Mechanisms for Hiding Sensitive Genotypes with Information-Theoretic Privacy

Abstract

Motivated by the growing availability of personal genomics services, we study an information-theoretic privacy problem that arises when sharing genomic data: a user wants to share his or her genome sequence while keeping the genotypes at certain positions hidden, which could otherwise reveal critical health-related information. A straightforward solution of erasing (masking) the chosen genotypes does not ensure privacy, because the correlation between nearby positions can leak the masked genotypes. We introduce an erasure-based privacy mechanism with perfect information-theoretic privacy, whereby the released sequence is statistically independent of the sensitive genotypes. Our mechanism can be interpreted as a locally-optimal greedy algorithm for a given processing order of sequence positions, where utility is measured by the number of positions released without erasure. We show that finding an optimal order is NP-hard in general and provide an upper bound on the optimal utility. For sequences from hidden Markov models, a standard modeling approach in genetics, we propose an efficient algorithmic implementation of our mechanism with complexity polynomial in sequence length. Moreover, we illustrate the robustness of the mechanism by bounding the privacy leakage from erroneous prior distributions. Our work is a step towards more rigorous control of privacy in genomic data sharing.

I. Introduction

A. Motivation

The rise of personal genomics, whereby private individuals are exposed to an increasing range of direct-to-consumer services for sequencing, sharing, or analyzing their genomes, is leading to growing concerns for genomic privacy [1]-[3]. A personal genome is a rich trove of information about the underlying individual, including predictors for disease risks and other health-related traits, which holds great potential for improving one’s health, yet may cause harm if used against the individual. Unlike other types of personal data like passwords, one’s genetic data cannot be replaced once leaked, and a data breach may even affect the relatives of the individual whose genome is leaked. In order to facilitate the sharing of genomes to improve public health and advance science, we need principled strategies for controlling the privacy risks associated with genomic data sharing.

A key need in this regard is to selectively limit the leakage of information about biological or health-related traits of an individual that can be inferred from the shared genetic data. For example, one may wish to hide certain genotypes (an individual’s genetic information at specific genomic positions) with well-established disease association before sharing his or her data with others (e.g., analytic service providers or researchers). Such a capability would give the individuals more fine-grained control over their genomic privacy.

A simple approach to privacy protection, whereby specific positions in the genome deemed sensitive by the individual are masked before sharing the data, does not provide sufficient privacy protection. This is because the correlation structure among nearby genomic positions induced by the biological processes of genetic inheritance can be used to reconstruct the masked data as demonstrated in a number of studies [4], [5]. To prevent such an attack, one could alternatively erase all positions that are highly correlated with the sensitive sites [6], which may be achieved by masking the data within a large window around each sensitive position. Unfortunately, depending upon the chosen size of window, these approaches either provide incomplete privacy protection or require an excessive amount of data to be erased in order to achieve strong privacy (as we demonstrate in our results), thus limiting the usefulness of the shared data. Here, we aim to design a principled and effective mechanism for sharing a personal genome that provably hides sensitive positions, while introducing a small amount of erasure. Our techniques build upon the recent work on ON-OFF privacy [31], [32] while extending the theory to general data distributions beyond Markov chains addressed in the previous work.

It is worth noting that information-theoretic approaches are being increasingly explored for a diverse range of applications in genomics, including sequencing [7], genome-wide association study (GWAS) [8], [9], genome assembly [10], [11], regulatory network of gene interactions (RNGI) [12], and DNA-based information storage [13]. There are also recent works addressing the issue of genomic privacy, including a solution for private shotgun sequencing [14] based on the intensively researched private information retrieval (PIR) problems [15]-[20] and differential privacy mechanisms for sharing aggregate genomic data [21]-[23]. Broadly, our work can be viewed as a continuation of these efforts to develop effective genomic data processing tools from an information-theoretic perspective, yet for a novel problem that we introduce, i.e., the design of mechanisms for selectively hiding sensitive positions in genetic sequences.

B. Genetics background

An individual’s genome consists of a pair of sequences, one from each parent, each consisting of around 3 billion nucleotides (A, C, G, and T). Each sequence is referred to as a haplotype. Since most of the genome sequence is identical between different individuals, a common way to compactly represent a personal genome is as a list of positions of variation, paired with the observed nucleotide(s) in the given individual (referred to as a genotype). In this work, we consider the problem of sharing a list of genotypes corresponding to a single haplotype of an individual. Although standard sequencing or genotyping pipelines produce a genotype at each position that convolves the two haplotypes, well-established methods exist [24], [25] for resolving this ambiguity in order to separate the two haplotypes (a process called phasing), after which each haplotype could be individually considered.

