,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-6.png","element":"img","alt":" log pt + Zt ≤ log αt − A + Zα","inline":true},{"text":". This ensures that “below threshold” reports are below ","element":"span"},{"style":{"height":15.6},"width":471.13,"height":39,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-7.png","element":"img","alt":"(log αt − A) + αSV ≈ log αt","inline":true,"padRight":true},{"text":"with high probability. Empirically, we see that the bound of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A ","element":"span"},{"text":"in Theorem ","element":"span"},{"text":"4 ","element":"span"},{"text":"may be overly conservative and lead to no hypotheses being rejected, so we allow an additional scaling parameter ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s ","element":"span"},{"text":"that will scale the magnitude of shift by a factor of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s","element":"span"},{"text":". The conservative bounds of Theorem ","element":"span"},{"text":"4 ","element":"span"},{"text":"correspond to ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s ","element":"span"},{"text":"= 4","element":"span"},{"text":", but in many scenarios a smaller value of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s ","element":"span"},{"text":"= 1 ","element":"span"},{"text":"or ","element":"span"},{"text":"2 ","element":"span"},{"text":"will lead to better performance while still satisfying the privacy guarantee. Further guidance choosing this shift parameter is given in Section ","element":"span"},{"href":"#id-24","text":"4.3.","element":"a"}],[{"text":"Even with these modifications, a naive combination of ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"and ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"would still not satisfy differential privacy. This is due to the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"candidacy indicator ","element":"span"},{"text":"step of the algorithm. In the ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"algorithm, a pre-processing candidacy step occurs before any rejection decisions. This step checks whether each ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value ","element":"span"},{"style":{"height":10},"width":32.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-8.png","element":"img","alt":" pt","inline":true,"padRight":true},{"text":"is smaller than a loose upper bound ","element":"span"},{"style":{"height":13.19},"width":35.25,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-9.png","element":"img","alt":" λt","inline":true,"padRight":true},{"text":"on the eventual reject threshold ","element":"span"},{"style":{"height":9.19},"width":37.49,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-10.png","element":"img","alt":" αt","inline":true},{"text":". The algorithm chooses ","element":"span"},{"style":{"height":9.19},"width":37.49,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-11.png","element":"img","alt":" αt","inline":true,"padRight":true},{"text":"using an ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-12.png","element":"img","alt":" α","inline":true},{"text":"-investing rule that depends on the number of candidate hypotheses seen so far, and ensures that ","element":"span"},{"style":{"height":13.2},"width":127.9,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-13.png","element":"img","alt":" αt ≤ λt","inline":true},{"text":", so only hypotheses in this candidate set can be rejected. These ","element":"span"},{"style":{"height":10.8},"width":23,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-14.png","element":"img","alt":" λ","inline":true,"padRight":true},{"text":"values are used to control ","element":"span"},{"style":{"height":16},"width":283.79,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-15.png","element":"img","alt":"�FDPSAFFRON(t)","inline":true},{"text":", which serves as a conservative overestimate of FDP","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":")","element":"span"},{"text":". (For a discussion of how to choose ","element":"span"},{"style":{"height":13.19},"width":35.24,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-16.png","element":"img","alt":" λt","inline":true},{"text":", see Lemma ","element":"span"},{"href":"#id-25","text":"1 ","element":"a"},{"text":"or our experimental results in Section ","element":"span"},{"text":"4. ","element":"span"},{"text":"Reasonable choices would be ","element":"span"},{"style":{"height":13.19},"width":212.02,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-17.png","element":"img","alt":" λt = αt or a","inline":true,"padRight":true},{"text":"small constant such as ","element":"span"},{"text":"0","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"2","element":"span"},{"text":".)","element":"span"}],[{"text":"Without adding noise to the candidacy condition, there may be neighboring databases with ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values ","element":"span"},{"style":{"height":10.74},"width":85.84,"height":26.85,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-18.png","element":"img","alt":"pt, p′t","inline":true,"padRight":true},{"text":"for some hypothesis such that ","element":"span"},{"style":{"height":14.74},"width":389.33,"height":36.85,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-19.png","element":"img","alt":" log pt < log λt < log p′t","inline":true},{"text":", and hence the hypothesis would have positive ","element":"span"},{"text":"probability of being rejected under the first database and zero probability of rejection under the neighbor. This would violate the ","element":"span"},{"style":{"height":16},"width":88.42,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-20.png","element":"img","alt":" (ε, 0)","inline":true},{"text":"-differential privacy guarantee intended under ","element":"span"},{"text":"SparseVector","element":"span"},{"text":". If we were to privatize the condition for candidacy using, for example, a parallel instantiation of ","element":"span"},{"text":"SparseVector","element":"span"},{"text":", then we would have to reuse the same realizations of the noise when computing the rejection threshold ","element":"span"},{"style":{"height":9.19},"width":37.49,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-21.png","element":"img","alt":" αt","inline":true,"padRight":true},{"text":"to still control FDP, but this would no longer be private.","element":"span"}],[{"text":"Since we cannot add noise to the candidacy condition, we weaken it in ","element":"span"},{"style":{"height":14.8},"width":586.86,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-22.png","element":"img","alt":" PAPRIKA to be log pt < log 2λt.","inline":true,"padRight":true},{"text":"Then if a hypothesis has different candidacy results under neighboring databases and the multiplicative sensitivity ","element":"span"},{"style":{"height":10.4},"width":20,"height":26,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-23.png","element":"img","alt":" η","inline":true,"padRight":true},{"text":"is small, then the hypothesis is still extremely unlikely to be rejected even under the database for which it was candidate. To see this, consider a pair of neighboring databases that induce ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values where ","element":"span"},{"style":{"height":14.74},"width":406.22,"height":36.86,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-24.png","element":"img","alt":"log pt < log 2λt < log p′t","inline":true},{"text":". Due to the multiplicative sensitivity constraint, we know that ","element":"span"},{"style":{"height":14.4},"width":329.51,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-25.png","element":"img","alt":" log pt ≥ log 2λt − η","inline":true},{"text":". ","element":"span"},{"text":"Plugging this into the rejection condition ","element":"span"},{"style":{"height":14.8},"width":527.49,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-26.png","element":"img","alt":" log pt + Zt ≤ log αt − A + Zα","inline":true},{"text":", we see that we would need the difference of the noise terms to satisfy ","element":"span"},{"style":{"height":19.37},"width":415.77,"height":48.43,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-27.png","element":"img","alt":" Zt − Zα ≤ log 12 − A + η","inline":true},{"text":", which by analysis of the Laplace distribution, ","element":"span"},{"text":"will happen with exponentially small probability in ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"when ","element":"span"},{"style":{"height":18.73},"width":276.3,"height":46.82,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-28.png","element":"img","alt":" η = poly−1(n).1","inline":true,"padRight":true},{"text":"Our ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"algorithm is thus ","element":"span"},{"style":{"height":16},"width":87.32,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-29.png","element":"img","alt":" (ε, δ)","inline":true},{"text":"-differentially private, and we account for this failure probability in our (exponentially small) ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-30.png","element":"img","alt":" δ","inline":true,"padRight":true},{"text":"parameter, as stated in Theorem ","element":"span"},{"text":"4.","element":"span"}],[{"text":"Our ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"algorithm allows analysts to specify a maximum number of hypotheses tested ","element":"span"},{"style":{"fontStyle":"italic"},"text":"k ","element":"span"},{"text":"and rejections ","element":"span"},{"style":{"fontStyle":"italic"},"text":"c","element":"span"},{"text":". We require a bound on the maximum number of hypotheses tested because the accuracy guarantees of ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"only allows exponentially (in the size of the database) many queries to be answered accurately. Once the total number of rejections reaches ","element":"span"},{"style":{"fontStyle":"italic"},"text":"c","element":"span"},{"text":", the algorithm will fail to reject all future hypotheses. We do not halt the algorithm as in ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"and therefore, ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"does not have a stopping criterion, and we can safely talk about the FDR control at any fixed time, just like ","element":"span"},{"text":"SAFFRON","element":"span"},{"text":".","element":"span"}],[{"text":"Our algorithm also controls at each time ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":", ","element":"span"},{"style":{"height":16},"width":337.04,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-31.png","element":"img","alt":"�FDPPAPRIKA(t) ≤","inline":true}],[{"text":"equivalent to ","element":"span"},{"style":{"height":15.6},"width":282.6,"height":39,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-32.png","element":"img","alt":"�FDPSAFFRON(t)","inline":true,"padRight":true},{"text":"by scaling down ","element":"span"},{"style":{"height":15.59},"width":36.25,"height":38.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/7-33.png","element":"img","alt":" λj","inline":true,"padRight":true},{"text":"by a factor of 2. By analyzing and bounding this expression, we achieve FDR bounds for our ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"algorithm, as stated in Theorem ","element":"span"},{"href":"#id-13","text":"5.","element":"a"}],[{"style":{"fontWeight":"bold"},"text":"Theorem 4. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"For any stream of p-values ","element":"span"},{"style":{"height":16},"width":570.2,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-0.png","element":"img","alt":" {p1, p2, . . .