Closure Properties for Private Classification and Online Prediction

2020·arXiv

Abstract

Let H be a class of boolean functions and consider a composed class that is derived from H using some arbitrary aggregation rule (for example, may be the class of all 3-wise majority-votes of functions in H). We upper bound the Littlestone dimension of in terms of that of H. As a corollary, we derive closure properties for online learning and private PAC learning.

The derived bounds on the Littlestone dimension exhibit an undesirable exponential dependence. For private learning, we prove close to optimal bounds that circumvents this suboptimal dependency. The improved bounds on the sample complexity of private learning are derived algorithmically via transforming a private learner for the original class H to a private learner for the composed class . Using the same ideas we show that any (proper or improper) private algorithm that learns a class of functions H in the realizable case (i.e., when the examples are labeled by some function in the class) can be transformed to a private algorithm that learns the class H in the agnostic case.

1 Introduction

We study closure properties for learnability of binary-labeled hypothesis classes in two related settings: online learning and differentially private PAC learning.

Closure Properties for Online Learning. Let H be a class of experts that can be online learned with vanishing regret. That is, there exists an algorithm A such that given any sequence of T prediction tasks, the number of false predictions made by A is larger by at most R(T) = o(T) than the number of false predictions made by the best expert in H.

Consider a scenario where the sequence of tasks is such that every single expert in H predicts poorly on it, however there is a small unknown set of experts h1, . . . , hk ∈ H that can predict well by collaborating. More formally, there is an aggregation rule G : {0, 1}k → {0, 1} such that the combined expert G(h1, . . . , hk) exhibits accurate predictions on a significant majority of the tasks. For example, a possible aggregation rule G could be the majority-vote of the k experts. Since we assume that the identities of the k experts are not known, it is natural to consider the class H′ = {G(h1, . . . , hk) : hi ∈ H}, which consists of all possible G-aggregations of k experts from H. We study the following question:

Question 1.1. Can the optimal regret with respect to be bounded in terms of that of H?

The Littlestone dimension is a combinatorial parameter that determines online learnability [Littlestone, 1987, Ben-David et al., 2009]. In particular, H is online learnable if and only if it has a finite Littlestone dimension d < ∞ , and the best possible regret R(T) for online learning H satisfies

Furthermore, if it is known that if one of the experts never errs (a.k.a the realizable setting), then the optimal regret is exactly d.1 (The regret is called mistake-bound in this context.)

Thus, the above question boils down to asking whether the Littlestone dimension of is bounded by a function of the Littlestone dimension of H. One of the two main results in this work provides an affirmative answer to this question (Theorem 2.1).

We next discuss a variant of this question in the setting of Differentially Private (DP) learning. The two settings of online and DP-learning are intimately related (see, e.g., Bun et al. [2020], Abernethy et al. [2017], Joseph et al. [2019], Gonen et al. [2019]). In particular, both online learning and DP-learning are characterized by the finiteness of the Littlestone dimension [Littlestone, 1987, Ben-David et al., 2009, Bun et al., 2015, Alon et al., 2019, Bun et al., 2020].

Closure Properties for Differentially Private Learning. Imagine the following medical scenario: consider a family H of viruses for which there is an algorithm A that can learn to diagnose any specific virus h ∈ H given enough labeled medical data. Further assume that A has the desired property of being differentially private learning algorithm as defined by [Kasiviswanathan et al., 2011]; that is, it is a PAC learning algorithm in which the privacy of every patient whose data is used during training is guarded in the formal sense of differential privacy [Dwork et al., 2006b].

Assume that an outbreak of a deadly disease has occurred in several locations all over the world and that it is known that is caused by some relatively small, yet unknown group of viruses from H. That is, our prior information is that there are unknown viruses h1, . . . , hk ∈ H for a relatively small k such that h′ = G(h1, . . . , hk) for some rule G. For example, G could be the OR function in which case h′ occurs if and only if the patient is infected with at least one of the viruses h1, . . . , hk.

It would be highly beneficial if one could use the algorithm A to diagnose in an automated fashion. Moreover, doing it in a private manner could encourage health institutions in the different locations to contribute their patients’ data. This inspires the following question:

Question 1.2. Can one use the algorithm A to privately learn to diagnose ? How does the sample complexity of this learning task scale as a function of G?

Differential Privacy, Online Learning, and the Littlestone Dimension. Question 1.2 and Question 1.1 are equivalent in the sense that both online learning and DP-learning are characterized by the finiteness of the Littlestone dimension [Littlestone, 1987, Ben-David et al., 2009, Bun et al., 2015, Alon et al., 2019, Bun et al., 2020].

Note however that unlike the bounds relating the Littlestone dimension to online learning, which are tight up to logarithmic factors (see (1)), the bounds relating the Littlestone dimension and DP-learning are very far from each other; specifically, if d denotes the Littlestone dimension of H then the lower bound on the sample complexity of privately learning H scales with log∗ d [Bun et al., 2015, Alon et al., 2019], while the best known2 upper bound scales with exp(d) [Bun et al., 2020].

Thus, while our solution to Question 1.1 yields an affirmative answer to Question 1.2, the implied quantitative bounds are far from being realistically satisfying. Specifically, every finite H is learnable with privacy using O(log |H|) samples [Kasiviswanathan et al., 2011], and so if H is finite and not too large, the bounds implied by the Littlestone dimension are not meaningful. We therefore focus on deriving effective bounds for private learning, which is the content of Theorem 2.3 (see Theorem 7.1 for a precise statement).

Littlestone Classes. It is natural to ask which natural hypothesis classes have bounded Littlestone dimension. First, it holds that Ldim(H) ≤ log|H| for every H , so for finite classes the Littlestone dimension scales rather gracefully with their size.

There are also natural infinite Littlestone classes: for example, let the domain X = Fn be an n- dimensional vector space over some field F and let H ⊆ {0, 1}X consist of all affine subspaces of V of dimension ≤ d . It can be shown here that Ldim(H) = d. (For example, the class of all lines in R100 has Littlestone dimension 1.) A bit more generally, any class of hypotheses that can be described by polynomial equalities of a bounded degree has bounded Littlestone dimension. (Observe that if one replaces “equalities” with “inequalities” then the Littlestone dimension may become unbounded, however the VC dimension remains bounded (e.g. Halfspaces).) We note in passing that this can be further generalized to classes that are definable in stable theories, which is a deep and well-explored notion in model theory. We refer the reader to Chase and Freitag [2019], Section 5.1 for such examples.

Organization. Formal statement of our main results and description of our techniques appears in Section 2, specifically, a short overview of the proofs is given in Section 2.1. Definitions and background results are provided in Section 3. The complete proofs appear in the rest of the paper. Closure properties for Littlestone classes is proved in Section 4. The effective bounds for private learning are given in Section 5 and Sections 6 and 7. We note that each of these parts can be read independently of the other.

2 Main Results and Techniques

Let G : {0, 1}k → {0, 1} be a boolean function and let H1, . . . , Hk ⊆ {0, 1}X be hypothesis classes. Denote by G(H1, . . . , Hk) the following class G(H1, . . . , Hk) = {G(h1, . . . , hk) : hi ∈ Hi}. For example, if G(x1, x2) = x1 ∧ x2 then G(H1, H2) = H1 ∧ H2 = {h1 ∧ h2 : hi ∈ Hi} is the class of all pairwise intersections/conjunctions of a function from and a function from H2.

Theorem 2.1 (A Closure Theorem for the Littlestone Dimension). Let G : {0, 1}k → {0, 1} be a boolean function, let H1, . . . , Hk ⊆ {0, 1}X be classes, and let d ∈ N such that Ldim(Hi) ≤ d for every i ≤ k.

where conceals polynomial factors in log k and log d.

In particular, if Ldim(Hi) < ∞ for all i ≤ d then Ldim(G(H1, . . . , Hk)) < ∞ . Consequently, if each of the ’s is online learnable then is online learnable. We comment that if the aggregating function G is simple then one can obtain better bounds. For example, if G is a majority-vote, a k-wise OR, or a k-wise AND function then a bound of ˜O(k2 · d) holds. (See Section 4.2.2.)

Another combinatorial parameter which arises in the relationship between online and DP learning is the threshold dimension: a sequence x1, . . . , xk ∈ X is threshold-shattered by H if there are h1, . . . , hk ∈ H such that hi(xj) = 1 if and only if i ≤ j for all i, j ≤ k. The threshold dimension, T(H) is the maximum size of a sequence that is threshold-shattered by H. The threshold dimension plays a key role in showing that DP learnable classes have a finite Littlestone dimension [Alon et al., 2019]. A classical theorem by Shelah [1978] in model theory shows that the Littlestone and the threshold dimensions are exponentially related.3 In particular Ldim(H) < ∞ if and only if T(H) < ∞ . (See Theorem 3.2 in the preliminaries section.) We prove the following closure theorem in terms of the threshold dimension.