In the setting of our work, we consider an adversary whose goal is to infer the target individual’s genotypes at specific positions in the genome, given a partially masked genetic sequence of the individual. In principle, this reconstruction task is equivalent to an extensively studied problem in bioinformatics known as genotype imputation, originally developed for coping with the presence of missing data in the existing experimental pipelines for characterizing personal genomes. If one were to mask only the sensitive positions before sharing the data, existing imputation algorithms are expected to be effective at revealing the hidden genotypes using other genotypes in their respective neighborhoods.

A state-of-the-art algorithm for genotype imputation, Minimac [26], is based on a classical model of genetic sequences introduced by Li and Stephens [27]. In this model, a person’s genetic sequence is modelled as a mosaic of a large group of reference sequences from other individuals. This model intuitively captures the underlying biological process of recombination, which describes the interleaving of two haplotypes of each parent when their genetic material is passed onto the child. Formally, these models are expressed as hidden Markov models (HMMs), where a sequence of genotypes of an individual is generated from a sequence of hidden states indicating which reference haplotype to copy the genotype from, for each corresponding position. The parameters of these models are typically inferred from a large reference panel including tens of thousands of sequenced human genomes [28]. Although alternative approaches to imputation (e.g. based on matrix factorization [29]) exist, in our work we are especially interested in HMMs as the primary means to model the distribution of genotypes, considering the wide adoption of HMMs in genetics not only for imputation, but also for other standard tasks like phasing [24] and simulation [30]. Further details of this model is provided in Section VII-A.

C. Setup and contributions

In this paper, we formulate the genotype hiding problem: We consider a user who wishes to share a partially erased version of their genetic sequence while protecting a list of sensitive positions. Privacy is measured by the mutual information between the sensitive positions and the released sequence, and we adopt a stringent privacy requirement that enforces zero mutual information (i.e., perfect privacy). The goal of the problem is to design a privacy mechanism that satisfies this requirement, while minimizing the number of erasures introduced so as to maximize the utility of the data.

We present such a mechanism with perfect privacy and provide a range of theoretical insights into its performance with respect to its utility, measured by the erasure rate. The proposed mechanism sequentially processes the positions in the sequence in a given ordering and determines a suitable erasure rate at each position based on the previously released positions and the data generating distribution. We prove that our mechanism can be viewed as a locally-optimal, greedy solution for minimizing the erasure rate at each position. Furthermore, we give a lower bound on the number of erasures required for any mechanism satisfying the privacy constraint, and show that our privacy mechanism is in fact (globally) optimal for a class of data generative distributions defined by Markov chains. We also show that finding the optimal ordering for the sequential mechanism is generally intractable (NP-hard), illustrating the limits of current techniques. Lastly, we derive an upper bound on potential privacy leakage due to inaccuracies in the estimation of the data generative model, suggesting that our mechanism is relatively robust to a small amount of noise in the data distribution.

For practical applications, we are particularly interested in data generating distributions induced by hidden Markov models (HMMs), which are broadly adopted in genetics as described in Section VII-A. To this end, we also present a computationally-efficient algorithm to implement the proposed privacy mechanism based on HMMs, and provide an empirical evaluation of its performance on simulated datasets.

The rest of this paper is organized as follows. In Section II, we formalize the genotype-hiding problem. Performance bounds are summarized in Section III. In Section IV, we introduce our privacy mechanism for hiding sensitive genotypes. In Section V, we describe its interpretation as a locally-optimal solution in detail and demonstrate the NP-hardness of finding the optimal ordering in general. The robustness of our privacy mechanism to model mismatch is discussed in Section VI. In Section VII, we propose an efficient implementation of the privacy mechanism for hidden Markov models. Simulation experiments are presented in Section VIII. Finally in Section IX, we conclude the paper and discuss future directions.

II. The Genotype-Hiding Problem

Let X = (X₁, …, X_n) be the user’s personal genome sequence of length n, and each X_i takes values in the alphabet $𝒳$. The user wishes to share X with others, but is concerned about revealing information about certain positions of X. To hide the values at these sensitive positions, the user generates a masked version of the data Y = (Y₁, …, Y_n), which only partially reveals X.

The desired properties of Y are given as follows. First, since we expect substitution errors to be considerably more undesirable than erasures in genetic analyses, we impose a constraint that Y_i can be either X_i or the erasure symbol *. We refer to this property as the faithfulness condition, i.e.,

$$Y_i=X_i\text{or}\ast .(\mathbf{Faithfulness})$$ (1)

Note that the alphabet of Y_i is $𝒳\cup \{\ast \}$.