}, PAPRIKA is (ε, δ)","inline":true},{"style":{"fontStyle":"italic"},"text":"-differentially private.","element":"span"}],[{"text":"As a starting point, our privacy comes from ","element":"span"},{"text":"SparseVector","element":"span"},{"text":", but as discussed above, many crucial modifications are required. To briefly summarize the key considerations, we must handle different thresholds at different times, multiplicative rather than additive sensitivity, a modified notion of the candidate set, and introducing a small delta parameter to account for the new candidate set definition and the shift. The proof of Theorem ","element":"span"},{"text":"4 ","element":"span"},{"text":"appears in Appendix ","element":"span"},{"href":"#id-26","text":"B.","element":"a"}],[{"text":"Next we describe the theoretical guarantees of FDR control for our private algorithm ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"which is an analog of Theorem ","element":"span"},{"href":"#id-27","text":"3. ","element":"a"},{"text":"We modify the notation of the conditional super-uniformity assumption of ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"to incorporate the added Laplace noise. ","element":"span"},{"text":"The conditions are otherwise identical. ","element":"span"},{"text":"(See ","element":"span"},{"href":"#id-21","text":"(2) ","element":"a"},{"text":"in Appendix ","element":"span"},{"style":{"fontWeight":"bold"},"text":"?? ","element":"span"},{"text":"for comparison.) ","element":"span"},{"text":"We note that independent ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values is a special case of conditional super-uniformity, but this requirement more generally allows for a broader class of dependencies among ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values. Let ","element":"span"},{"style":{"height":16.79},"width":515.13,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-1.png","element":"img","alt":" Rj := I(pj + Zj ≤ αj + Zα)","inline":true,"padRight":true},{"text":"be the rejection decisions, and let ","element":"span"},{"style":{"height":16.79},"width":331.5,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-2.png","element":"img","alt":" Cj := I(pj ≤ 2λj)","inline":true,"padRight":true},{"text":"be the indicators for candidacy. We let ","element":"span"},{"style":{"height":16},"width":630.32,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-3.png","element":"img","alt":" αt := ft(R1, . . . , Rt−1, C1, . . . , Ct−1)","inline":true},{"text":", where ","element":"span"},{"style":{"height":14},"width":31.51,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-4.png","element":"img","alt":" ft","inline":true,"padRight":true},{"text":"is an arbitrary function of the first ","element":"span"},{"style":{"height":10.8},"width":87.85,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-5.png","element":"img","alt":" t − 1","inline":true,"padRight":true},{"text":"indicators for rejections and candidacy. Define the filtration formed by the sequences of ","element":"span"},{"style":{"height":19.24},"width":1163.84,"height":48.1,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-6.png","element":"img","alt":"σ-fields F′t := σ(R1, . . . , Rt, C1, . . . , Ct, Z1, . . . , Zt, Zα). The null p","inline":true},{"text":"-values are conditionally super-uniformly distributed with respect to the filtration ","element":"span"},{"style":{"height":12},"width":46.6,"height":30,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-7.png","element":"img","alt":" F′ ","inline":true,"padRight":true},{"text":"if when the null hypothesis ","element":"span"},{"style":{"height":13.19},"width":44.13,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-8.png","element":"img","alt":" Hi","inline":true,"padRight":true},{"text":"is true, then ","element":"span"},{"style":{"height":19.64},"width":413.17,"height":49.1,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-9.png","element":"img","alt":" Pr(pt ≤ αt|F′t−1) ≤ αt.","inline":true,"padRight":true},{"text":"We emphasize that this condition is only needed for FDR control, and that our privacy guarantee of Theorem ","element":"span"},{"text":"4 ","element":"span"},{"text":"holds for arbitrary streams of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values, even those which do not satisfy conditional super-uniformity.","element":"span"}],[{"text":"Our FDR control guarantees for ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"mirror those of ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"(Theorem ","element":"span"},{"href":"#id-27","text":"3)","element":"a"},{"text":". The first two statements apply if ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values are conditionally super-uniform, and the last two statements apply if the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values are additionally independent under the null. The proof of Theorem ","element":"span"},{"href":"#id-13","text":"5 ","element":"a"},{"text":"appears in Appendix ","element":"span"},{"text":"C.","element":"span"}],[{"id":"id-13","style":{"fontWeight":"bold"},"text":"Theorem 5. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"If the null ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"style":{"fontStyle":"italic"},"text":"-values are conditionally super-uniformly distributed, then we have: (a) ","element":"span"},{"style":{"height":28.8},"width":436.76,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-10.png","element":"img","alt":" E��j≤t,j∈H0 αjI(pj>2λj)1−2λj","inline":true}],[{"style":{"width":"99%"},"width":1873,"height":217,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-11.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"(d) The condition ","element":"span"},{"style":{"height":16},"width":518.08,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-12.png","element":"img","alt":"�FDPPAPRIKA(t) ≤ α for all t","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"implies that ","element":"span"},{"style":{"height":16},"width":541.08,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-13.png","element":"img","alt":" FDR(t) ≤ α + δt for all t ∈ N.","inline":true}],[{"text":"Relative to the non-private guarantees of Theorem ","element":"span"},{"href":"#id-27","text":"3, ","element":"a"},{"text":"the FDR bounds provided by ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"are weaker by an additive of ","element":"span"},{"style":{"height":11.6},"width":33.2,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-14.png","element":"img","alt":" δt","inline":true},{"text":". In most differential privacy applications, ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-15.png","element":"img","alt":" δ","inline":true,"padRight":true},{"text":"is typically required to be cryptographically small (i.e., at most negligible in the size of the database) [","element":"span"},{"href":"#id-8","referenceIndex":8,"text":"DR14","element":"a"},{"text":"], so this additional term should have a minuscule effect on the FDR.","element":"span"},{"style":{"height":7.6},"width":16,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-16.png","element":"img","alt":"2","inline":true,"padRight":true},{"text":"We note that ","element":"span"},{"style":{"height":7.2},"width":19,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-17.png","element":"img","alt":" ε","inline":true,"padRight":true},{"text":"plays a role in the analysis of Theorem ","element":"span"},{"href":"#id-13","text":"5, ","element":"a"},{"text":"although it does not appear in FDR bounds. See ","element":"span"},{"href":"#id-28","text":"(22) ","element":"a"},{"text":"in the appendix, where the term with dependence on ","element":"span"},{"style":{"height":7.2},"width":19,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-18.png","element":"img","alt":" ε","inline":true,"padRight":true},{"text":"can be upper bounded by ","element":"span"},{"style":{"height":14.8},"width":271.38,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-19.png","element":"img","alt":" δ for any ε > 0.","inline":true}],[{"text":"The following lemma is a key tool in the proof of Theorem ","element":"span"},{"href":"#id-13","text":"5. ","element":"a"},{"text":"Though it is qualitatively similar to Lemma 2 in [","element":"span"},{"href":"#id-19","referenceIndex":16,"text":"RZWJ18","element":"a"},{"text":"], it is crucially modified to show an analogous statement holds under the addition of Laplace noise. Its proof appears in Appendix ","element":"span"},{"href":"#id-29","text":"D.","element":"a"}],[{"id":"id-25","style":{"width":"103%"},"width":1943,"height":244,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/8-20.png","element":"img"}],[{"text":"There are no known theoretical bounds on the statistical power of ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"even in the non-private setting. Instead, we validate power empirically through the experimental results in Section ","element":"span"},{"text":"4.","element":"span"}]]},{"heading":"4 Experiments","paragraphs":[[{"text":"We experimentally compare the FDR and the statistical power of variations of the ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"and ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"procedures, under different sequences of ","element":"span"},{"style":{"height":16.79},"width":79.96,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-0.png","element":"img","alt":" {λj}","inline":true},{"text":". Following the convention of [","element":"span"},{"href":"#id-19","referenceIndex":16,"text":"RZWJ18","element":"a"},{"text":"], we define ","element":"span"},{"text":"PAPRIKA","element":"span"},{"text":"-Alpha-Investing, or ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"AI, to be the instantiation of Algorithm ","element":"span"},{"href":"#id-11","text":"3 ","element":"a"},{"text":"with the sequence ","element":"span"},{"style":{"height":15.99},"width":260.35,"height":39.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-1.png","element":"img","alt":" λj = αj, where","inline":true,"padRight":true},{"text":"the rejection threshold matches the ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-2.png","element":"img","alt":" α","inline":true},{"text":"-investing rule, and we use ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"to denote Algorithm ","element":"span"},{"href":"#id-11","text":"3 ","element":"a"},{"text":"instantiated with a sequence of constant of ","element":"span"},{"style":{"height":15.59},"width":36.25,"height":38.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-3.png","element":"img","alt":" λj","inline":true},{"text":", which in our experiments is ","element":"span"},{"style":{"height":15.59},"width":144.97,"height":38.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-4.png","element":"img","alt":" λj = 0.2","inline":true},{"text":". We use ","element":"span"},{"style":{"height":15.99},"width":144.97,"height":39.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-5.png","element":"img","alt":" λj = 0.5","inline":true,"padRight":true},{"text":"in ","element":"span"},{"style":{"height":13.78},"width":240.73,"height":34.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-6.png","element":"img","alt":" SAFFRON.3","inline":true,"padRight":true},{"text":"We generally observe that, even under moderately stringent privacy restrictions, ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"and its AI variant perform comparably to the non-private alternatives, with ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"AI typically outperforming ","element":"span"},{"text":"PAPRIKA","element":"span"},{"text":". This suggests that even though setting ","element":"span"},{"style":{"height":15.59},"width":36.24,"height":38.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-7.png","element":"img","alt":" λj","inline":true,"padRight":true},{"text":"as a fixed constant may be easier for implementation, parameter optimization can lead to meaningful performance improvements. We chose the sequence ","element":"span"},{"style":{"height":16.79},"width":77.35,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-8.png","element":"img","alt":" {γj}","inline":true,"padRight":true},{"text":"to be a constant ","element":"span"},{"text":"1","element":"span"},{"style":{"fontStyle":"italic"},"text":"/k ","element":"span"},{"text":"up to time ","element":"span"},{"style":{"fontStyle":"italic"},"text":"k","element":"span"},{"text":". Note that the sequence can be decreasing such as of the form ","element":"span"},{"style":{"height":15.37},"width":154.41,"height":38.44,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-9.png","element":"img","alt":" γj ∝ j−s","inline":true,"padRight":true},{"text":"in [","element":"span"},{"href":"#id-19","referenceIndex":16,"text":"RZWJ18","element":"a"},{"text":"], which controls the wealth to be more concentrated around small values of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"j","element":"span"},{"text":". See [","element":"span"},{"href":"#id-19","referenceIndex":16,"text":"RZWJ18","element":"a"},{"text":"] for more discussion on the choice of ","element":"span"},{"style":{"height":16.79},"width":77.35,"height":41.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-10.png","element":"img","alt":" {γj}","inline":true},{"text":". In our experiments, we set the target FDR level ","element":"span"},{"style":{"height":12.8},"width":220.38,"height":32,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-11.png","element":"img","alt":" α + δt = 0.2","inline":true},{"text":", and thus our privacy parameter ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-12.png","element":"img","alt":" δ","inline":true,"padRight":true},{"text":"is set to be bounded by ","element":"span"},{"style":{"height":17.39},"width":365.62,"height":43.