Theorem 2.2 (A Closure Theorem for the Threshold Dimension). Let G : {0, 1}k → {0, 1} be a boolean function, let H1, . . . , Hk ⊆ {0, 1}X be classes, and let t ∈ N such that T(Hi) < t for every i ≤ k. Then,

Moreover, an exponential dependence in t is necessary: for every t ≥ 6 there exists a class H such that

Note that the bounds in Theorem 2.1 and Theorem 2.2 escalate rapidly with k (the arity of G) and with t. It will be interesting to determine tight bounds.

By Alon et al. [2019], Bun et al. [2020], Theorem 2.1 also implies closure properties for DP-learnable classes. However, the quantitative bounds are even worse: not only do the bounds on the Littlestone dimension of G(H1, . . . , Hk) escalate rapidly with d and k, also the quantitative relationship between the Littlestone dimension and DP-learning sample complexity is very loose, and the best bounds exhibit a tower-like gap between the upper and lower bounds. For example, if the class of functions H is finite and its Littlestone dimension is ω(log log |H|) , then the bound of Theorem 2.1 is most likely to be much worse than the generic application of the exponential mechanism, whose sample complexity is the logarithm of the size of the class. We therefore explore the closure properties of differentially-private learning algorithms directly and derive the following bound.

Theorem 2.3 (A Closure Theorem for Private Learning (informal)). Let G : {0, 1}k → {0, 1} be a boolean function. Let H1, . . . , Hk ⊆ {0, 1}X be classes that are (ε, δ) -differentially private and (α, β)- accurate learnable with sample complexity respectively. Then, G(H1, . . . , Hk) is (ε, δ) -private and -accurate learnable with sample complexity

The exact quantitative satement of the results appears in Theorem 7.1. We remark that closure properties for pure differentially-private learning algorithms (i.e., when δ = 0 ) are implied by the characterization of [Beimel et al., 2019]. Similarly, closure properties for non-private PAC learning are implied by the characterization of their sample complexity in terms of the VC dimension and by the Sauer-Shelah-Perles Lemma [Sauer, 1972]. However, since there is no tight characterization of the sample complexity of approximate differentially-private learning algorithms (i.e., when δ > 0 ), we prove Theorem 2.3 algorithmically by constructing a (non-efficient) learning algorithm for G(H1, . . . , Hk) from private learning algorithms for H1, . . . , Hk.

Beimel et al. [2015] proved that any proper private learning algorithm in the realizable case4 can be transformed into an agnostic5 private learning algorithm, with only a mild increase in the sample complexity. We show that the same result holds even for improper private learning (i.e., when the private learning algorithm can return an arbitrary hypothesis).

Theorem 2.4 (Private Learning Implies Agnostic Private Learning). For every 0 < α, β, δ < 1, every m ∈ N , and every concept class H, if there exists a (1, δ) -differentially private (α, β) -accurate PAC learner for the hypothesis class H with sample complexity m, then there exists an (O(1), O(δ)) -differentially private (O(α), O(β + δn))-accurate agnostic learner for H with sample complexity

Furthermore, if the original learner is proper, then the agnostic learner is proper.

We obtain this result by showing that a variant of the transformation of [Beimel et al., 2015] also works for the improper case; we do not know if the original transformation of [Beimel et al., 2015] also works for the improper case. Our analysis of the transformation for the improper case is more involved than the analysis for the proper case.

2.1 Technical Overview

2.1.1 Closure for Littlestone Dimension

Our proof of Theorem 2.1 exploits tools from online learning. It may be instructive to compare Theorem 2.1 with an analogous result for VC classes: a classical result by Dudley [1978] upper bounds the VC dimension of G(H1, . . . , Hk) by ˜O(d1 + · · · + dk), where di is the VC dimension of . The argument uses the Sauer-Shelah-Perles Lemma [Sauer, 1972] to bound the growth-rate (a.k.a. shatter function) of some nd1+···+dk : indeed, if we let n = VC(G(H1, . . . , Hk)), then by the definition of the shatter function, 2n ≤ nd1+···+dk , which implies that n = ˜O(d1 + · · · + dk) as stated. It is worth noting that a notion of growth-rate as well as a corresponding variant of the Sauer-Shelah-Perles Lemma also exist for Littlestone classes [Bhaskar, 2017, Chase and Freitag, 2018]. However we are not aware of a way of using it to prove Theorem 2.1.

We take a different approach. We first focus on the case where G is a majority-vote. That is, the class consists of all k-wise majority-votes of experts hi ∈ Hi . We bound the Littlestone dimension of H by exhibiting an online learning algorithm A that learns H in the mistake-bound model with at most ˜O(k2 · d) mistakes. The derivation of A exploits fundamental tools from online learning such as the Weighted Majority Algorithm by Littlestone and Warmuth [1989] and Online Boosting [Chen et al., 2012, Beygelzimer et al., 2015, Brukhim et al., 2020].

Then, the bound for a general G : {0, 1}k → {0, 1} is obtained by expressing G as a formula which only uses majority-votes and negations gates. The exponential dependence in k in the final bound is a consequence of the formula-size which can be exponential in k. We do not know whether this exponential dependence is necessary.

2.1.2 Closure for Threshold Dimension

Our proof of Theorem 2.2 is combinatorial. First, note that an inferior bound follows from Theorem 2.1, using the fact that the Littlestone and threshold dimensions are exponentially related (see Theorem 3.2). However this approach yields a super-exponential bound on T(G(H1, . . . , Hk)).

The bound in Theorem 2.2 follows by arguing contra-positively that if T(G(H1, . . . , Hk)) is large then T(Hi) is also “largish” for some i ≤ k . Specifically, if T(G(H1, . . . , Hk)) ≥ exp(t exp(k)) then T(Hi) ≥ t for some i ≤ k . This is shown using a Ramsey argument that asserts that any large enough sequence x1, . . . , xn that is threshold-shattered by G(H1 . . . Hk) must contain a relatively large subsequence that is threshold-shattered by one of the ’s. Quantitatively, if n ≥ exp(t exp(k)) then there must be a subsequence xj1, . . . , xjt that is threshold-shattered by one of the Hi’s.

This upper bounds T(G(H1, . . . , Hk)) by some exp(t exp(k)), where t = maxi T(Hi) . It is worth noting that, in contrast with Theorem 2.1, an exponential dependence here is inevitable: we prove in Theorem 2.2 that for any t there exists a class H with T(H) ≤ t such that T({h1 ∨ h2 : h1, h2 ∈ H}) ≥ exp(t). This lower bound is achieved by a randomized construction.

2.1.3 Private learning Implies Agnostic Private Learning

We start by describing the transformation of [Beimel et al., 2015] from a proper private learning algorithm of a class H to an agnostic proper private learning algorithm for H. Assume that there is a private learning algorithm A for H with sample complexity m. The transformation takes a sample S of size O(m) and constructs all possible behaviors H of functions in H on the points of the sample (ignoring the labels). By the Sauer-Shelah-Perles Lemma, the number of such behaviors is at most � e|S|VC(H)�VC(H) . Then, it finds using the exponential mechanism a behavior h′ ∈ H that minimizes the empirical error on the sample. (The exponential mechanism is guaranteed to identify a behavior with small empirical error because the number of possible behaviors is relatively small.) Finally, the transformation relabeles the sample S using h′ and applies A on the relabeled sample. If A is a proper learning algorithm then, by standard VC arguments, the resulting algorithm is an agnostic algorithm for H. The privacy guarantees of the resulting algorithm are more delicate, and it is only O(1)-differentially private, even if A is ε -differentially private for a small (The difficulty in the privacy analysis is the set of behaviors H is data-dependent. Therefore, the privacy guarantees of the resulting algorithms are not directly implied by those of the exponential mechanism, which assume that the set of possible outcomes is fixed and data-independent.)

When A is improper, we cannot use VC arguments to argue that the resulting algorithm is an agnostic learner. We rather use the generalization properties of differential privacy (proved in [Dwork et al., 2015, Bassily et al., 2016, Rogers et al., 2016, Feldman and Steinke, 2017, Nissim and Stemmer, 2017, Jung et al., 2020]): if a differentially private algorithm has a small empirical error on a sample chosen i.i.d. from some distribution, then it also has a small generalization error on the underlying distribution (even if the labeling hypothesis is chosen after seeing the sample). There are technical issues in applying these results in our case that require some modifications in the transformation.

2.1.4 Closure for Differentially Private Learning

We prove Theorem 2.3 by constructing a private algorithm AClosureLearn for the class G(H1, . . . , Hk) using private learning algorithms for the classes . Algorithm uses the relabeling procedure (the one that we use to transform a private PAC learner into a private agnostic learner) in a new setting.

The input to AClosureLearn is a sample labeled by some function in G(H1, . . . , Hk) . The algorithm finds hypotheses in steps, where in the i’th step, the algorithm finds a hypothesis hi such that h1, . . . , hi have a completion ci+1, . . . , ck to a hypothesis G(h1, . . . , hi, ci+1, . . . , ck) with small error (assuming that h1, . . . , hi−1 have a good completion).