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-13.png","element":"img","alt":" 0.2/800 = 2.5 × 10−4","inline":true},{"text":". The maximum number of rejections ","element":"span"},{"style":{"fontStyle":"italic"},"text":"c ","element":"span"},{"text":"= 40","element":"span"},{"text":". All the results are averaged over ","element":"span"},{"text":"100 ","element":"span"},{"text":"runs. We investigate two settings: in Section ","element":"span"},{"href":"#id-30","text":"4.1, ","element":"a"},{"text":"the observations come Bernoulli distributions, and in Section ","element":"span"},{"href":"#id-31","text":"4.2, ","element":"a"},{"text":"the observations are generated from truncated exponential distributions. In Section ","element":"span"},{"href":"#id-24","text":"4.3, ","element":"a"},{"text":"we discuss our choice of the shift parameter ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A ","element":"span"},{"text":"and give guidance on how to choose this parameter in practice. Code for ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"and our experiments is available at ","element":"span"},{"href":"https://github.com/wanrongz/PAPRIKA","style":{"fontFamily":"monospace"},"text":"https://github.com/wanrongz/PAPRIKA","element":"a"},{"text":".","element":"span"}],[{"id":"id-30","style":{"fontWeight":"bold"},"text":"4.1 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Testing with Bernoulli Observations","element":"span"}],[{"text":"We assume that the database ","element":"span"},{"style":{"fontStyle":"italic"},"text":"D ","element":"span"},{"text":"contains ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"individuals with ","element":"span"},{"style":{"fontStyle":"italic"},"text":"k ","element":"span"},{"text":"independent features. The ","element":"span"},{"style":{"fontStyle":"italic"},"text":"i","element":"span"},{"text":"th feature is associated with ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"i.i.d. Bernoulli variables ","element":"span"},{"style":{"height":16.94},"width":161.3,"height":42.35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-14.png","element":"img","alt":" ξi1, . . . , ξin","inline":true},{"text":", each of which takes the value ","element":"span"},{"text":"1 ","element":"span"},{"text":"with probability ","element":"span"},{"style":{"height":13.19},"width":29.71,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-15.png","element":"img","alt":" θi","inline":true},{"text":", ","element":"span"},{"text":"and takes the value ","element":"span"},{"text":"0 ","element":"span"},{"text":"otherwise. Let ","element":"span"},{"style":{"height":12.39},"width":25.39,"height":30.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-16.png","element":"img","alt":" ti","inline":true,"padRight":true},{"text":"be the sum of the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"i","element":"span"},{"text":"th features. A ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value for testing null hypothesis ","element":"span"},{"style":{"height":16.98},"width":609,"height":42.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-17.png","element":"img","alt":"Hi0 : θi ≤ 1/2 against Hi1 : θi > 1/2","inline":true,"padRight":true},{"text":"is given by","element":"span"}],[{"style":{"width":"19%"},"width":369,"height":115,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-18.png","element":"img"}],[{"text":"[","element":"span"},{"href":"#id-7","referenceIndex":9,"text":"DSZ18","element":"a"},{"text":"] showed that ","element":"span"},{"style":{"height":15.6},"width":177.55,"height":39,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-19.png","element":"img","alt":" pi is (µ, η)","inline":true},{"text":"-multiplicatively sensitive for ","element":"span"},{"style":{"height":28.8},"width":395.56,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-20.png","element":"img","alt":" µ = m−1−c and η ≍�","inline":true}],[{"text":"and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"c ","element":"span"},{"text":"is any small positive constant.","element":"span"}],[{"style":{"width":"61%"},"width":1155,"height":198,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-21.png","element":"img"}],[{"text":"for varying values of ","element":"span"},{"style":{"height":9.19},"width":38.72,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-22.png","element":"img","alt":" π1","inline":true},{"text":", which represents the expected fraction of non-null hypotheses. We consider relatively small values of ","element":"span"},{"style":{"height":9.19},"width":38.72,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-23.png","element":"img","alt":" π1","inline":true,"padRight":true},{"text":"as most practical applications of FDR control (such as GWAS studies) will have only a small fraction of true “discoveries” in the data.","element":"span"}],[{"text":"In the following experiments, we sequentially test ","element":"span"},{"style":{"height":16.94},"width":943.79,"height":42.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-24.png","element":"img","alt":" Hi0 versus Hi1 for i = 1, . . . , k. We use n = 1000 as the","inline":true,"padRight":true},{"text":"size of the database ","element":"span"},{"style":{"fontStyle":"italic"},"text":"D","element":"span"},{"text":", and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"k ","element":"span"},{"text":"= 800 ","element":"span"},{"text":"as the number of features as well as the number of hypotheses. Our experiments are run under several different shifts ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A","element":"span"},{"text":", but due to space constraints, we only report results in the main body with ","element":"span"},{"style":{"height":22.82},"width":626.49,"height":57.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-25.png","element":"img","alt":" A = cηε log 23 min{δ,1−((1−δ)/ exp(ε))1/k}","inline":true,"padRight":true},{"text":"(i.e., when ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s ","element":"span"},{"text":"= 1","element":"span"},{"text":"), which still satisfies our privacy ","element":"span"},{"text":"guarantee. Further discussion on the choice of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A ","element":"span"},{"text":"and additional results under other shift parameters ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s ","element":"span"},{"text":"are deferred to Appendix ","element":"span"},{"href":"#id-24","text":"4.3. ","element":"a"},{"text":"The results are summarized in Figure ","element":"span"},{"href":"#id-32","text":"1, ","element":"a"},{"text":"which plots the FDR and statistical power against the expected fraction of non-nulls, ","element":"span"},{"style":{"height":9.19},"width":38.72,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-26.png","element":"img","alt":" π1","inline":true},{"text":". In Figure ","element":"span"},{"href":"#id-32","text":"1(","element":"a"},{"text":"a) and (b), we compare our algorithms with privacy parameter ","element":"span"},{"style":{"height":11.2},"width":91.74,"height":28,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/9-27.png","element":"img","alt":" ε = 5","inline":true,"padRight":true},{"text":"to the non-private baseline methods of LORD [","element":"span"},{"href":"#id-17","referenceIndex":14,"text":"JM15","element":"a"},{"text":", ","element":"span"},{"href":"#id-18","referenceIndex":15,"text":"JM18","element":"a"},{"text":"], Alpha-investing [","element":"span"},{"href":"#id-16","referenceIndex":1,"text":"AR14","element":"a"},{"text":"], and ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"and ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"AI from [","element":"span"},{"href":"#id-19","referenceIndex":16,"text":"RZWJ18","element":"a"},{"text":"]. In Figure ","element":"span"},{"href":"#id-32","text":"1(","element":"a"},{"text":"c,d) and (e,f), we compare the ","element":"span"},{"text":"performance of ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"AI and ","element":"span"},{"text":"PAPRIKA","element":"span"},{"text":", respectively, with varying privacy parameters ","element":"span"},{"style":{"height":14.4},"width":188.36,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/10-0.png","element":"img","alt":" ε = 3, 5, 10","inline":true},{"text":". We also list these values in Table ","element":"span"},{"href":"#id-33","text":"1 ","element":"a"},{"text":"in Appendix ","element":"span"},{"text":"A.","element":"span"}],[{"id":"id-32","style":{"width":"71%"},"width":1348,"height":1936,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/10-1.png","element":"img"}],[{"text":"Figure 1: ","element":"figcaption","subtype":"caption"},{"text":"FDR and statistical power versus fraction of non-null hypotheses ","element":"figcaption","subtype":"caption"},{"style":{"height":12},"width":289.66,"height":29.99,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/10-2.png","element":"img","alt":" π1 for PAPRIKA","inline":true,"padRight":true},{"text":"(with ","element":"figcaption","subtype":"caption"},{"style":{"height":14.4},"width":632.76,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/10-3.png","element":"img","alt":" λj = 0.2), PAPRIKA AI (with λj = αj","inline":true},{"text":"), and non-private algorithms when the database consists of Bernoulli observations.","element":"figcaption","subtype":"caption"}],[{"text":"As expected, the performance of ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"generally diminishes as ","element":"span"},{"style":{"height":7.2},"width":19,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/10-4.png","element":"img","alt":" ε","inline":true,"padRight":true},{"text":"decreases. A notable exception is that FDR also decreases in Figure ","element":"span"},{"href":"#id-32","text":"1(","element":"a"},{"text":"c). This phenomenon is because we set ","element":"span"},{"style":{"height":15.59},"width":131.84,"height":38.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/10-5.png","element":"img","alt":" λj = αj","inline":true},{"text":", resulting in a smaller ","element":"span"},{"text":"candidacy set and leading to insufficient rejections. Surprisingly, ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"AI also yields a lower FDR than many of the non-private algorithms (Figure ","element":"span"},{"href":"#id-32","text":"1(","element":"a"},{"text":"a)), since it tends to make fewer rejections. We also see that ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"AI performs dramatically better than ","element":"span"},{"text":"PAPRIKA","element":"span"},{"text":", suggesting that the choice of ","element":"span"},{"style":{"height":15.59},"width":132.25,"height":38.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-0.png","element":"img","alt":" λj = αj","inline":true,"padRight":true},{"text":"should be preferred to constant ","element":"span"},{"style":{"height":15.59},"width":36.25,"height":38.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-1.png","element":"img","alt":" λj","inline":true,"padRight":true},{"text":"to ensure good performance in practice.","element":"span"}],[{"text":"As ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"is the first algorithm for private online FDR control, there is no private baseline for ","element":"span"},{"id":"id-31","text":"comparison. In Appendix ","element":"span"},{"text":"A, ","element":"span"},{"text":"we show that naïve Laplace privatization plus ","element":"span"},{"text":"SAFFRON ","element":"span"},{"text":"is ineffective.","element":"span"}],[{"style":{"fontWeight":"bold"},"text":"4.2 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Testing with Truncated Exponential Observations","element":"span"}],[{"text":"We again assume that the database ","element":"span"},{"style":{"fontStyle":"italic"},"text":"D ","element":"span"},{"text":"contains ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"individuals with ","element":"span"},{"style":{"fontStyle":"italic"},"text":"k ","element":"span"},{"text":"independent features. The ","element":"span"},{"style":{"fontStyle":"italic"},"text":"i","element":"span"},{"text":"th feature is associated with ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"i.i.d. truncated exponential distributed variables ","element":"span"},{"style":{"height":16.94},"width":161.3,"height":42.35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-2.png","element":"img","alt":" ξi1, . . . , ξin","inline":true},{"text":", each of which is sampled ","element":"span"},{"text":"according to density","element":"span"}],[{"style":{"width":"38%"},"width":715,"height":88,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-3.png","element":"img"}],[{"text":"for positive parameters ","element":"span"},{"style":{"height":13.59},"width":262.49,"height":33.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-4.png","element":"img","alt":" b and θi. Let ti","inline":true,"padRight":true},{"text":"be the realized sum of the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"i","element":"span"},{"text":"th features, and let ","element":"span"},{"style":{"height":13.19},"width":34.29,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-5.png","element":"img","alt":" Ti","inline":true,"padRight":true},{"text":"denote the random variable of the sum of the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"truncated exponential distributed variables in the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"i","element":"span"},{"text":"th entry. A ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value for testing the null hypothesis ","element":"span"},{"style":{"height":16.94},"width":189.34,"height":42.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-6.png","element":"img","alt":" Hi0 : θi = 1","inline":true,"padRight":true},{"text":"against the alternative hypothesis ","element":"span"},{"style":{"height":16.94},"width":189.32,"height":42.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-7.png","element":"img","alt":" Hi1 : θi > 1","inline":true,"padRight":true},{"text":"is given by,","element":"span"}],[{"style":{"width":"20%"},"width":378,"height":60,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-8.png","element":"img"}],[{"text":"[","element":"span"},{"href":"#id-7","referenceIndex":9,"text":"DSZ18","element":"a"},{"text":"] showed that ","element":"span"},{"style":{"height":15.6},"width":177.55,"height":39,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-9.png","element":"img","alt":" pi is (µ, η)","inline":true},{"text":"-multiplicatively sensitive for ","element":"span"},{"style":{"height":28.8},"width":395.56,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-10.png","element":"img","alt":" µ = m−1−c and η ≍�","inline":true}],[{"text":"and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"c ","element":"span"},{"text":"is any small positive constant. In the following experiments, we generate our database using the exponential distribution model truncated at ","element":"span"},{"style":{"height":13.19},"width":279.46,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-11.png","element":"img","alt":" b = 1. We set θi","inline":true,"padRight":true},{"text":"as follows:","element":"span"}],[{"style":{"width":"30%"},"width":575,"height":121,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-12.png","element":"img"}],[{"text":"where we vary the parameter ","element":"span"},{"style":{"height":9.19},"width":38.72,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-13.png","element":"img","alt":" π1","inline":true},{"text":", corresponding to the expected fraction of non-nulls.","element":"span"}],[{"text":"We sequentially test ","element":"span"},{"style":{"height":16.94},"width":49.13,"height":42.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-14.png","element":"img","alt":" Hi0","inline":true,"padRight":true},{"text":"versus ","element":"span"},{"style":{"height":16.94},"width":49.13,"height":42.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-15.png","element":"img","alt":" Hi1","inline":true,"padRight":true},{"text":"for ","element":"span"},{"style":{"fontStyle":"italic"},"text":"i ","element":"span"},{"text":"= 1","element":"span"},{"style":{"fontStyle":"italic"},"text":", . . . , k","element":"span"},{"text":". We use ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"= 1000 ","element":"span"},{"text":"as the size of the database ","element":"span"},{"style":{"fontStyle":"italic"},"text":"D","element":"span"},{"text":", and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"k ","element":"span"},{"text":"= 800 ","element":"span"},{"text":"as the number of features as well as the number of hypotheses. While there is no closed form to compute the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values, the sum of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"n ","element":"span"},{"text":"= 1000 ","element":"span"},{"text":"i.i.d. samples is approximately normally distributed by the Central Limit Theorem. The expectation and the variance of ","element":"span"},{"style":{"height":19.53},"width":295.24,"height":48.84,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-16.png","element":"img","alt":" ξij with b = 1 are","inline":true}],[{"style":{"width":"29%"},"width":558,"height":204,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-17.png","element":"img"}],[{"text":"respectively. Therefore, ","element":"span"},{"style":{"height":13.19},"width":34.29,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-18.png","element":"img","alt":" Ti","inline":true,"padRight":true},{"text":"is approximately distributed as ","element":"span"},{"style":{"height":20.26},"width":359.61,"height":50.65,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-19.png","element":"img","alt":" N(nE�ξij�, nVar[ξij])","inline":true},{"text":", and we compute the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values ","element":"span"},{"text":"accordingly. We run the experiments with shift ","element":"span"},{"style":{"height":22.82},"width":625.66,"height":57.04,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-20.png","element":"img","alt":" A = cηε log 23 min{δ,1−((1−δ)/ exp(ε))1/k} ","inline":true,"padRight":true},{"text":"(shift magnitude ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s ","element":"span"},{"text":"= 1","element":"span"},{"text":"). ","element":"span"},{"text":"The results are shown in Figure ","element":"span"},{"href":"#id-34","text":"2, ","element":"a"},{"text":"which plots the FDR and statistical power against the expected fraction of non-nulls, ","element":"span"},{"style":{"height":9.19},"width":51.6,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/11-21.png","element":"img","alt":" π1.","inline":true}],[{"id":"id-34","style":{"width":"71%"},"width":1348,"height":1981,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/12-0.png","element":"img"}],[{"text":"Figure 2: ","element":"figcaption","subtype":"caption"},{"text":"FDR and statistical power versus fraction of non-nulls ","element":"figcaption","subtype":"caption"},{"style":{"height":14.4},"width":403.13,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/12-1.png","element":"img","alt":" π1 for PAPRIKA (with","inline":true},{"style":{"height":14.4},"width":677.61,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/12-2.png","element":"img","alt":"λj = 0.2), PAPRIKA AI (with λj = αj","inline":true},{"text":"), and non-private algorithms when the database consists of truncated exponential observations.","element":"figcaption","subtype":"caption"}],[{"text":"As in the case with binomial data, we see that the performance of ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"generally diminishes as ","element":"span"},{"style":{"height":7.2},"width":19,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/12-3.png","element":"img","alt":"ε","inline":true,"padRight":true},{"text":"decreases, and that ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"AI outperforms ","element":"span"},{"text":"PAPRIKA","element":"span"},{"text":", again reinforcing the need for tuning the parameters ","element":"span"},{"style":{"height":15.59},"width":36.25,"height":38.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/12-4.png","element":"img","alt":" λj","inline":true,"padRight":true},{"text":"based on the alpha-investing rule. All methods perform well in this setting, and the FDR of ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"AI is visually indistinguishable from 0 at all levels of ","element":"span"},{"style":{"height":13.59},"width":145.59,"height":33.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/12-5.png","element":"img","alt":" ε and π1","inline":true,"padRight":true},{"text":"tested. Numerical values are listed","element":"span"}],[{"text":"in Table ","element":"span"},{"href":"#id-35","text":"2 ","element":"a"},{"text":"in Appendix ","element":"span"},{"text":"A ","element":"span"},{"text":"for ease of comparison.","element":"span"}],[{"text":"We provide a further illustration of our experiments on truncated exponentials in Figure ","element":"span"},{"href":"#id-36","text":"3. ","element":"a"},{"text":"In particular, we plot the rejection threshold ","element":"span"},{"style":{"height":9.19},"width":37.49,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-0.png","element":"img","alt":" αt","inline":true,"padRight":true},{"text":"and wealth versus the hypothesis index. Each “jump” of the wealth corresponds to a rejection. We observe that the rejections of our private algorithms are consistent with the rejections of the non-private algorithms, another perspective which empirically confirms their accuracy.","element":"span"}],[{"text":"One hypothesis for the good performance observed in Figure ","element":"span"},{"href":"#id-34","text":"2 ","element":"a"},{"text":"is that the signal between the null and alternative hypotheses as parameterized by ","element":"span"},{"style":{"height":13.19},"width":29.71,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-1.png","element":"img","alt":" θi","inline":true,"padRight":true},{"text":"is very strong, meaning the algorithms can easily discriminate between the true null and true non-null hypotheses based on the observed ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values. To measure this, we also varied the value of ","element":"span"},{"style":{"height":13.19},"width":29.71,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-2.png","element":"img","alt":" θi","inline":true,"padRight":true},{"text":"in the alternative hypotheses. These results are shown in Figure ","element":"span"},{"href":"#id-37","text":"4, ","element":"a"},{"text":"which plots FDR and power of ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"and ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"AI with when the alternative hypotheses have parameter ","element":"span"},{"style":{"height":14.4},"width":330.19,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-3.png","element":"img","alt":"θi = 1.90, 1.95, 2.00","inline":true},{"text":". As expected, the performance gets better as we increase the signal, and we observe that when the signal is too weak (","element":"span"},{"style":{"height":13.19},"width":156.03,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-4.png","element":"img","alt":"θi = 1.90","inline":true},{"text":"), performance begins to decline.","element":"span"}],[{"text":"For baseline of comparison, we include results for LapSAFFRON with ","element":"span"},{"style":{"height":10.8},"width":91.09,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-5.png","element":"img","alt":" ε = 5","inline":true},{"text":", which is a naïve privatization of SAFFRON based on the Laplace Mechanism. For this baseline mechanism, LapSAFFRON first computes the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values of each hypothesis, applies the Laplace Mechanism [","element":"span"},{"href":"#id-2","referenceIndex":6,"text":"DMNS06","element":"a"},{"text":"] to the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values, and then uses these noisy ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values as input to SAFFRON. Overall privacy of the mechanism comes from advanced composition across multiple calls to the Laplace Mechanism, and post-processing guarantees of differential privacy, where the SAFFRON algorithm is post-processing on the privatized ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values. We see that this baseline mechanism performs extremely poorly relative to ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"and ","element":"span"},{"text":"PAPRIKA ","element":"span"},{"text":"AI, motivating the need for our better algorithm design.","element":"span"}],[{"id":"id-36","style":{"width":"63%"},"width":1198,"height":763,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-6.png","element":"img"}],[{"text":"Figure 3: ","element":"figcaption","subtype":"caption"},{"text":"Wealth and rejection threshold ","element":"figcaption","subtype":"caption"},{"style":{"height":8},"width":34.62,"height":19.99,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-7.png","element":"img","alt":" αt","inline":true,"padRight":true},{"text":"versus hypothesis index with privacy parameter ","element":"figcaption","subtype":"caption"},{"style":{"height":10.4},"width":84.39,"height":26,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-8.png","element":"img","alt":"ε = 5","inline":true,"padRight":true},{"text":"when the database consists of truncated exponential observations. ","element":"figcaption","subtype":"caption"},{"text":"PAPRIKA ","element":"figcaption","subtype":"caption"},{"text":"AI and ","element":"figcaption","subtype":"caption"},{"style":{"height":13.99},"width":1441.28,"height":34.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/13-9.png","element":"img","alt":"SAFFRON AI used λj = αj, PAPRIKA used λj = 0.2, and SAFFRON used λj = 0.5.","inline":true}],[{"id":"id-37","style":{"width":"63%"},"width":1198,"height":1118,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-0.png","element":"img"}],[{"text":"Figure 4: ","element":"figcaption","subtype":"caption"},{"text":"FDR and statistical power versus expected fraction of non-null hypotheses ","element":"figcaption","subtype":"caption"},{"style":{"height":11.59},"width":139.8,"height":28.