Each step of AClosureLearn is similar to the algorithm for agnostic learning described above. That is, in the i’th step, AClosureLearn first relabels the input sample S using some h ∈ Hi in a way that guarantees completion to a hypothesis with small empirical error. The relabeling h is chosen using the exponential mechanism with an appropriate score function. The relabeled sample is then fed to the private algorithm for the class to produce a hypothesis and then the algorithm proceeds to the next step i + 1. As in the algorithm for agnostic learning, the proof that the hypothesis G(h1, . . . , hk) returned by the algorithm is easier when the private algorithms for are proper and it is more involved if they are improper.

3 Preliminaries

This section is organized as follows: Section 3.1 contains basic definitions and tools related to the Littlestone dimension and Section 3.2 contains basic definitions and tools related to private learning.

3.1 Preliminaries on the Littlestone Dimension

The Littlestone dimension is a combinatorial parameter that characterizes regret bounds in online learning [Littlestone, 1987, Ben-David et al., 2009]. The definition of this parameter uses the notion of mistake-trees: these are binary decision trees whose internal nodes are labeled by elements of X. Any root-to-leaf path in a mistake tree can be described as a sequence of examples (x1, y1), . . . , (xd, yd), where xi is the label of the i’th internal node in the path, and yi = if the (i+1) ’th node in the path is the right child of the i’th node, and otherwise yi = 0 . We say that a tree T is shattered by H if for any root-to-leaf path (x1, y1), . . . , (xd, yd) in T there is h ∈ H such that h(xi) = yi, for all i ≤ d . The Littlestone dimension of H, denoted by Ldim(H), is the depth of the largest complete tree that is shattered by H.

Definition 3.1 (Subtree). Let T be labeled binary tree. We will use the following notion of a subtree T ′ of depth h of T by induction on h:

1. Any leaf of T is a subtree of height 0.

2. For h ≥ 1 a subtree of height h is obtained from an internal vertex of T together with a subtree of height h − 1 of the tree rooted at its left child and a subtree of height h − 1 of the tree rooted at its right child.

Note that if T is a labeled tree and it is shattered by the class H, then any subtree T ′ of it with the same labeling of its internal vertices is shattered by the class H.

Threshold Dimension. A classical theorem of Shelah in model-theory connects bounds on 2-rank (Littlestone dimension) to the concept of thresholds: let H ⊆ {0, 1}X be a hypothesis class. We say that a sequence x1, . . . , xk ∈ X is threshold-shattered by H if there are h1, . . . , hk ∈ H such that hi(xj) = 1 if and only if i ≤ j for all i, j ≤ k . Define the threshold dimension, T(H), as the maximum size of a sequence that is threshold-shattered by H.

Theorem 3.2 (Littlestone Dimension versus Threshold Dimension [Shelah, 1978, Hodges, 1997]). Let H be a hypothesis class, then:

3.2 Preliminaries on Private Learning

Differential Privacy. Consider a database where each record contains information of an individual. An algorithm is said to preserve differential privacy if a change of a single record of the database (i.e., information of an individual) does not significantly change the output distribution of the algorithm. Intuitively, this means that the information inferred about an individual from the output of a differentially-private algorithm is similar to the information that would be inferred had the individual’s record been arbitrarily modified or removed. Formally:

Definition 3.3 (Differential privacy [Dwork et al., 2006b,a]). A randomized algorithm A is (ε, δ) -differentially private if for all neighboring databases S1, S2 ∈ Xm (i.e., databases differing in one entry), and for all sets F of outputs,

where the probability is taken over the random coins of A. When δ = 0 we omit it and say that A preserves pure -differential privacy. When δ > 0 , we use the term approximate differential privacy , in which case is typically a negligible function of the database size m.

PAC Learning. We next define the probably approximately correct (PAC) model of Valiant [1984]. A hypothesis c : X → {0, 1} is a predicate that labels examples taken from the domain X by either 0 or 1. We sometime refer to a hypothesis as a concept. A hypothesis class H over X is a set of hypotheses (predicates) mapping X to {0, 1}. A learning algorithm is given examples sampled according to an unknown probability distribution P over X, and labeled according to an unknown target concept c ∈ H . The learning algorithm is successful when it outputs a hypothesis h that approximates the target concept over samples from P. More formally:

Definition 3.4. The generalization error of a hypothesis h : X → {0, 1} with respect to a concept c and a distribution P over X is defined as errorP(c, h) = Prx∼P[h(x) ̸= c(x)]. If errorP(c, h) ≤ α we say that h is α-good for c and P.

Definition 3.5 (PAC Learning [Valiant, 1984]). An algorithm A is an (α, β) -accurate PAC learner for a hypothesis class H over X if for all concepts c ∈ H , all distributions P on X, given an input of m samples S = (z1, . . . , zm), where zi = (xi, c(xi)) and each xi is drawn i.i.d. from P, algorithm A outputs a hypothesis h satisfying

where the probability is taken over the random choice of the examples in S according to P and the random coins of the learner A. If the output hypothesis h always satisfies h ∈ H then A is called a proper PAC learner; otherwise, it is called an improper PAC learner.

Definition 3.6. For an unlabeled sample S = (xi)mi=1, the empirical error of two concepts c, h is errorS(c, h) =

m|{i : c(xi) ̸= h(xi)}|. For a labeled sample S = (xi, yi)mi=1, the empirical error of h is errorS(h) =

m|{i : h(xi) ̸= yi}|.

The previous definition of PAC learning captures the realizable case, that is, the examples are drawn from some distribution and labeled according to some concept c ∈ H . We next define agnostic learning, i.e., where there is a distribution over labeled examples and the goal is to find a hypothesis whose error is close to the error of the best hypothesis in H with respect to the distribution. Formally, for a distribution on X × {0, 1} and a function f : X → {0, 1} we define errorµ(f) = Pr(x,a)∼µ[f(x) ̸= a].

Definition 3.7 (Agnostic PAC Learning). Algorithm A is an (α, β)-accurate agnostic PAC learner for a hypothesis class H with sample complexity m if for all distributions µ on X × {0, 1} , given an input of m labeled samples S = (z1, . . . , zm) , where each labeled example zi = (xi, ai) is drawn i.i.d. from algorithm A outputs a hypothesis h ∈ H satisfying

where the probability is taken over the random choice of the examples in S according to and the random coins of the learner A. If the output hypothesis h always satisfies h ∈ H then A is called a proper agnostic PAC learner; otherwise, it is called an improper agnostic PAC learner.

The following bound is due to [Vapnik and Chervonenkis, 1971, Blumer et al., 1989].

Theorem 3.8 (VC-Dimension Generalization Bound). Let H and P be a concept class and a distribution over a domain X. Let α, β > 0, and

Suppose that we draw an unlabeled sample S = (xi)mi=1, where xi are drawn i.i.d. from P. Then,

The next theorem, due to [Vapnik and Chervonenkis, 1971, Anthony and Bartlett, 2009, Anthony and Shawe-Taylor, 1993], handles (in particular) the agnostic case.

Theorem 3.9 (VC-Dimension Agnostic Generalization Bound). There exists a constant such that for every domain X, every concept class H over the domain X, and every distribution over the domain For a sample S = (xi, yi)mi=1 where

and {(xi, yi)} are drawn i.i.d. from , it holds that

Notice that in Theorem 3.9 the sample complexity is proportional to 1α2 , as opposed to in Theorem 3.8.

Private Learning. Consider an algorithm A in the probably approximately correct (PAC) model of Valiant [1984]. We say that A is a private learner if it also satisfies differential privacy w.r.t. its training data.

Definition 3.10 (Private PAC Learning [Kasiviswanathan et al., 2011]). Let A be an algorithm that gets an input S = (z1, . . . , zm) , where each is a labeled example. Algorithm A is an (ε, δ) -differentially private (α, β) -accurate PAC learner with sample complexity m for a class H over X if

Note that the utility requirement in the above definition is an average-case requirement, as the learner is only required to do well on typical samples. In contrast, the privacy requirement is a worst-case requirement that must hold for every pair of neighboring databases (no matter how they were generated).

The following definition and lemma are taken from Bun et al. [2015].

Definition 3.11 (Empirical Learner). Algorithm A is an (α, β) -accurate empirical learner for a class H over X with sample complexity m if for every c ∈ H and for every sample S of size m that is labeled by c, the algorithm A outputs a hypothesis h ∈ H satisfying

Lemma 3.12 (Bun et al. [2015]). Suppose A is an (ε, δ) -differentially private (α, β) -accurate PAC learner for a concept class H with sample complexity m. Let A′ be an algorithm, whose input sample S contains 9m randomly labeled examples. Further assume that samples with repetitions m labeled examples from S and returns the output of A on these examples. Then, A′ is an (ε, δ) -differentially private (α, β)-accurate empirical learner for H with sample complexity 9m. Clearly, if A is proper, then so is A′.

The Exponential Mechanism. We next describe the exponential mechanism of McSherry and Talwar [2007]. Let X be a domain and H a set of solutions. Given a score function q : X∗ × H → N, and a database S ∈ X∗ , the goal is to chooses a solution h ∈ H approximately minimizing q(S, h). The mechanism chooses a solution probabilistically, where the probability mass that is assigned to each solution h decreases exponentially with its score q(S, h):

Kasiviswanathan et al. [2011] showed that the exponential mechanism can be used as a generic private learner – when used with the score function q(S, h) = |{i : h(xi) ̸= yi}| = m · errorS(h) , the probability that the exponential mechanism outputs a hypothesis h such that errorS(h) > minf∈H{errorS(f)} + ∆ is at most |H| · exp(−ε∆m/2) . This results in a generic private proper-learner for every finite concept class H, with sample complexity Oα,β,ε(log |H|).

Generalization Properties of Differentially Private Algorithms. In this paper we use the fact that differential privacy implies generalization [Dwork et al., 2015, Bassily et al., 2016, Rogers et al., 2016, Feldman and Steinke, 2017, Nissim and Stemmer, 2017, Jung et al., 2020]: differentially private learning algorithms satisfy that their empirical loss is typically close to their population loss. We use the following variant of this result, which is a multiplicative version that applies also to the case that ε > 1 (as needed in this paper).

Theorem 3.14 (DP Generalization – Multiplicative version [Dwork et al., 2015, Bassily et al., 2016, Feld- man and Steinke, 2017, Nissim and Stemmer, 2017]). Let A be an (ε, δ) -differentially private algorithm that operates on a database of S ∈ Xn and outputs a predicate test : X → {0, 1}. Let P be a distribution over X and S be a database containing n i.i.d. elements from P. Then,

4 Closure of Littlestone Classes

In this section we study closure properties for Littlestone classes. We begin in Section 4.1 with a rather simple (and tight) analysis of the behavior of the Littlestone and Threshold dimension under unions. Then, in Section 4.2 we prove our main results in this part (Theorems 2.1 and 2.2) which bound the variability of the Littlestone and Thresholds dimension under arbitrary compositions.

4.1 Closure Under Unions

We begin with two basic bounds on the variability of the Littlestone/Threshold dimension under union. Note that here H1 ∪ H2 denotes the usual union: H1 ∪ H2 = {h : h ∈ H1 or h ∈ H2} . These bounds are useful as they allows us to reduce a bound on the dimension of G(H1, H2) for arbitrary H1, H2 to the case where H1 = H2 (because G(H1, H2) ⊆ G(H, H) for H = H1 ∪ H2).

Observation 4.1. [Threshold Dimension Under Union] Let H1, H2 ⊆ {0, 1}X be hypothesis classes with T(Hi) = ti. Then,

Moreover, this bound is tight: for every t1, t2 , there are classes H1, H2 with Threshold dimension t1, t2 respectively such that T(H1 ∪ H2) = t1 + t2.

Proof. For the upper bound, observe that if h1 . . . hm ∈ H1 ∪ H2 threshold-shatters the sequence x1 . . . xm then {hi : hi ∈ Hj} threshold-shatters {xi : hi ∈ Hj} for j ∈ {1, 2} . For the lower bound, set X = [t1+t2], H1 = {hi : i ≤ t1}, and H2 = {hi : t1 < i ≤ t1 + t2}, where hi(j) = 1 if and only if i ≤ j.

Proposition 4.2 (Littlestone Dimension Under Union). Let H1, H2 ⊆ {0, 1}X be hypothesis classes with Ldim(Hi) = di. Then,

Moreover, this bound is tight: for every d1, d2 , there are classes H1, H2 with Littlestone dimension d1, d2 respectively such that Ldim(H1 ∪ H2) = d1 + d2 + 1.

Proof of Proposition 4.2. There are several ways to prove this statement. One possibility is to use the realizable online mistake-bound setting [Littlestone, 1987] and argue that H1 ∪ H2 can be learned with at most d1 + d2 + 1 mistakes in this setting. We present here an alternative inductive argument, which may be of independent interest. Towards this end, it is convenient to define the depth of the empty tree as −1, and that of a tree consisting of one vertex (leaf) as 0.

Consider a shattered tree T of depth d = Ldim(H1 ∪H2) with leaves labelled H1 and H2 in the obvious way. Recall the notion of a subtree in Definition 3.1, and let x ≤ Ldim(H1) be the maximum depth of a complete binary subtree all whose leaves are leaves, and y ≤ Ldim(H2) the maximum depth of a subtree all whose leaves are -leaves. Similarly, let xL, yL denote the maximum depth of a H1-subtree and a -subtree in the tree rooted at the left child of the root of T, and let xR, yR be the same for the tree rooted at the right child.

It suffices to show that x + y ≥ d − 1: clearly x ≥ max(xL, xR) and also x ≥ min(xL, xR) + 1 thus x ≥ (xL + xR)/2 + 1/2 . Similarly y ≥ (yL + yR)/2 + 1/2, hence

and this gives by induction on d (starting with d = 0 or 1) that x + y ≥ d − 1 as required. To see that this bound is tight, pick n ≥ d1 + d2 + 1 and set

One can verify that Ldim(Hi) = di, for i = 1, 2 and that Ldim(H1 ∪ H2) = d1 + d2 + 1 , as required (in fact, even the VC dimension of H1 ∪ H2 is d1 + d2 + 1).

Proposition 4.2 implies that Ldim(∪ki=1Hi) = O(k · d) provided that Ldim(Hi) ≤ d for al i, and that this inequality can be tight when k = 2. The following proposition shows that for a larger k this bound can be significantly improved:

Proposition 4.3 (Littlestone Dimension Under Multiple Unions). Let H1, . . . , Hk ⊆ {0, 1}X be hypothesis classes with Ldim(Hi) ≤ d . Then, for every 0 < ε < 1/2,

Moreover, this bound is tight up to a constant factor: for every k, there are classes H1, . . . , Hk with Ldim(Hi) ≤ d such that Ldim(∪iHi) ≥ d + ⌊log k⌋.

Proposition 4.3 demonstrates a difference with the threshold dimension. Indeed, while the bound above scales logarithmically with k, in the case of the threshold dimension a linear dependence in k is necessary: indeed, set X = [k · t], Hi = {hj : (i − 1) · t < ji ≤ i · t}, where hi(j) = 1 if and only if i ≤ j. Thus, Ldim(Hi) = t for all i and Ldim(∪ki=1Hi) = k · t >> t + log k.

Figure 1: An illustration of the tree shattered by in the construction in Proposition 4.3. In this illustration ⌊log k⌋ equals 3.

Proof of Proposition 4.3. We begin with the lower bound: pick any class H ⊆ {0, 1}X with Littlestone dimension d, and let T be a tree of depth d which is shattered by H. Pick ⌊log k⌋ new points z1, . . . , z⌊log k⌋ /∈ X, and extend the domain X to X′ = X ∪ {z1 . . . , z⌊log k⌋}. Define H′ ⊆ {0, 1}X′ by extending each h ∈ H to the zi ’s in each of the k′ = 2⌊log k⌋ possible ways. (So, each h ∈ H has k′ copies in H′, one for each possible pattern on the zi’s.) Thus, H′ is a union of k′ copies of H , one copy for each boolean pattern on the ’s. In particular, is the union of classes with Littlestone dimension d. Also note that Ldim(H′) ≥ ⌊log k⌋ + d , as witnessed by the tree which is illustrated in Figure 1.

The upper bound is based on a multiplicative-weights argument. Recall that the Littlestone dimension equals the optimal number of mistakes performed by a deterministic online learner in the mistake-bound model (i.e. online learning when the sequence of input examples is labelled by some h ∈ H ). Thus, it suffices to demonstrate an online learner for ∪ki=1Hi which makes at most 3d + 3 log k mistakes. Pick for every an online learner which makes at most d mistakes on input sequences consistent with Hi. We set the online learning algorithm A for H = ∪ki=1Hi to be The Weighted Majority Algorithm by Littlestone and Warmuth [1989] with the k experts being the algorithms A1, . . . , Ak . Now, consider an input sequence S = (x1, y1), . . . (xT , yT ) consistent with H. Thus, S is consistent with Hi for some i ≤ k and therefore makes at most d mistakes on it. Thus, by the multiplicative weights analysis (see e.g. Corollary 2.1 in Littlestone and Warmuth [1989]), the number of mistakes A makes on S is at most

where 0 ≤ β < 1 is multiplicative factor which discounts the weights of wrong experts. The upper bound follows by setting β = 1/2.