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-1.png","element":"img","alt":" π1 under","inline":true,"padRight":true},{"text":"various choices of signal ","element":"figcaption","subtype":"caption"},{"style":{"height":13.2},"width":304.46,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-2.png","element":"img","alt":" θi = 1.90, 1.95, 2.00","inline":true,"padRight":true},{"text":"for alternative hypothesis parameters. The privacy parameter is ","element":"figcaption","subtype":"caption"},{"style":{"height":10.4},"width":91.12,"height":26,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-3.png","element":"img","alt":" ε = 5","inline":true},{"text":", and the database consists of truncated exponential observations. The first row shows performance of ","element":"figcaption","subtype":"caption"},{"style":{"height":14},"width":504.06,"height":34.99,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-4.png","element":"img","alt":" PAPRIKA AI where λj = αj","inline":true},{"text":", and the second row shows performance of ","element":"figcaption","subtype":"caption"},{"style":{"height":14},"width":450.37,"height":34.99,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-5.png","element":"img","alt":" PAPRIKA where λj = 0.2.","inline":true}],[{"id":"id-24","style":{"fontWeight":"bold"},"text":"4.3 ","element":"span"},{"style":{"fontWeight":"bold"},"text":"Choice of shift ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A","element":"span"}],[{"text":"We now discuss how to choose the shift parameter ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A","element":"span"},{"text":". Theorem ","element":"span"},{"text":"4 ","element":"span"},{"text":"gives a theoretical lower bound for ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A ","element":"span"},{"text":"in terms of the privacy parameter ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-6.png","element":"img","alt":" δ","inline":true},{"text":", but this bound may be overly conservative. Since the shift ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A ","element":"span"},{"text":"is closely related to the performance of FDR and statistical power, we wish to pick a value of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A ","element":"span"},{"text":"that yields good performance in practice. In Theorem ","element":"span"},{"href":"#id-13","text":"5, ","element":"a"},{"text":"we show that FDR","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":") ","element":"span"},{"text":"is less than our desired bound ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-7.png","element":"img","alt":" α","inline":true,"padRight":true},{"text":"plus the privacy parameter ","element":"span"},{"style":{"height":11.6},"width":33.21,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-8.png","element":"img","alt":" δt","inline":true},{"text":", which naturally requires that the privacy loss parameter ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-9.png","element":"img","alt":" δ","inline":true,"padRight":true},{"text":"be small. For a more detailed explanation, we bound Inequality ","element":"span"},{"href":"#id-28","text":"(22) ","element":"a"},{"text":"in the proof of Theorem ","element":"span"},{"href":"#id-13","text":"5 ","element":"a"},{"text":"using Inequality ","element":"span"},{"href":"#id-38","text":"(14) ","element":"a"},{"text":"from the proof of Theorem ","element":"span"},{"text":"4, ","element":"span"},{"text":"and therefore, the empirical ","element":"span"},{"style":{"height":11.6},"width":19,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-10.png","element":"img","alt":" δ","inline":true,"padRight":true},{"text":"is naturally tied to the empirical FDR. As long as we can guarantee the empirical FDR to be bounded by the target FDR level, our privacy loss is bounded by the nominal ","element":"span"},{"style":{"height":11.6},"width":30.22,"height":29,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-11.png","element":"img","alt":" δ.","inline":true}],[{"text":"We use the Bernoulli example in Section ","element":"span"},{"href":"#id-30","text":"4.1 ","element":"a"},{"text":"to investigate the performance under different choices of the shift ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A ","element":"span"},{"text":"with privacy parameter ","element":"span"},{"style":{"height":11.2},"width":93.86,"height":28,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/14-12.png","element":"img","alt":" ε = 5","inline":true},{"text":". The results are summarized in Figure ","element":"span"},{"href":"#id-39","text":"5, ","element":"a"},{"text":"which plots the FDR and power versus the expected fraction of non-nulls when we vary the shift size with ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s ","element":"span"},{"text":"= 0","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"5","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"text":"1","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"text":"1","element":"span"},{"style":{"fontStyle":"italic"},"text":".","element":"span"},{"text":"5","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"text":"2","element":"span"},{"text":".","element":"span"}],[{"text":"Larger shifts (corresponding to larger values of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s","element":"span"},{"text":") will lower the rejection threshold, which causes fewer hypotheses to be rejected. This improves FDR of the algorithm, but harms Power, as the threshold may be too low to reject true nulls. Figure ","element":"span"},{"href":"#id-39","text":"5 ","element":"a"},{"text":"shows that the shift size parameter ","element":"span"},{"style":{"fontStyle":"italic"},"text":"s ","element":"span"},{"text":"should be chosen by the analyst to balance the tradeoff between FDR and Power, as demanded by the application.","element":"span"}],[{"id":"id-39","style":{"width":"63%"},"width":1198,"height":1146,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/15-0.png","element":"img"}],[{"text":"Figure 5: ","element":"figcaption","subtype":"caption"},{"text":"FDR and statistical power versus expected fraction of non-null hypotheses ","element":"figcaption","subtype":"caption"},{"style":{"height":11.59},"width":139.8,"height":28.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/15-1.png","element":"img","alt":" π1 under","inline":true,"padRight":true},{"text":"various choices of shift magnitude ","element":"figcaption","subtype":"caption"},{"style":{"fontStyle":"italic"},"text":"s","element":"figcaption","subtype":"caption"},{"text":". The privacy parameter is ","element":"figcaption","subtype":"caption"},{"style":{"height":10.4},"width":83.66,"height":26,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/15-2.png","element":"img","alt":" ε = 5","inline":true},{"text":", and the database consists of Bernoulli observations. The first row shows performance of ","element":"figcaption","subtype":"caption"},{"style":{"height":14},"width":494.8,"height":34.99,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/15-3.png","element":"img","alt":" PAPRIKA AI where λj = αj,","inline":true,"padRight":true},{"text":"and the second row shows performance of ","element":"figcaption","subtype":"caption"},{"style":{"height":14},"width":450.37,"height":34.99,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/15-4.png","element":"img","alt":" PAPRIKA where λj = 0.2.","inline":true}]]},{"heading":"References","paragraphs":[[{"id":"id-16","text":"[AR14] ","element":"span"},{"text":"Ehud Aharoni and Saharon Rosset. Generalized ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/15-5.png","element":"img","alt":" α","inline":true},{"text":"-investing: definitions, optimality results and application to public databases. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Journal of the Royal Statistical Society: Series B (Statistical Methodology)","element":"span"},{"text":", 76(4):771–794, 2014.","element":"span"}],[{"id":"id-9","text":"[BH95] ","element":"span"},{"text":"Yoav Benjamini and Yosef Hochberg. Controlling the false discovery rate: a practical and powerful approach to multiple testing. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Journal of the Royal Statistical Society: Series B (Methodological)","element":"span"},{"text":", 57(1):289–300, 1995.","element":"span"}],[{"id":"id-4","text":"[Dif17] ","element":"span"},{"text":"Differential ","element":"span"},{"text":"Privacy ","element":"span"},{"text":"Team, ","element":"span"},{"text":"Apple. ","element":"span"},{"text":"Learning ","element":"span"},{"text":"with ","element":"span"},{"text":"privacy ","element":"span"},{"text":"at ","element":"span"},{"text":"scale. ","element":"span"},{"href":"https://machinelearning.apple.com/docs/learning-with-privacy-at-scale/appledifferentialprivacysystem.pdf","style":{"fontFamily":"monospace"},"text":"https: ","element":"a"},{"href":"https://machinelearning.apple.com/docs/learning-with-privacy-at-scale/appledifferentialprivacysystem.pdf","style":{"fontFamily":"monospace"},"text":"//machinelearning.apple.com/docs/learning-with-privacy-at-scale/ ","element":"a"},{"href":"https://machinelearning.apple.com/docs/learning-with-privacy-at-scale/appledifferentialprivacysystem.pdf","style":{"fontFamily":"monospace"},"text":"appledifferentialprivacysystem.pdf","element":"a"},{"text":", December 2017.","element":"span"}],[{"id":"id-5","text":"[DKY17] ","element":"span"},{"text":"Bolin Ding, Janardhan Kulkarni, and Sergey Yekhanin. Collecting telemetry data privately. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Advances in Neural Information Processing Systems 30","element":"span"},{"text":", NIPS ’17, pages 3571–3580. Curran Associates, Inc., 2017.","element":"span"}],[{"id":"id-6","text":"[DLS","element":"span"},{"style":{"height":16.98},"width":77.3,"height":42.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/15-6.png","element":"img","alt":"+17]","inline":true,"padRight":true},{"text":"Aref N. Dajani, Amy D. Lauger, Phyllis E. Singer, Daniel Kifer, Jerome P. Reiter, Ashwin Machanavajjhala, Simson L. Garfinkel, Scot A. Dahl, Matthew Graham, Vishesh Karwa, Hang Kim, Philip Lelerc, Ian M. Schmutte, William N. Sexton, Lars Vilhuber, and John M.","element":"span"}],[{"text":"Abowd. The modernization of statistical disclosure limitation at the U.S. census bureau, 2017. Presented at the September 2017 meeting of the Census Scientific Advisory Committee.","element":"span"}],[{"id":"id-2","text":"[DMNS06] ","element":"span"},{"text":"Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. Calibrating noise to sensitivity in private data analysis. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the 3rd Conference on Theory of Cryptography","element":"span"},{"text":", TCC ’06, pages 265–284, 2006.","element":"span"}],[{"id":"id-14","text":"[DNPR10] ","element":"span"},{"text":"Cynthia Dwork, Moni Naor, Toniann Pitassi, and Guy N. Rothblum. Differential privacy under continual observation. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the 42nd ACM Symposium on Theory of Computing","element":"span"},{"text":", STOC ’10, pages 715–724, 2010.","element":"span"}],[{"id":"id-8","text":"[DR14] ","element":"span"},{"text":"Cynthia Dwork and Aaron Roth. The algorithmic foundations of differential privacy. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Foundations and Trends in Theoretical Computer Science","element":"span"},{"text":", 9(3–4):211–407, 2014.","element":"span"}],[{"id":"id-7","text":"[DSZ18] ","element":"span"},{"text":"Cynthia Dwork, Weijie J Su, and Li Zhang. Differentially private false discovery rate control. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1807.04209","element":"span"},{"text":", 2018.","element":"span"}],[{"id":"id-0","text":"[ENAoSM","element":"span"},{"style":{"height":16.98},"width":77.31,"height":42.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/16-0.png","element":"img","alt":"+19]","inline":true,"padRight":true},{"text":"Medicine Engineering, Engineering National Academies of Sciences, Medicine, et al. Reproducibility and replicability in science. 2019.","element":"span"}],[{"id":"id-3","text":"[EPK14] ","element":"span"},{"text":"Úlfar Erlingsson, Vasyl Pihur, and Aleksandra Korolova. RAPPOR: Randomized aggregatable privacy-preserving ordinal response. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Proceedings of the 2014 ACM Conference on Computer and Communications Security","element":"span"},{"text":", CCS ’14, pages 1054–1067, New York, NY, USA, 2014. ACM.","element":"span"}],[{"id":"id-15","text":"[FS08] ","element":"span"},{"text":"Dean P Foster and Robert A Stine. ","element":"span"},{"style":{"height":6.8},"width":26,"height":17,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/16-1.png","element":"img","alt":" α","inline":true},{"text":"-investing: a procedure for sequential control of expected false discoveries. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Journal of the Royal Statistical Society: Series B (Statistical Methodology)","element":"span"},{"text":", 70(2):429–444, 2008.","element":"span"}],[{"id":"id-1","text":"[HSR","element":"span"},{"style":{"height":16.98},"width":77.31,"height":42.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/16-2.png","element":"img","alt":"+08]","inline":true,"padRight":true},{"text":"Nils Homer, Szabolcs Szelinger, Margot Redman, David Duggan, Waibhav Tembe, Jill Muehling, John V Pearson, Dietrich A Stephan, Stanley F Nelson, and David W Craig. Resolving individuals contributing trace amounts of dna to highly complex mixtures using high-density snp genotyping microarrays. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"PLoS genetics","element":"span"},{"text":", 4(8):e1000167, 2008.","element":"span"}],[{"id":"id-17","text":"[JM15] ","element":"span"},{"text":"Adel Javanmard and Andrea Montanari. On online control of false discovery rate. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1502.06197","element":"span"},{"text":", 2015.","element":"span"}],[{"id":"id-18","text":"[JM18] ","element":"span"},{"text":"Adel Javanmard and Andrea Montanari. Online rules for control of false discovery rate and false discovery exceedance. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"The Annals of Statistics","element":"span"},{"text":", 46(2):526–554, 2018.","element":"span"}],[{"id":"id-19","text":"[RZWJ18] ","element":"span"},{"text":"Aaditya Ramdas, Tijana Zrnic, Martin Wainwright, and Michael Jordan. SAFFRON: an adaptive algorithm for online control of the false discovery rate. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"arXiv preprint arXiv:1802.09098","element":"span"},{"text":", 2018.","element":"span"}],[{"text":"[TR19] ","element":"span"},{"text":"Jinjin Tian and Aaditya Ramdas. ADDIS: An adaptive discarding algorithm for online FDR control with conservative nulls. In ","element":"span"},{"style":{"fontStyle":"italic"},"text":"Advances in Neural Information Processing Systems 32","element":"span"},{"text":", NeurIPS ’19, pages 9383–9391. Curran Associates, Inc., 2019.","element":"span"}]]},{"heading":"A Additional Tables","paragraphs":[[{"text":"Tables ","element":"span"},{"href":"#id-33","text":"1 ","element":"a"},{"text":"and ","element":"span"},{"href":"#id-35","text":"2 ","element":"a"},{"text":"report the numerical values for our experiments on Bernoulli and truncated exponential data, respectively. This information is also presented visually in Figures ","element":"span"},{"href":"#id-32","text":"1 ","element":"a"},{"text":"and ","element":"span"},{"href":"#id-34","text":"2.","element":"a"}],[{"id":"id-33","style":{"width":"99%"},"width":1863,"height":791,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/17-0.png","element":"img"}],[{"text":"Table 1: Numerical values of FDR and power for Bernoulli observations experiments. ","element":"figcaption","subtype":"caption"},{"text":"LapSAFFRON corresponds to running SAFFRON on the naïve Laplace privatization of the p-values.","element":"figcaption","subtype":"caption"}],[{"id":"id-35","style":{"width":"99%"},"width":1863,"height":790,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/17-1.png","element":"img"}],[{"text":"Table 2: Numerical values of FDR and power for truncated exponential observations experiments. LapSAF- ","element":"figcaption","subtype":"caption"},{"id":"id-26","text":"FRON corresponds to running SAFFRON on the naïve Laplace privatization of the p-values.","element":"figcaption","subtype":"caption"}]]},{"heading":"B Proof of Theorem 4","paragraphs":[[{"text":"Before proving Theorem ","element":"span"},{"text":"4, ","element":"span"},{"text":"we will state and prove the following lemma, which will be useful in the proofs of Theorem ","element":"span"},{"text":"4 ","element":"span"},{"text":"and Theorem ","element":"span"},{"href":"#id-13","text":"5.","element":"a"}],[{"id":"id-42","style":{"fontWeight":"bold"},"text":"Lemma 2. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"If ","element":"span"},{"style":{"height":16},"width":498.1,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-0.png","element":"img","alt":" Z1 ∼ Lap(2b), Z2 ∼ Lap(b)","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"and ","element":"span"},{"style":{"fontStyle":"italic"},"text":"C > ","element":"span"},{"text":"0 ","element":"span"},{"style":{"fontStyle":"italic"},"text":"is a constant, we have ","element":"span"},{"style":{"height":16},"width":444.48,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-1.png","element":"img","alt":" Pr(Z1 ≥ Z2 − C) = 1 −","inline":true}],[{"style":{"width":"25%"},"width":471,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-2.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"Proof.","element":"span"}],[{"style":{"width":"97%"},"width":1824,"height":713,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-3.png","element":"img"}],[{"style":{"fontWeight":"bold"},"text":"Theorem 4. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"For any stream of p-values ","element":"span"},{"style":{"height":16},"width":570.2,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-4.png","element":"img","alt":" {p1, p2, . . .}, PAPRIKA is (ε, δ)","inline":true},{"style":{"fontStyle":"italic"},"text":"-differentially private.","element":"span"}],[{"style":{"fontStyle":"italic"},"text":"Proof. ","element":"span"},{"text":"Fix any two neighboring databases ","element":"span"},{"style":{"fontStyle":"italic"},"text":"D ","element":"span"},{"text":"and ","element":"span"},{"style":{"height":10.8},"width":48.1,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-5.png","element":"img","alt":" D′","inline":true},{"text":". Let ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R ","element":"span"},{"text":"denote the random variable representing the output of ","element":"span"},{"style":{"height":18.95},"width":911.28,"height":47.37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-6.png","element":"img","alt":" PAPRIKA(D, α, λ, W0, {γj}∞j=0, c, ε, δ, s) and let R′","inline":true,"padRight":true},{"text":"denote the random variable representing the ","element":"span"},{"text":"output of ","element":"span"},{"style":{"height":18.95},"width":719.63,"height":47.38,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-7.png","element":"img","alt":" PAPRIKA(D′, α, λ, W0, {γj}∞j=0, c, ε, δ, s","inline":true},{"text":"). Let ","element":"span"},{"style":{"fontStyle":"italic"},"text":"k ","element":"span"},{"text":"denote the total number of hypotheses. When ","element":"span"},{"style":{"height":14},"width":259.43,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-8.png","element":"img","alt":"log pt ≥ log 2λ","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":14.74},"width":259.43,"height":36.85,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-9.png","element":"img","alt":" log p′t ≥ log 2λ","inline":true,"padRight":true},{"text":"for all ","element":"span"},{"style":{"height":16},"width":965.06,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-10.png","element":"img","alt":" t, Pr(R = {0, 0, . . . , 0}) = 1 = Pr(R′ = {0, 0, . . . , 0})","inline":true},{"text":". When ","element":"span"},{"style":{"height":15.14},"width":719.87,"height":37.85,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-11.png","element":"img","alt":"log pt < log 2λ and log p′t < log 2λ for all t","inline":true},{"text":", privacy follows from the privacy of ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":"with dynamic ","element":"span"},{"text":"thresholds. Since the threshold at each time ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t ","element":"span"},{"text":"only depends on the threshold at time ","element":"span"},{"style":{"height":10.8},"width":83.04,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-12.png","element":"img","alt":" t − 1","inline":true,"padRight":true},{"text":"and and private rejection ","element":"span"},{"style":{"height":16},"width":144.98,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-13.png","element":"img","alt":" R(t − 1)","inline":true},{"text":", by post-processing, the threshold ","element":"span"},{"style":{"height":9.19},"width":37.49,"height":22.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-14.png","element":"img","alt":" αt","inline":true,"padRight":true},{"text":"is private. Then by post-processing and the privacy of ","element":"span"},{"text":"SparseVector ","element":"span"},{"text":", the rejection ","element":"span"},{"style":{"fontStyle":"italic"},"text":"R","element":"span"},{"text":"(","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":") ","element":"span"},{"text":"is also private. We give the formal probability argument as follows. For any neighboring ","element":"span"},{"style":{"height":14},"width":99.91,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-15.png","element":"img","alt":" D, D′","inline":true,"padRight":true},{"text":"and any sequence of hypotheses, we first consider the output up to the first rejection, which is ","element":"span"},{"text":"AboveThresh ","element":"span"},{"text":". Consider any output ","element":"span"},{"style":{"height":17.38},"width":178.88,"height":43.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-16.png","element":"img","alt":" r ∈ {0, 1}l","inline":true},{"text":". Let ","element":"span"},{"style":{"height":16},"width":323.84,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-17.png","element":"img","alt":" r = {r1, r2, . . . , rl}","inline":true},{"text":", with ","element":"span"},{"style":{"height":13.19},"width":106.86,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-18.png","element":"img","alt":" rl = 1","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":13.19},"width":420.05,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-19.png","element":"img","alt":" r1 = . . . = rl−1 = 0. Let","inline":true}],[{"style":{"width":"46%"},"width":870,"height":100,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/18-20.png","element":"img"}],[{"text":"where ","element":"span"},{"style":{"height":10},"width":169.42,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-0.png","element":"img","alt":" α1, . . . , αt","inline":true,"padRight":true},{"text":"is a fixed sequence of thresholds determined by the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"r","element":"span"},{"text":". We have","element":"span"}],[{"id":"id-40","style":{"width":"96%"},"width":1809,"height":738,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-1.png","element":"img"}],[{"text":"Equation ","element":"span"},{"href":"#id-40","text":"(3) ","element":"a"},{"text":"is from change of integration variable ","element":"span"},{"style":{"height":13.2},"width":162.41,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-2.png","element":"img","alt":" z to z − η","inline":true},{"text":". Inequality ","element":"span"},{"href":"#id-40","text":"(4) ","element":"a"},{"text":"is because ","element":"span"},{"style":{"height":16},"width":382.57,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-3.png","element":"img","alt":" Zα follows Lap(2ηc/ε)","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":16},"width":447.8,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-4.png","element":"img","alt":" log pi(D) − η ≤ log pi(D′)","inline":true},{"text":". Inequality ","element":"span"},{"href":"#id-40","text":"(5) ","element":"a"},{"text":"is because","element":"span"}],[{"style":{"width":"59%"},"width":1109,"height":280,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-5.png","element":"img"}],[{"text":"When we restart ","element":"span"},{"text":"AboveThresh ","element":"span"},{"text":"after the first rejection, the inital threshold is the post-processing of the previous ouputs, which is also private. Then by simple composition, the overall privacy loss is ","element":"span"},{"style":{"height":7.2},"width":29.58,"height":18,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-6.png","element":"img","alt":" ε.","inline":true,"padRight":true},{"text":"For other cases, the worst case is that for all ","element":"span"},{"style":{"height":15.14},"width":617.98,"height":37.85,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-7.png","element":"img","alt":" t, log pt < log 2λ and log p′t ≥ log 2λ","inline":true},{"text":". In this setting, we have","element":"span"}],[{"style":{"width":"34%"},"width":644,"height":120,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-8.png","element":"img"}],[{"text":"To satisfy ","element":"span"},{"style":{"height":16},"width":87.28,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-9.png","element":"img","alt":" (ε, δ)","inline":true},{"text":"-differential privacy, we need to bound the probability of outputting ","element":"span"},{"style":{"fontStyle":"italic"},"text":"r ","element":"span"},{"text":"for database ","element":"span"},{"style":{"fontStyle":"italic"},"text":"D","element":"span"},{"text":". We first consider ","element":"span"},{"style":{"fontStyle":"italic"},"text":"r ","element":"span"},{"text":"= ","element":"span"},{"style":{"fontStyle":"italic"},"text":"{","element":"span"},{"text":"0","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"text":"0 ","element":"span"},{"style":{"fontStyle":"italic"},"text":". . . , ","element":"span"},{"text":"0","element":"span"},{"style":{"fontStyle":"italic"},"text":"}","element":"span"},{"text":". We wish to bound ","element":"span"},{"style":{"height":16},"width":982.62,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-10.png","element":"img","alt":" Pr(R′ = {0, 0 . . . , 0}) ≤ exp(ε) Pr(R = {0, 0, . . . , 0}) + δ","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":16},"width":1011.13,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-11.png","element":"img","alt":" Pr(R = {0, 0 . . . , 0}) ≤ exp(ε) Pr(R′ = {0, 0, . . . , 0}) + δ","inline":true},{"text":". The latter is trivial since ","element":"span"},{"style":{"height":16},"width":266,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-12.png","element":"img","alt":" exp(ε) Pr(R′ =","inline":true},{"style":{"height":16},"width":551.8,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-13.png","element":"img","alt":"{0, 0, . . . , 0}) + δ = exp(ε) + δ","inline":true},{"text":", which is greater than 1. It remains to satisfy ","element":"span"},{"style":{"height":16},"width":430.6,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/19-14.png","element":"img","alt":" Pr(R′ = {0, 0 . . . , 0}) ≤","inline":true}],[{"id":"id-41","style":{"width":"99%"},"width":1867,"height":805,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-0.png","element":"img"}],[{"text":"where Inequality ","element":"span"},{"href":"#id-41","text":"(7) ","element":"a"},{"text":"is because the worst case happens when ","element":"span"},{"style":{"height":10},"width":32.