4.2 Closure Under Composition

4.2.1 Threshold Dimension

Proof of Theorem 2.1. We begin with the upper bound. Let T(G(H1, . . . , Hk)) = n . It suffices to show that if n ≥ 24k4k·t then there is i ≤ k such that T(Hi) ≥ t . By assumption, there are x1, x2 . . . xn ∈ X and

functions hij ∈ Hj, for 1 ≤ i ≤ n, 1 ≤ j ≤ k such that

Construct a coloring of the edges of the complete graph on [n] by 4k colors as follows: for each 1 ≤ p < q ≤ n , the color of the edge {p, q} is given by the following ordered sequence of 2k bits:

By Ramsey Theorem [Ramsey, 1930], if n ≥ (4k)2t·4k = 24k4k·t then there is a monochromatic set A ⊆ [n] of size |A| = 2t.6 Denote the elements of A by

and let u = (u1 . . . uk), v = (v1 . . . vk) such that the color of every pair in A is

Thus, for every pair p, q ≤ d and every r ≤ k:

We claim that u ̸= v: indeed, xj1, xj2, xj3, . . . , xjt is threshold-shattered by the functions

Thus,

Therefore, v ∈ G−1(0) and u ∈ G−1(1) and in particular u ̸= v . Pick an index r so that ur ̸= vr . Therefore, for every p, q ≤ t:

This shows that either x1 . . . xt is threshold shattered by Hr (if vr = 1, ur = 0), or xt . . . x1 is thresholds shattered by Hr (if vr = 0, ur = 1 ); in either way, the threshold dimension of is at least t. This completes the proof of the upper bound.

Lower Bound. We next prove the lower bound. Let m = 2⌊t/5⌋ , and construct H ⊆ {0, 1}m randomly as follows: H consists of 2m random functions

where for each i set fi(j) = gj(j) = 0 for j > i, and for j ≤ i , pick uniformly at random one of fi, gi, set it to be 1 in position j and set the other to be 0 in position j. All of the above �m−12 � random choices are done independently. By construction, {h1 ∨ h2 : h1, h2 ∈ H} threshold-shatters the sequence 1, 2 . . . , m with probability 1 and hence has threshold dimension at least m. It suffices to show that with a positive probability it holds that

We set out to prove (3). Consider the following event:

Note that E implies that T(H) ≤ 2k and therefore it suffices to show that Pr[E] > 0. Towards this end we use a union bound: we define a family of “bad” events whose total sum of probabilities is less than one with the property that if none of the bad events occurs then E occurs. The bad events are defined as follows: for any pair of subsets A, B ⊆ [m] of size |A| = |B| = k, let BA,B denote the event

Note that indeed ¬E implies BA,B for some A, B and thus it suffices to show that with a positive probability none of the BA.B occurs. We claim that

Indeed, for a fixed i ∈ A , the probability that one of fi, gi equals to 1 on all j ∈ B is at most 2−(k−1). By independence, the probability that the latter simultaneously holds for every i ∈ A is at most 2−k(k−1). Thus, the probability that BA,B occurs for at least one pair A, B is at most

where the last inequality holds because k = (2 + 1log m) log m.

4.2.2 Littlestone Dimension

Proof of Theorem 2.1. We will first show that for an odd k, the majority-vote G = MAJk satisfies

(Recall that d = maxi Ldim(Hi) .) Then, we use this to argue that for any G,

We start with proving (4). Let H = ∪ki=1Hi and Hk = MAJk(H, . . . , H). Since MAJk(H1, . . . , Hk) ⊆ , it suffices to show that Ldim(Hk) ≤ ˜O(k2d) . We use online boosting towards this end.

Online boosting (in the realizable setting) is an algorithmic framework which allows to transform a weak online learner for H with a non-trivial mistake-bound of (1/2 − γ)T + R(T), where R(T) = o(T) is a sublinear regret function, to a strong online learner with a vanishing mistake-bound of O(R(T)/γ). Online boosting has been studied by several works (e.g. Chen et al. [2012], Beygelzimer et al. [2015], Brukhim et al. [2020]). We use here the variant given by Brukhim et al. [2020] (see Theorem 2 there)7.

Which weak learner to use? Recall that by Ben-David et al. [2009] (see Equation (1)) there exists an agnostic online learning algorithm W for H whose (expected) regret bound is

We claim that W is a weak learner for with mistake-bound

To prove this, it suffices to show that for every sequence of examples (x1, y1) . . . (xT , yT ) which is consistent with there exists h ∈ H which makes at most (1/2 − 1/k) · T mistakes on it. Indeed, let h1 . . . hk such that yt = MAJk(h1(xt) . . . hk(xt)) for t ≤ T . Thus, on every example $(xt, yt) at most 1/2 − 1/k fraction$ of the ’s make a mistake on it. By averaging, this implies that one of the makes at most (1/2 − 1/k)T mistakes in total, and (6) follows.

Now, by applying online boosting with W as a weak learner, we obtain an algorithm with a mistake-bound of at most

Thus, since the Littlestone dimension characterizes the optimal mistake-bound, letting D = Ldim(Hk), we get that

and in particular D ≤ O�k�Ldim(H)D log D� , which implies that

and finishes the proof of (4).

We next set out to prove (5). The idea is to represent an arbitrary G using a formula which only uses majority-votes and negations. Let G : {0, 1}k → {0, 1} be an arbitrary boolean function. It is a basic fact that G can be represented by a Disjunctive Normal Form (DNF) as follows:

where each zi,j ∈ {xj, ¬xj}, and m ≤ 2k . Now, note that

Thus, G(H1, . . . , Hk) can be written as MAJ2m−1(H′1, . . . H′2m−1) , where for i > m, H′i = {h0} is the class which contains the all-zero function h0, and for i ≤ m,

such that each class H′′i,j is either Ht or its negation ¬Ht for some t ≤ k, or H′′i,j is the class {h1} which contains the all-one function. We now apply (4) to conclude that Ldim(H′i) = ˜O(k2d) for all i ≤ m, and that

as required.

5 Private Agnostic Learning and Closure of Private Learning

In this section we describe our private learning algorithm. We start by discussing a relabeling procedure (discussed in 2), explaining the difficulties in designing the procedure and how we overcome them. We then provide a formal description of the relabeling procedure in ARelabel and prove that it can be used to construct a private algorithm that produces hypothesis that has good generalization properties; this is done by presenting an algorithm ARelabelAndLearn.

Let H be a hypothesis class, and suppose that we have a differentially private learning algorithm A for H for the realizable setting. That is, A is guaranteed to succeed in its learning task whenever it is given a labeled database that is consistent with some hypothesis in H. Now suppose that we are given a database S sampled from some distribution P on X and labeled by some concept (not necessarily in H). So, S might not be consistent with any hypothesis in H, and we cannot directly apply A on S. Heuristically, one might first relabel the database S using some function from H, and then apply A on the relabeled database. Can we argue that such a paradigm would satisfy differential privacy, or is it the case that the relabeling process “vaporises” the privacy guarantees of algorithm A?

Building on a result of Beimel et al. [2015], we show that it is possible to relabel the database before applying algorithm A while maintaining differential privacy. As we mentioned in the introduction, the relabeling procedure of Beimel et al. [2015] instantiates the exponential mechanism in order to choose a hypothesis h that is (almost) as close as possible to the original labels in S, uses this hypothesis to relabel the database, and applies the given differentially private algorithm A on the relabeled database to obtain an outcome f.

Now we want to argue that f has low generalization error. We known (by the guarantees of the exponential mechanism) that the hypothesis h with which we relabeled S has a relatively small empirical error on S (close to the lowest possible error). Via standard VC arguments, we also know that h has a relatively small generalization error. Therefore, in order to show that the returned hypothesis f has low generalization

error, it suffices to show that errorP(f, h) is small. This might seem trivial at first sight: Since as A is a PAC learner, and since it is applied on a database S labeled by the hypothesis h ∈ H , it must (w.h.p.) return a hypothesis f with small error w.r.t. h. Is that really the case? The difficulty with formalizing this argument is that A is only guaranteed to succeed in identifying a good hypothesis when it is applied on an i.i.d. sample from some underlying distribution. This is not true in our case. Specifically, we first sampled the database S from the underlying distribution, then based on S, we identified the hypothesis h and relabeled S using h. For all we know, A might completely fail when executed on such a database (not sampled in an i.i.d. manner).8 Therefore, before applying A on the relabeled database, we subsample i.i.d. elements from it, and apply A on this newly sampled database. Now we know that A is applied on an i.i.d. sampled database, and so, by the utility guarantees of A, the hypotheses f and h are close w.r.t. the underlying distribution. However, this subsampling step changes the distribution from which the inputs of A are coming from. This distribution is no longer P (the original distribution from which S was sampled), rather it is the uniform distribution on the empirical sample S. This means that what we get from the utility guarantees of A is that errorS(f, h) is small. We need to show that errorP(f, h) is small. If A is a proper learner, then f is itself in H, and hence, using standard VC arguments, the fact that is small implies that is small. However, if A is an improper learner, then this argument breaks because f might come from a different hypothesis class with a much larger VC dimension. To overcome this difficulty, we will instead relate errorS(f, h) and errorP(f, h) using the generalization properties of differential privacy. These generalization properties state that if a predicate t was identified using a differentially private algorithm, then (w.h.p.) the empirical average of this predicate and its expectation over the underlying distribution are close. More formally, we would like to consider the predicate (h⊕f)(x) = h(x) ⊕ f(x) , which would complete our mission because the empirical average of that predicate on S is errorS(f, h) , and its expectation over P is errorP(f, h) . However, while f is indeed the outcome of a differentially private computation, h is not, and we cannot directly apply the generalization properties of differential privacy to this predicate. Specifically, our relabeling procedure does not reveal the chosen hypothesis h. We overcome this issue by introducing the following conceptual modification to the relabeling procedure. Let us think about the input database S as two databases S = D◦T . In the relabeling procedure we still relabel all of S using h. We show that (a small variant of) this relabeling procedure still satisfies differential privacy w.r.t. D even if the algorithm publicly releases the relabeled database T. This works in our favour because given the relabeled database T we can identify a hypothesis h′ ∈ H that agrees with it, and by standard VC arguments we know that errorP(h, h′) is small (since both h, h′ come from H). In addition, is computed by post-processing the relabeled database T which we can view as the result of a private computation w.r.t. D. Therefore, we can now use the generalization properties of differential privacy to argue that errorD(f, h) ≈ errorP(f, h) , which would allow us to complete the proof. We remark that the conceptual modification of treating S as two databases S = D◦T is crucial for our analysis. We do not know if the original relabeling procedure of Beimel et al. [2015] can be applied when A is an improper learner. In Algorithm 2 we formally describe ARelabel . We next provide an informal description of the algorithm.

Let H be a hypothesis class, and let q be a score function. Algorithm ARelabel takes two input databases D, T ∈ (X × {0, 1})∗ , where the labels in D and T are arbitrary. The algorithm relabels D and T using a hypothesis h ∈ H with near optimal score q(D, h). The output of this algorithm is the two relabeled databases ˜D and ˜T . Observe that algorithm is clearly not differentially private, since it outputs its input database (with different labels). Before formally presenting algorithm ARelabel , we introduce the following definition.

Definition 5.1. Let X be a domain and let H be a class of functions over X. A function q : (X ×{0, 1})∗ × H → R has matched-sensitivity k if for every S ∈ (X × {0, 1})∗, every (x, y), (x′y′) ∈ X × {0, 1}, and every h, h′ ∈ H that agree on every element of S we have that

In words, a score function q has low matched-sensitivity if given “similar” databases it assigns “similar” scores to “similar” solutions. Note that if a function q has matched-sensitivity 1, then in particular, it has (standard) sensitivity (at most) 1.

Example 5.2. Let H be a concept class over X. Then, the score function q(S, h) that takes a labeled database S ∈ (X × {0, 1})∗ and a concept h ∈ H and returns the number of errors h makes on S has matched-sensitivity at most 1.

We next present an algorithm ARelabelAndLearn and analyze its properties. This algorithm is an abstraction of parts of APrivateAgnostic and AClosureLearn and is used for unifying the proofs of privacy and correctness of these algorithms. We start with an informal description of algorithm ARelabelAndLearn. The algorithm first applies the relabeling algorithm and then applies a private algorithm to the relabeled database. For the analysis of our algorithms in the sequence, also publishes part of the relabeled database. We prove that guarantees differential privacy w.r.t. to the part of the database that it did not publish.

In Lemma 5.3, we analyze the privacy properties of algorithm ARelabelAndLearn.

Lemma 5.3. Let A be an (ε, δ) -differentially private algorithm and q be a score function with matched-sensitivity 1. Then, for every V , algorithm

Thus, |H1| ≤ 2|H2| and similarly |H2| ≤ 2|H1|.

More specifically, for every t ∈ {1, 2} and every pattern h ∈ ΠC(K) there are either one or two (but not more) patterns in that agree with h on K. We denote these one or two patterns by h(0)t and h(1)t , which may be identical if only one unique pattern exists. By the fact that q has matched-sensitivity at most 1, for every t1, t2 ∈ {1, 2} and every b1, b2 ∈ {0, 1} we have that

where the last inequality is because h(b1)t1 and h(b2)t2 agree on every point in D and because q has matched-sensitivity at most 1.

For every h ∈ ΠH(K) and t ∈ {1, 2}, let wt,h be the probability that the exponential mechanism chooses either h(0)t or h(1)t in Step (3) of the execution of ARelabel on Si . We get that for every h ∈ ΠC(K),

We are now ready to conclude the proof. For every h ∈ ΠH(K), let It be the event that the exponential mechanism chooses in Step (3) of the execution on St either h(0)t or h(1)t and ht be the random variable denoting the pattern that the exponential mechanism chooses in Step (3) of the execution on conditioned on the event . Observe that Sh0 and Sh1 are distributions on neighboring databases; thus, applying the differentially private A on them satisfies differential privacy, i.e., for every possible sets of outputs F of A:

Recall that algorithm ARelabelAndLearn returns three outcomes: the relabeled database V h , hypothesis h that is consistent with V h , and the output of algorithm A. As h is computed from V h , we can consider it as post-processing and ignore it, and assume for the the privacy analysis that ARelabelAndLearn only has two outputs: V h and the output of algorithm A. Also recall that the database V is fixed, and observe that once the hypothesis h is fixed (in Step (3) of algorithm ), the relabeled database V h is also fixed. Furthermore, for every h ∈ ΠH(K) we have that V h(0)t = V h(1)t , since h(0)t and h(1)t agree on all of V .

Let F ⊆ (X × {0, 1})∗ × R be a set of possible outcomes for algorithm ARelabelAndLearn, where R is the range of algorithm A. For every h we denote

Observe that for every h ∈ ΠC(K) we have that

because h(0)1 , h(1)1 , h(0)2 , h(1)2 agree on all points in V . We calculate,

The next claim proves that ARelabel returns a hypothesis whose score is close to the hypothesis with smallest score in the class H.

Claim 5.4. Fix α and β, and let S = D◦T ∈ (X × {0, 1})∗ be a labeled database such that

Consider the execution of ARelabel on S, and let h denote the hypothesis chosen on Step (3). With probability at least (1−β) we have that q(D, h) ≤ minc∈H{q(D, c)}+α|D| . In particular, assuming that |D| ≥ |S|/2, it suffices that

Proof. Note that by Sauer-Shelah-Perles lemma,

As H contains all patterns of H restricted to S, the set H contains a pattern f∗ s.t. q(D, f∗) = minc∈H{q(D, c)} . Hence, Proposition 3.13 (properties of the exponential mechanism) ensures that the probability of the exponential mechanism choosing an h s.t. q(D, h) > minc∈H{q(D, c)} + α is at most

which is at most β whenever |D| ≥ 2α ln( 1β) + 2 VC(H)α ln� e|S|VC(H)�.

Let f denote the hypothesis returned by A and let h be a hypothesis consistent with the pattern chosen on Step (3) of ARelabel . The next lemma relates the generalization error errorP(f, h) to the empirical error errorD(f, h).

Lemma 5.5. Fix α and β, and let µ be a distribution on X × {0, 1} and P be the marginal distribution on unlabeled examples from X. Furthermore, let S = D◦V ◦W ∈ (X × {0, 1})∗ be database sampled i.i.d. from µ such that

and

Consider the execution of ARelabelAndLearn on S, let h ∈ H be a hypothesis consistent with the pattern chosen on Step (3) of and assume that A outputs some hypothesis f. With probability at least 1 − O(β + δ|D|) we have that

Proof. Let h be the third output of ARelabelAndLearn , i.e., a hypothesis from H that is consistent with V h. Since h and h agree on V and |V | is big enough, by Theorem 3.8, with probability at least 1 − β (over sampling V ),

Since |D| is big enough, by Theorem 3.9 (applied to H ⊕ H and the distribution that samples x according to P and labels it with 0), with probability at least 1 − β,

We will now use the generalization properties of differential privacy to argue that errorP(f, h) is small. By Lemma 5.3, algorithm ARelabelAndLearn is (O(1), O(δ)) -differentially private w.r.t. the database D. In addition, by post-processing the outcomes of (the hypotheses f and h) we can define the following predicate test : X × {0, 1} → {0, 1} where test(x, y) = 1 if h(x) ̸= f(x), and test(x, y) = 0 otherwise. Now observe that

Similarly,

Recall that test is the result of a private computation on the database D (obtained as a post-processing of the outcomes of ARelabelAndLearn ). Also observe that since ARelabelAndLearn is (O(1), O(δ)) -differentially private, it is in particular, �O(1), O�δ + β|D|�� -differentially private for every choice of β and |D|. Hence, assuming |D| ≥ O�1α log 1β� , Theorem 3.14 (the generalization properties of differential privacy) states that with probability at least 1 − O(δ|D| + β),

So, by (9), (10), and (11), with probability at least 1 − O(β + δ|D|)

Thus, the next inequality, which concludes the proof, holds with probability 1 − O(β + δ|D|).

6 Private PAC Implies Private Agnostic PAC

In this section we show that private learning implies private agnostic learning (with essentially the same sample complexity) even for improper learning algorithms. Algorithm APrivateAgnostic , the agnostic algorithm for a class H, first applies algorithm ARelabel on the data and relabels the sample using a hypothesis in H that has close to minimal empirical error, and then uses the private learning algorithm (after sub-sampling) to learn the relabeled database.