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-1.png","element":"img","alt":" pt","inline":true,"padRight":true},{"text":"is ","element":"span"},{"style":{"height":10.4},"width":20,"height":26,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-2.png","element":"img","alt":" η","inline":true,"padRight":true},{"text":"below the candidacy threshold ","element":"span"},{"style":{"height":14},"width":101.38,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-3.png","element":"img","alt":" log 2λ","inline":true},{"text":", Equation ","element":"span"},{"href":"#id-41","text":"(8) ","element":"a"},{"text":"applies Lemma ","element":"span"},{"href":"#id-42","text":"2, ","element":"a"},{"text":"and Inequality ","element":"span"},{"href":"#id-41","text":"(9) ","element":"a"},{"text":"follows from the facts that ","element":"span"},{"style":{"height":13.2},"width":115.68,"height":33,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-4.png","element":"img","alt":" αt ≤ λ","inline":true,"padRight":true},{"text":"for all ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t ","element":"span"},{"text":"and that the third term in ","element":"span"},{"href":"#id-41","text":"(8) ","element":"a"},{"text":"is positive. Setting ","element":"span"},{"href":"#id-41","text":"(9) ","element":"a"},{"text":"to be larger than ","element":"span"},{"style":{"height":16},"width":428.43,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-5.png","element":"img","alt":" (1 − δ)/ exp(ε), we have,","inline":true}],[{"id":"id-44","style":{"width":"71%"},"width":1340,"height":111,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-6.png","element":"img"}],[{"text":"Next, we consider all other possible outputs ","element":"span"},{"style":{"fontStyle":"italic"},"text":"r","element":"span"},{"text":". Define the set ","element":"span"},{"style":{"fontStyle":"italic"},"text":"S ","element":"span"},{"text":":= ","element":"span"},{"style":{"fontStyle":"italic"},"text":"{","element":"span"},{"style":{"fontStyle":"italic"},"text":"r ","element":"span"},{"style":{"fontStyle":"italic"},"text":"| ","element":"span"},{"text":"there exists a ","element":"span"},{"style":{"height":16},"width":339.26,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-7.png","element":"img","alt":" t such that rt = 1}.","inline":true,"padRight":true},{"text":"We wish to bound ","element":"span"},{"style":{"height":16},"width":1303.55,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-8.png","element":"img","alt":" Pr(R ∈ S) ≤ exp(ε) Pr(R′ ∈ S) + δ and Pr(R′ ∈ S) ≤ exp(ε) Pr(R ∈ S) + δ","inline":true},{"text":". The latter is trivial since ","element":"span"},{"style":{"height":16},"width":264.08,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-9.png","element":"img","alt":" Pr(R′ ∈ S) = 0","inline":true},{"text":". It remains to bound ","element":"span"},{"style":{"height":16},"width":603.85,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-10.png","element":"img","alt":" Pr(R ∈ S) ≤ δ. For any t, we have","inline":true}],[{"id":"id-43","style":{"width":"79%"},"width":1481,"height":507,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-11.png","element":"img"}],[{"text":"where Inequality ","element":"span"},{"href":"#id-43","text":"(11) ","element":"a"},{"text":"is because the worst case occurs when ","element":"span"},{"href":"#id-43","style":{"height":16.4},"width":502.79,"height":41,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-12.png","element":"img","alt":" log pt = log 2λ, Equality (12)","inline":true,"padRight":true},{"text":"applies Lemma ","element":"span"},{"href":"#id-42","text":"2, ","element":"a"},{"text":"and Inequality ","element":"span"},{"href":"#id-43","text":"(13) ","element":"a"},{"text":"follows from the facts that ","element":"span"},{"style":{"height":13.6},"width":259.55,"height":34,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-13.png","element":"img","alt":" αt ≤ λ for all t","inline":true,"padRight":true},{"text":"and that the second term in ","element":"span"},{"href":"#id-43","text":"(12) ","element":"a"},{"text":"is negative. Setting ","element":"span"},{"href":"#id-43","text":"(13) ","element":"a"},{"text":"to be less than ","element":"span"},{"style":{"height":14.8},"width":191.77,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-14.png","element":"img","alt":" δ, we have,","inline":true}],[{"id":"id-38","style":{"width":"62%"},"width":1173,"height":97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-15.png","element":"img"}],[{"text":"Combining Equations ","element":"span"},{"href":"#id-38","text":"(14) ","element":"a"},{"text":"and ","element":"span"},{"href":"#id-44","text":"(10)","element":"a"},{"text":", we have the condition that ","element":"span"},{"style":{"height":28.8},"width":715.18,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-16.png","element":"img","alt":"23 exp�− ε(A+log 2−η)4ηc �≤ min{δ, 1 − ((1 −","inline":true}],[{"style":{"width":"39%"},"width":735,"height":91,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/20-17.png","element":"img"}],[{"text":"which is how the shift term ","element":"span"},{"style":{"fontStyle":"italic"},"text":"A ","element":"span"},{"text":"is set in ","element":"span"},{"text":"PAPRIKA","element":"span"},{"text":".","element":"span"}],[{"id":"id-45","style":{"width":"1%"},"width":28,"height":28,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-0.png","element":"img"}]]},{"heading":"C Proof of Theorem 5","paragraphs":[[{"style":{"fontWeight":"bold"},"text":"Theorem 5. ","element":"span"},{"style":{"fontStyle":"italic"},"text":"If the null ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"style":{"fontStyle":"italic"},"text":"-values are conditionally super-uniformly distributed, then we have: (a) ","element":"span"},{"style":{"height":28.8},"width":436.76,"height":72,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-1.png","element":"img","alt":" E��j≤t,j∈H0 αjI(pj>2λj)1−2λj","inline":true}],[{"style":{"width":"99%"},"width":1873,"height":216,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-2.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"(d) The condition ","element":"span"},{"style":{"height":16},"width":518.08,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-3.png","element":"img","alt":"�FDPPAPRIKA(t) ≤ α for all t","inline":true,"padRight":true},{"style":{"fontStyle":"italic"},"text":"implies that ","element":"span"},{"style":{"height":16},"width":541.08,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-4.png","element":"img","alt":" FDR(t) ≤ α + δt for all t ∈ N.","inline":true}],[{"style":{"fontStyle":"italic"},"text":"Proof. ","element":"span"},{"text":"For any time ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t > ","element":"span"},{"text":"0","element":"span"},{"text":", before the total number of rejections reaches ","element":"span"},{"style":{"fontStyle":"italic"},"text":"c ","element":"span"},{"text":"we bound the number of false rejections as follows:","element":"span"}],[{"id":"id-46","style":{"width":"80%"},"width":1504,"height":327,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-5.png","element":"img"}],[{"text":"where Inequality ","element":"span"},{"href":"#id-45","text":"(15) ","element":"a"},{"text":"follows from the rejection rule before the total number of rejections reaches ","element":"span"},{"style":{"fontStyle":"italic"},"text":"c","element":"span"},{"text":", and the number of false rejections is always ","element":"span"},{"text":"0 ","element":"span"},{"text":"afterwards. Inequality ","element":"span"},{"href":"#id-46","text":"(16) ","element":"a"},{"text":"follows from the conditional super-uniformity property. We bound each term in ","element":"span"},{"href":"#id-46","text":"(16) ","element":"a"},{"text":"separately. Using the law of iterated expectations by conditioning on ","element":"span"},{"style":{"height":16.44},"width":96.72,"height":41.11,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-6.png","element":"img","alt":"F′t−1","inline":true},{"text":", we can bound the first term of ","element":"span"},{"href":"#id-46","text":"(16) ","element":"a"},{"text":"as follows:","element":"span"}],[{"id":"id-47","style":{"width":"75%"},"width":1417,"height":464,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-7.png","element":"img"}],[{"text":"where Equation ","element":"span"},{"href":"#id-47","text":"(17) ","element":"a"},{"text":"applies the conditional super-uniformity. Since ","element":"span"},{"style":{"height":16},"width":542.18,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-8.png","element":"img","alt":"�FDPPAPRIKA(t) ≤ α, we have,","inline":true}],[{"style":{"width":"39%"},"width":737,"height":144,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-9.png","element":"img"}],[{"text":"Next, we bound the second term in ","element":"span"},{"href":"#id-46","text":"(16) ","element":"a"},{"text":"as follows:","element":"span"}],[{"style":{"width":"56%"},"width":1066,"height":255,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/21-10.png","element":"img"}],[{"text":"Combining this inequality with ","element":"span"},{"href":"#id-47","text":"(17)","element":"a"},{"text":", we bound mFDR as","element":"span"}],[{"style":{"width":"43%"},"width":819,"height":421,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-0.png","element":"img"}],[{"text":"If the null ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values are independent of each other and the non-nullls, and ","element":"span"},{"style":{"height":16},"width":79.45,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-1.png","element":"img","alt":" {αt}","inline":true,"padRight":true},{"text":"is a coordinate-wise non-decreasing function of the vector ","element":"span"},{"style":{"height":14},"width":219.89,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-2.png","element":"img","alt":" R1, . . . , Rt−1","inline":true},{"text":", then we have","element":"span"}],[{"id":"id-48","style":{"width":"76%"},"width":1429,"height":493,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-3.png","element":"img"}],[{"text":"whe","element":"span"},{"href":"#id-48","text":"re I","element":"a"},{"text":"nequality ","element":"span"},{"href":"#id-48","text":"(18) ","element":"a"},{"text":"applies the law of iterated expectations by conditioning on ","element":"span"},{"style":{"height":16.44},"width":96.73,"height":41.11,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-4.png","element":"img","alt":" F′t−1 ","inline":true,"padRight":true},{"text":"and Lemma ","element":"span"},{"href":"#id-25","text":"1. ","element":"a"},{"text":"Inequal-","element":"span"}],[{"text":"ity ","element":"span"},{"href":"#id-48","text":"(19) ","element":"a"},{"text":"follows by a case analysis: if ","element":"span"},{"href":"#id-25","style":{"height":24.78},"width":1248.31,"height":61.95,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-5.png","element":"img","alt":" Zj > Zα−A, then exp(Zα−Zj −A) < 1, and thus min{αj exp(Zα−Zj−A),1}|R(t)|","inline":true,"padRight":true},{"text":"reduces to ","element":"span"},{"style":{"height":21.18},"width":82.78,"height":52.96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-6.png","element":"img","alt":"αj|R(t)|","inline":true},{"text":". On the other hand, if ","element":"span"},{"style":{"height":16.39},"width":225.81,"height":40.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-7.png","element":"img","alt":" Zj ≤ Zα − A","inline":true},{"text":", then ","element":"span"},{"style":{"height":24.78},"width":601.5,"height":61.96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-8.png","element":"img","alt":" min{αj exp(Zα−Zj−A),1}|R(t)| ≤ 1|R(t)| ≤ 1","inline":true},{"text":", allowing us ","element":"span"},{"text":"to upper bound the expectation by the probability of this event.","element":"span"}],[{"id":"id-28","style":{"width":"99%"},"width":1869,"height":934,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-9.png","element":"img"}],[{"id":"id-29","text":"Combining ","element":"span"},{"href":"#id-28","text":"(21) ","element":"a"},{"text":"and ","element":"span"},{"href":"#id-28","text":"(22)","element":"a"},{"text":", we reach the conclusion that FDR","element":"span"},{"style":{"height":18.18},"width":860.42,"height":45.46,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-10.png","element":"img","alt":"(t) ≤ α+min{δ, 1−((1−δ)/ exp(ε))1/k}t ≤ α+δt.","inline":true}],[{"style":{"width":"1%"},"width":28,"height":19,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/22-11.png","element":"img"}]]},{"heading":"D Proof of Lemma 1","paragraphs":[[{"style":{"width":"103%"},"width":1943,"height":244,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-0.png","element":"img"}],[{"style":{"fontStyle":"italic"},"text":"Proof. ","element":"span"},{"text":"The proof is similar to the proof of Lemma 2 in ","element":"span"},{"href":"#id-19","referenceIndex":16,"text":"[RZWJ18] ","element":"a"},{"text":"with the addition of i.i.d. Laplace noise.","element":"span"}],[{"text":"In a high level, we hallucinate a vector of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values that are same as the original vector of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values, except for the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":"-th index. This allows us to apply the conditional uniformity property, since now ","element":"span"},{"style":{"height":10},"width":32.04,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-1.png","element":"img","alt":" pt","inline":true,"padRight":true},{"text":"is independent of the hallucinated rejections. We then connect the original rejections and the hallucinated rejections by the monotonicity of the rejections.","element":"span"}],[{"text":"We perform our analysis using a hallucinated process: let ","element":"span"},{"style":{"height":17.5},"width":61.96,"height":43.75,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-2.png","element":"img","alt":" ˜pt1:k ","inline":true,"padRight":true},{"text":"be a copy of ","element":"span"},{"style":{"height":10},"width":61.96,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-3.png","element":"img","alt":" p1:k","inline":true,"padRight":true},{"text":"that is identical everywhere ","element":"span"},{"text":"except for the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":"-th ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value which is set to be 1. That is,","element":"span"}],[{"style":{"width":"19%"},"width":366,"height":120,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-4.png","element":"img"}],[{"text":"Also let the hallucinated Laplace noises ","element":"span"},{"style":{"height":19.35},"width":69.11,"height":48.