Theorem 6.1 (Theorem 2.4 Restated). Let 0 < α, β, δ < 1, m ∈ N, and A be a (1, δ) -differentially private (α, β) -accurate PAC learner for H with sample complexity m. Then, APrivateAgnostic is an (O(1), O(δ))- differentially private (O(α), O(β + δn))-accurate agnostic learner for H with sample complexity

Proof. The privacy properties of the algorithm are straightforward. Specifically, by Lemma 3.12, Step (3) the algorithm (applying A on a subsample from ˜D) satisfies (O(1), O(δ)) -differential privacy. Algorithm APrivateAgnostic is, therefore, -differentially private by Lemma 5.3. In particular, if A is (1, 0)-differentially private then APrivateAgnostic is (O(1), 0) -differentially private.

As for the utility analysis, fix a target distribution µ over X × {0, 1} , and denote

Also let P denote the marginal distribution on unlabeled examples from X. Let S be a sample containing n i.i.d. samples from , and denote S = D◦T where |D| = |T| = |S|/2 . By Theorem 3.9 (the agnostic VC generalization bound), assuming that |S| ≥ O�1α2�VC(H) + ln 1β�� , with probability at least 1 − β (over sampling S), the following event occur.

We continue with the analysis assuming that this event occurs, and show that (w.h.p.) the hypothesis f returned by the algorithm has low generalization error. Consider the execution of APrivateAgnostic on S. In Step (2) we apply algorithm ARelabel to obtain the relabeled databases ˜D, ˜T. Let h ∈ H be a hypothesis extending the pattern used by algorithm to relabel these databases. By Claim 5.4, assuming that |D| is big enough, with probability at least 1 − β it holds that

In this case, by Event we have that

Recall that A is executed on the database Q containing | ˜D|/9 i.i.d. samples from . By Lemma 3.12, with probability at least 1 − β , the hypothesis f chosen in Step (3) satisfies

By Lemma 5.5 and (15) with probability at least 1 − O(β + |D|δ)

7 Closure of Private Learning

In this section we prove Theorem 7.1 – if H1, . . . , Hk are privately learnable, then G(H1, . . . , Hk) is pri- vately learnable.

Theorem 7.1 (Closure Theorem for Private Learning). Let G : {0, 1}k → {0, 1} be a boolean function and H1, . . . , Hk ⊆ {0, 1}X be classes that are (ε, δ) -differentially private and (α, β) -accurate learnable by a possibly improper learning algorithms with sample complexity mi(α, β, ε, δ) respectively. Then, G(H1, . . . , Hk) is (O(1), O(δ)) -private and (O(α), O(β + δm)) -accurate learnable with sample complexity

To prove Theorem 7.1, we present AClosureLearn – a generic transformation of private learning algorithms A1, . . . , Ak for the classes H1, . . . , Hk respectively to a private learner for G(H1, . . . , Hk). This transformation could be applied to proper as well as improper learners, and to a learners that preserves pure or approximate privacy. Given a labeled sample S of size N, algorithm AClosureLearn finds hypotheses in steps, where in the i’th step, the algorithm finds a hypothesis have a completion ci+1, . . . , ck to a hypothesis G(h1, . . . , hi, ci+1, . . . , ck) with small error (assuming that h1, . . . , hi−1 have a good completion). In the i’th step, AClosureLearn relabels the input sample S so that the relabeled sample is realizable by . The relabeling h is chosen using ARelabel in a way that guarantees completion to a hypothesis with small empirical error. That is, using an appropriate score-function in (i.e., in the exponential mechanism), it is guaranteed that for the hypotheses h1, . . . , hi−1 computed in the previous steps there are some ci+1 ∈ Hi, . . . , ck ∈ Hk such that the function G(h1, . . . , hi−1, h, ci+1, . . . , ck) has a small loss with respect to the original sample S. The relabeled sample is fed (after subsampling) to the private algorithm to produce a hypothesis and then the algorithm proceeds to the next step i + 1.

In Lemma 7.2, we analyze the privacy guarantees of AClosureLearn.

Lemma 7.2. Let ε < 1 and assume the algorithms A1, . . . , Ak are (1, δ) -private. Then, AClosureLearn is (ε, O(δ)) -differentially private.

Proof. Fix i ∈ [k] and consider the i’th step of the algorithm. By Lemma 3.12, Step (2c) of algorithm AClosureLearn (i.e., sub-sampling with replacement and executing a (1, δ) -private algorithm) is (1, δ)- differentially private. Thus, by Lemma 5.3, Steps (2b)–(2c) of algorithm AClosureLearn are (O(1), O(δ))- differentially private. Since each step is executed on a disjoint set of examples, differentially private.

In the next lemma we prove that AClosureLearn is an accurate learner for the class G(H1, . . . , Hk).

Lemma 7.3. Assume that A1, . . . , At are (1, δ) -differentially private (α/k, β/k) -accurate (possibly improper) learning algorithms for H1, . . . , Hk with sample complexity mi(α/k, β/k, 1, δ) . If at each iteration

then with probability at least 1 − O(β + kδ|Si|) we have that is the hypothesis returned by AClosureLearn on S.

Proof. Let h1, . . . , hk be the hypotheses that AClosureLearn computes in Step (2c). We prove by induction that for every i ∈ [k] with probability at least 1− O(i)·βk +O(i·δ|Si|) there exist ci+1 ∈ Hi+1, . . . , ck ∈ Hk such that

The induction basis for i = 0 is implied by the fact that the examples are labeled by some G(c1, . . . , ck) from G(H1, . . . , Hk) . For the induction step, assume that there are ci ∈ Hi, . . . , ck ∈ Hk such that

We need to prove that with probability at least 1 − O(1)·βk − O(δ|Si|) there are c′i+1 ∈ Hi+1, . . . , c′k ∈ Hk such that

Recall that each example in S, and hence in , is chosen i.i.d. from the distribution in P. Since

by Theorem 3.9 applied to G(H1, . . . , Hk) ⊕ G(H1, . . . , Hk) , with probability at least 1 − βk (over the sampling of ) the following event occurs:

We continue proving the induction step assuming that occurs. The proof of the induction step is as follows: Since E1 occurs:

By the definition of H, there is h = hopt ∈ H that agrees with ci on Si , and therefore

By Claim 5.4, if

We assume that the above event occurs, thus, the latter implies that there are c′i+1, . . . , c′k such that

Since occurs, by (22),

Since

Lemma 3.12 implies that Step (2c) of AClosureLearn is an ( αk , βk ) empirical learner and, therefore, with probability at least 1 − βk

Again, we assume in the rest of the proof that the above event occurs. By Lemma 5.5, since

with probability at least 1 − O(β)k − O(δ|Di|)

Thus, by (25), with probability at least 1 − O(β)k

The latter, combined with (23), implies the induction step: with probability at least 1 − O(β)k − O(δ|Di|)

By (19), (21), (24), and (26), the sample complexity |Si| the i ’th step is

To conclude, by a union bound, AClosureLearn returns, with probability at least 1 − O(β + δ �ki=1 |Si|), a hypothesis G(h1, . . . , hk) with error less than O(α) with respect to the distribution P.

Proof of Theorem 7.1.

Proof. Theorem 7.1 follows from Lemmas 7.2 and 7.3. Specifically, by Lemma 7.3, to prove that AClosureLearn is -accurate it suffices that

By Lemma 7.2, AClosureLearn is (O(1), O(δ)) -differentially private.

Remark 7.4. Since each Ai is an (α, β) -accurate learning algorithm for the class H1,

Furthermore, by the Sauer-Shelah-Perles Lemma, VC(G(H1, . . . , Hk) = ˜O(�ki=1 VC(Hi)). Thus, the sample complexity of AClosureLearn is

For constant k, α, β this is nearly tight. By using sub-sampling (see e.g., Kasiviswanathan et al. [2011], Beimel et al. [2014]), we can achieve (ε, O(δ)) -differential privacy by increasing the sample complexity by a factor of O(1/ε) . Furthermore, by using private boosting Dwork et al. [2010], one can start with a private algorithm that is, for example, (1/4, β) accurate and get a private algorithm that is (α, β) by increasing the sample complexity by a factor of O(1/α) , and by simple technique, one can boost by increasing the sample complexity by a factor of O(log(1/β)) . Thus, we get an (ε, O(δ)) -differentially private (α, β)- accurate learner for G(H1, . . . , Hk) whose sample complexity is

Acknowledgements

We thank Adam Klivans and Roi Livni for insightful discussions.

References

Jacob D. Abernethy, Chansoo Lee, Audra McMillan, and Ambuj Tewari. Online learning via differential privacy. CoRR, abs/1711.10019, 2017. URL http://arxiv.org/abs/1711.10019.

Noga Alon, Roi Livni, Maryanthe Malliaris, and Shay Moran. Private PAC learning implies finite Littlestone dimension. In Proceedings of the 51st Annual ACM Symposium on the Theory of Computing, STOC ’19, New York, NY, USA, 2019. ACM.

Martin Anthony and John Shawe-Taylor. A result of Vapnik with applications. Discrete Applied Mathematics, 47(3):207–217, 1993.