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-5.png","element":"img","alt":"˜Zt1:k","inline":true,"padRight":true},{"text":"be an identical copy of ","element":"span"},{"style":{"height":13.19},"width":69.11,"height":32.97,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-6.png","element":"img","alt":" Z1:k","inline":true},{"text":", and let ","element":"span"},{"style":{"height":17.22},"width":48.2,"height":43.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-7.png","element":"img","alt":" ˜Zα","inline":true,"padRight":true},{"text":"be an identical copy ","element":"span"},{"text":"of ","element":"span"},{"style":{"height":13.19},"width":48.21,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-8.png","element":"img","alt":" Zα","inline":true},{"text":". The ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":"-th value of ","element":"span"},{"style":{"height":19.35},"width":69.11,"height":48.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-9.png","element":"img","alt":"˜Zt1:k","inline":true,"padRight":true},{"text":"can be arbitrary since we have ensure the event ","element":"span"},{"style":{"height":16},"width":186.04,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-10.png","element":"img","alt":" {˜pt > 2λt}","inline":true},{"text":", so it will fail to ","element":"span"},{"text":"become a candidate and the values of ","element":"span"},{"style":{"height":17.22},"width":39.2,"height":43.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-11.png","element":"img","alt":"˜Zt","inline":true,"padRight":true},{"text":"will not be relevant. We denote ","element":"span"},{"style":{"height":17.22},"width":70.38,"height":43.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-12.png","element":"img","alt":"˜C1:k","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":17.22},"width":72.16,"height":43.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-13.png","element":"img","alt":"˜R1:k","inline":true,"padRight":true},{"text":"as the candidates and rejections made using ","element":"span"},{"style":{"height":19.34},"width":323.36,"height":48.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-14.png","element":"img","alt":" ˜pt1:k, ˜Zt1:k, and ˜Zα.","inline":true}],[{"style":{"width":"96%"},"width":1811,"height":27,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-15.png","element":"img"}],[{"text":"because ","element":"span"},{"style":{"height":14},"width":111.33,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-16.png","element":"img","alt":" ˜pt = 1","inline":true},{"text":", so both will fail to become candidates, and hence we have ","element":"span"},{"style":{"height":17.22},"width":204.2,"height":43.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-17.png","element":"img","alt":"˜R1:k = R1:k","inline":true,"padRight":true},{"text":"and the following equation holds:","element":"span"}],[{"style":{"width":"34%"},"width":647,"height":94,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-18.png","element":"img"}],[{"text":"We note that when ","element":"span"},{"style":{"height":14},"width":152.62,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-19.png","element":"img","alt":" pt ≤ 2λt","inline":true},{"text":", the above equation still holds since both sides will be zero. Since ","element":"span"},{"style":{"height":19.35},"width":72.17,"height":48.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-20.png","element":"img","alt":"˜Rt1:k","inline":true,"padRight":true},{"text":"is ","element":"span"},{"text":"independent of ","element":"span"},{"style":{"height":14.4},"width":195.94,"height":36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-21.png","element":"img","alt":" pt, we have","inline":true}],[{"id":"id-49","style":{"width":"76%"},"width":1438,"height":328,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-22.png","element":"img"}],[{"text":"where Inequality ","element":"span"},{"href":"#id-49","text":"(23) ","element":"a"},{"text":"is obtained by taking the expectation only with respect to ","element":"span"},{"style":{"height":10},"width":32.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-23.png","element":"img","alt":" pt","inline":true,"padRight":true},{"text":"by invoking the conditional super-uniformity property and independence of ","element":"span"},{"style":{"height":10},"width":32.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-24.png","element":"img","alt":" pt","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":18.83},"width":129.54,"height":47.07,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-25.png","element":"img","alt":" h( ˜R1:k)","inline":true},{"text":", and Inequality ","element":"span"},{"href":"#id-49","text":"(24) ","element":"a"},{"text":"follows from the facts that ","element":"span"},{"style":{"height":17.23},"width":283.78,"height":43.08,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-26.png","element":"img","alt":" Ri ≥ ˜Ri for all i","inline":true,"padRight":true},{"text":"and that the function ","element":"span"},{"style":{"fontStyle":"italic"},"text":"h ","element":"span"},{"text":"is non-decreasing.","element":"span"}],[{"text":"For the second inequality in the lemma statement, we hallucinate a vector of ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-values ","element":"span"},{"style":{"height":17.5},"width":61.96,"height":43.75,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-27.png","element":"img","alt":" ¯pt1:k","inline":true,"padRight":true},{"text":"that equals ","element":"span"},{"style":{"height":10},"width":61.95,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-28.png","element":"img","alt":"p1:k","inline":true,"padRight":true},{"text":"everywhere except for the ","element":"span"},{"style":{"fontStyle":"italic"},"text":"t","element":"span"},{"text":"-th ","element":"span"},{"style":{"fontStyle":"italic"},"text":"p","element":"span"},{"text":"-value which is set to be 0. That is,","element":"span"}],[{"style":{"width":"19%"},"width":366,"height":121,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-29.png","element":"img"}],[{"text":"Also let the hallucinated Laplace noises ","element":"span"},{"style":{"height":18.15},"width":69.11,"height":45.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-30.png","element":"img","alt":"¯Zt1:k ","inline":true,"padRight":true},{"text":"be an identical copy of ","element":"span"},{"style":{"height":16.83},"width":278.16,"height":42.08,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-31.png","element":"img","alt":" Z1:k, and let ¯Zα","inline":true,"padRight":true},{"text":"be an identical copy of ","element":"span"},{"style":{"height":13.19},"width":48.2,"height":32.98,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-32.png","element":"img","alt":"Zα","inline":true},{"text":". We denote ","element":"span"},{"style":{"height":16.02},"width":70.39,"height":40.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-33.png","element":"img","alt":"¯C1:k","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":16.02},"width":72.16,"height":40.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-34.png","element":"img","alt":"¯R1:k","inline":true,"padRight":true},{"text":"as the candidates and rejections made using ","element":"span"},{"style":{"height":17.5},"width":61.96,"height":43.75,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-35.png","element":"img","alt":" ¯pt1:k","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":18.14},"width":69.11,"height":45.36,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-36.png","element":"img","alt":" ¯Zt1:k","inline":true},{"text":". By construction, ","element":"span"},{"text":"we have ","element":"span"},{"style":{"height":16.02},"width":138.34,"height":40.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-37.png","element":"img","alt":"¯Ri = Ri","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":16.02},"width":134.79,"height":40.05,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-38.png","element":"img","alt":"¯Ci = Ci","inline":true,"padRight":true},{"text":"for all ","element":"span"},{"style":{"fontStyle":"italic"},"text":"i < t","element":"span"},{"text":". On the event that ","element":"span"},{"style":{"height":16},"width":550.92,"height":40,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-39.png","element":"img","alt":" {log pt + Zt ≤ log αt + Zα − A}","inline":true},{"text":", since ","element":"span"},{"style":{"height":14},"width":107.68,"height":35,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/23-40.png","element":"img","alt":" ¯pt = 0","inline":true,"padRight":true},{"text":"and we inject the same Laplace noise, we have ","element":"span"},{"style":{"height":16.02},"width":218.26,"height":40.06,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-0.png","element":"img","alt":"¯Rt = Rt = 1","inline":true,"padRight":true},{"text":"and ","element":"span"},{"style":{"height":16.02},"width":214.71,"height":40.06,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-1.png","element":"img","alt":"¯Ct = Ct = 1","inline":true},{"text":", and hence also ","element":"span"},{"style":{"height":16.02},"width":201.77,"height":40.06,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-2.png","element":"img","alt":"¯R1:k = R1:k","inline":true},{"text":". Then the following equation holds:","element":"span"}],[{"style":{"width":"64%"},"width":1200,"height":96,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-3.png","element":"img"}],[{"text":"We note that when ","element":"span"},{"style":{"height":14.8},"width":509.03,"height":37,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-4.png","element":"img","alt":" log pt + Zt > log αt + Zα − A","inline":true},{"text":", the above equation still holds since both sides will be zero. Since ","element":"span"},{"style":{"height":16.83},"width":279.31,"height":42.08,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-5.png","element":"img","alt":"¯R1:k and Zt, Zα","inline":true,"padRight":true},{"text":"are independent of ","element":"span"},{"style":{"height":10},"width":32.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-6.png","element":"img","alt":" pt","inline":true},{"text":", we can take conditional expectations to obtain","element":"span"}],[{"id":"id-50","style":{"width":"91%"},"width":1715,"height":320,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-7.png","element":"img"}],[{"text":"where Inequality ","element":"span"},{"href":"#id-50","text":"(25) ","element":"a"},{"text":"follows by taking expectation only with respect to ","element":"span"},{"style":{"height":10},"width":32.05,"height":25,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-8.png","element":"img","alt":" pt","inline":true,"padRight":true},{"text":"by invoking the conditional uniformity property and the fact that the support of p-values is ","element":"span"},{"text":"[0","element":"span"},{"style":{"fontStyle":"italic"},"text":", ","element":"span"},{"text":"1]","element":"span"},{"text":", and Inequality ","element":"span"},{"href":"#id-50","text":"(26) ","element":"a"},{"text":"follows from the facts that ","element":"span"},{"style":{"height":17.63},"width":705.26,"height":44.08,"src":"https://cdn.bytez.com/mobilePapers/v2/arxiv/2002.12321/images/24-9.png","element":"img","alt":" h(R1:k) ≤ h( ¯R1:k) since Ri ≤ ¯Ri for all i","inline":true,"padRight":true},{"text":"and that the function ","element":"span"},{"style":{"fontStyle":"italic"},"text":"h ","element":"span"},{"text":"is non-decreasing.","element":"span"}]]}],"_version":"3.3.2"},"paperNode":"$24:props:children:props:children:0:props:product"}]]