Matin Anthony and Peter L. Bartlett. Neural Network Learning: Theoretical Foundations. Cambridge University Press, 2009. ISBN 9780521118620. URL http://books.google.co.il/books?id= UH6XRoEQ4h8C.

Raef Bassily, Kobbi Nissim, Adam Smith, Thomas Steinke, Uri Stemmer, and Jonathan Ullman. Algo- rithmic stability for adaptive data analysis. In Proceedings of the 48th Annual ACM Symposium on the Theory of Computing, STOC ’16, pages 1046–1059, New York, NY, USA, 2016. ACM.

Amos Beimel, Hai Brenner, Shiva Prasad Kasiviswanathan, and Kobbi Nissim. Bounds on the sample complexity for private learning and private data release. Machine Learning, 94(3):401–437, 2014.

Amos Beimel, Kobbi Nissim, and Uri Stemmer. Learning privately with labeled and unlabeled examples. In Proceedings of the 26th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA ’15, pages 461–477, Philadelphia, PA, USA, 2015. SIAM.

Amos Beimel, Kobbi Nissim, and Uri Stemmer. Characterizing the sample complexity of pure private learn- ers. Journal of Machine Learning Research, 20(146):1–33, 2019. URL http://jmlr.org/papers/ v20/18-269.html.

Shai Ben-David, D´avid P´al, and Shai Shalev-Shwartz. Agnostic online learning. In COLT 2009 – The 22nd Conference on Learning Theory, 2009. URL http://www.cs.mcgill.ca/%7Ecolt2009/papers/ 032.pdf#page=1.

Alina Beygelzimer, Satyen Kale, and Haipeng Luo. Optimal and adaptive algorithms for online boosting. In International Conference on Machine Learning, pages 2323–2331, 2015.

Siddharth Bhaskar. Thicket density. Technical Report arXiv:1702.03956, ArXiV, 2017.

Anselm Blumer, Andrzej Ehrenfeucht, David Haussler, and Manfred K. Warmuth. Learnability and the Vapnik-Chervonenkis dimension. Journal of the ACM, 36(4):929–965, 1989.

Nataly Brukhim, Xinyi Chen, Elad Hazan, and Shay Moran. Online agnostic boosting via regret minimiza- tion. CoRR, abs/2003.01150, 2020.

Mark Bun, Kobbi Nissim, Uri Stemmer, and Salil Vadhan. Differentially private release and learning of threshold functions. In Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science, FOCS ’15, pages 634–649, Washington, DC, USA, 2015. IEEE Computer Society.

Mark Bun, Roi Livni, and Shay Moran. An equivalence between private classification and online prediction. CoRR, abs/2003.00563, 2020. URL https://arxiv.org/abs/2003.00563.

Hunter Chase and James Freitag. Model theory and combinatorics of banned sequences, 2018.

Hunter Chase and James Freitag. Model theory and machine learning. The Bulletin of Symbolic Logic, 25 (03):319332, Feb 2019. ISSN 1943-5894. doi: 10.1017/bsl.2018.71. URL http://dx.doi.org/10. 1017/bsl.2018.71.

Shang-Tse Chen, Hsuan-Tien Lin, and Chi-Jen Lu. An online boosting algorithm with theoretical justi- fications. In Proceedings of the 29th International Coference on International Conference on Machine Learning, ICML12, page 18731880, Madison, WI, USA, 2012. Omnipress. ISBN 9781450312851.

R. M. Dudley. Central limit theorems for empirical measures. Ann. Probab., 6(6):899–929, 12 1978. doi: 10.1214/aop/1176995384. URL https://doi.org/10.1214/aop/1176995384.

Cynthia Dwork, Krishnaram Kenthapadi, Frank McSherry, Ilya Mironov, and Moni Naor. Our data, our- selves: Privacy via distributed noise generation. In Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT ’06, pages 486–503, Berlin, Heidelberg, 2006a. Springer.

Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. Calibrating noise to sensitivity in private data analysis. In Proceedings of the 3rd Conference on Theory of Cryptography, TCC ’06, pages 265–284, Berlin, Heidelberg, 2006b. Springer.

Cynthia Dwork, Guy N. Rothblum, and Salil Vadhan. Boosting and differential privacy. In Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, FOCS ’10, pages 51–60, Washington, DC, USA, 2010. IEEE Computer Society.

Cynthia Dwork, Vitaly Feldman, Moritz Hardt, Toniann Pitassi, Omer Reingold, and Aaron Roth. The reusable holdout: Preserving validity in adaptive data analysis. Science, 349(6248):636–638, 2015.

Vitaly Feldman and Thomas Steinke. Generalization for adaptively-chosen estimators via stable median. In Satyen Kale and Ohad Shamir, editors, Proceedings of the 30th Conference on Learning Theory, COLT 2017, Amsterdam, The Netherlands, 7-10 July 2017, volume 65 of Proceedings of Machine Learning Research, pages 728–757. PMLR, 2017. URL http://proceedings.mlr.press/v65/feldman17a. html.

Alon Gonen, Elad Hazan, and Shay Moran. Private learning implies online learning: An efficient reduction. NeurIPS, 2019.

R. E. Greenwood and A. M. Gleason. Combinatorial relations and chromatic graphs. Canadian Journal of Mathematics, 7:1–7, 1955. doi: 10.4153/CJM-1955-001-4.

Wilfrid Hodges. A Shorter Model Theory. Cambridge University Press, New York, NY, USA, 1997. ISBN 0-521-58713-1.

Matthew Joseph, Jieming Mao, Seth Neel, and Aaron Roth. The role of interactivity in local differential privacy. In FOCS, 2019.

Christopher Jung, Katrina Ligett, Seth Neel, Aaron Roth, Saeed Sharifi-Malvajerdi, and Moshe Shenfeld. A new analysis of differential privacy’s generalization guarantees. In Thomas Vidick, editor, 11th Innovations in Theoretical Computer Science Conference, ITCS 2020, January 12-14, 2020, Seattle, Washington, USA, volume 151 of LIPIcs, pages 31:1–31:17. Schloss Dagstuhl - Leibniz-Zentrum f¨ur Informatik, 2020. doi: 10.4230/LIPIcs.ITCS.2020.31. URL https://doi.org/10.4230/LIPIcs.ITCS.2020.31.

Haim Kaplan, Katrina Ligett, Yishay Mansour, Moni Naor, and Uri Stemmer. Privately learning thresholds: Closing the exponential gap, 2019.

Shiva Prasad Kasiviswanathan, Homin K. Lee, Kobbi Nissim, Sofya Raskhodnikova, and Adam Smith. What can we learn privately? SIAM Journal on Computing, 40(3):793–826, 2011.

N. Littlestone and M. K. Warmuth. The weighted majority algorithm. In Proceedings of the 30th Annual Symposium on Foundations of Computer Science, SFCS 89, page 256261, USA, 1989. IEEE Computer Society. ISBN 0818619821. doi: 10.1109/SFCS.1989.63487. URL https://doi.org/10.1109/ SFCS.1989.63487.

Nick Littlestone. Learning quickly when irrelevant attributes abound: A new linear-threshold algorithm. Machine Learning, 2(4):285–318, 1987.

Frank McSherry and Kunal Talwar. Mechanism design via differential privacy. In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, FOCS ’07, pages 94–103, Washington, DC, USA, 2007. IEEE Computer Society.

Kobbi Nissim and Uri Stemmer. Personal communication, 2017.

F. P. Ramsey. On a problem of formal logic. Proceedings of the London Mathematical Society, s2-30 (1):264–286, 1930. doi: 10.1112/plms/s2-30.1.264. URL https://londmathsoc.onlinelibrary. wiley.com/doi/abs/10.1112/plms/s2-30.1.264.

Ryan Rogers, Aaron Roth, Adam Smith, and Om Thakkar. Max-information, differential privacy, and post- selection hypothesis testing. In Proceedings of the 57th Annual IEEE Symposium on Foundations of Computer Science, FOCS ’16, pages 487–494, Washington, DC, USA, 2016. IEEE Computer Society.

F. Rosenblatt. The perceptron: A probabilistic model for information storage and organization in the brain. Psychological Review, 65(6):386–408, 1958. ISSN 0033-295X. doi: 10.1037/h0042519. URL http: //dx.doi.org/10.1037/h0042519.

N. Sauer. On the density of families of sets. J. Comb. Theory, Ser. A, 13:145–147, 1972. ISSN 0097-3165. doi: 10.1016/0097-3165(72)90019-2.

Saharon. Shelah. Classification theory and the number of non-isomorphic models. North-Holland Pub. Co. ; sole distributors for the U.S.A. and Canada, Elsevier/North-Holland Amsterdam ; New York : New York, 1978. ISBN 0720407575.

Leslie G. Valiant. A theory of the learnable. Communications of the ACM, 27(11):1134–1142, 1984.

V.N. Vapnik and A.Ya. Chervonenkis. On the uniform convergence of relative frequencies of events to their probabilities. Theory Probab. Appl., 16:264–280, 1971. ISSN 0040-585X; 1095-7219/e. doi: 10.1137/1116025.

Designed for Accessibility and to further Open Science