Next, let $𝒦\subset [n]≔\{1,\dots ,n\}$ be the user-provided set of indices of X containing sensitive information. We assume that $𝒦$ is chosen irrespective of the sequence (i.e., independently from X) based on information such as family history or curated disease associations. We use $X_{𝒦}$ to denote a collection of random variables, i.e., $X_{𝒦}≔\{X_i:i\in 𝒦\}$. We require that no information about $X_{𝒦}$ is revealed when Y is shared. In other words, we require that

$$I(X_{𝒦};\mathbf{Y})=0,(\mathbf{Privacy})$$ (2)

where I(·) denotes the mutual information. We refer to this requirement as the privacy condition. Note that our notion of privacy is stronger than alternatives such as local differential privacy [33], which allows a small amount of leakage. Our work focuses on maximizing the utility over all mechanisms satisfying the perfect privacy condition.

We aim to design a privacy mechanism w (y∣x) to generate Y from given X and $𝒦$ such that both the faithfulness and privacy conditions are satisfied. Here, we consider the ideal scenario where the data generating distribution p (x) is known to the mechanism. We discuss the impact of having an inaccurate p (x) in Section VI; even under this challenging scenario, we show that the potential privacy leakage is bounded by the divergence between the given p (x) and the true distribution. Note that we use uppercase symbols to represent random variables and lowercase symbols to denote their realizations.

While satisfying the above two conditions, we wish to share as much of X as possible. More precisely, let e(Y) be the number of erasure symbols in Y. Our goal is to minimize the expected number of erasures $\mathbb{E}[e(\mathbf{Y})]$, or equivalently the erasure rate $\frac{1}{n}\mathbb{E}[e(\mathbf{Y})]$, where

$$\mathbb{E}[e(\mathbf{Y})]=\sum _{i=\mathbb{1}}^n\mathbb{E}[1\{Y_i=\ast \}]=\sum _{i=1}^{n}p(y_i=\ast ),$$ (3)

and $1\{\cdot \}$ denotes the indicator function.

A formal description of the genotype-hiding problem is given below. We start by defining the privacy mechanism for the genotype-hiding problem as follows.

Definition 1. An (n, $𝒦$) privacy mechanism for a given data generative distribution p (x) with input alphabet ${𝒳}^n$ and output alphabet ${𝒴}^n$ is defined by a probabilistic encoding function

$$\mathsf{Enc}:{𝒳}^n\to {𝒴}^n,$$

where Enc satisfies both the faithfulness condition (Y_i ∈ {X_i, *}, ∀i) and the privacy condition (I($X_{𝒦}$; Y) = 0).

The performance of the privacy mechanism is measured by the expected number of erasures per symbol in an output sequence y. This measure captures the distortion between the input and output sequences induced by a set of single-letter erasures. Following the convention, we define the rate of a privacy mechanism as the fraction of positions that are not erased in the output:

Definition 2. The rate of an (n, $𝒦$) privacy mechanism for a given data generative distribution p (x) is defined by $1-\frac{1}{n}\mathbb{E}[e(\mathsf{Enc}(\mathbf{X}))]$ per symbol.

Definition 3. For any given data distribution p (x), a rate R is achievable if there exists an (n, $𝒦$) privacy mechanism such that

$$1-\frac{1}{n}\mathbb{E}[e(\mathbf{Y})]\ge R,$$ (4)

where Y = Enc(X).

Clearly, if R is achievable then R − ϵ for any ϵ > 0 is also achievable by the definition, so we are interested in finding the maximum achievable rate.

It is worth noting that the encoder Enc(·) can be potentially stochastic, so we may use conditional probabilities w (y∣x) to represent the encoding function. If we treat conditional probabilities w (y∣x) where $\mathbf{x}\in {𝒳}^n$, $\mathbf{y}\in {𝒴}^n$ as decision variables, the genotype-hiding problem can be defined as the following optimization problem:

$$\begin{gathered} \underset{w(\mathbf{y}\mid \mathbf{x})}{\text{maximize}}1-\frac{1}{n}\sum _{i=1}^{n}p(y_i=\ast ) \\ \text{subject to}I(X_{𝒦};\mathbf{Y})=0(\text{Privacy}) \\ {Y}_i\in \{X_i,\ast \},\forall i(\text{Faithfulness}) \end{gathered}$$ (5)

Note that this problem maximizes the information rate (utility) under the stringent privacy constraint such that no information about the sensitive positions is leaked.

If we express the objective and the constraints explicitly in terms of the conditional probabilities w (y∣x), the optimization problem (5) can be viewed as an instance of linear programming (LP). However, the scale of the problem is intractable in practice, given the exponential blowup in the number of variables and constraints as the length of the sequence n grows; the number of decision variables is $\mid 𝒳{\mid }^n\mid 𝒴{\mid }^n$, and the number of constraints is in the order of $\mid 𝒳{\mid }^{\mid 𝒦\mid }\mid 𝒴{\mid }^n+n\mid 𝒳\mid \mid 𝒴\mid$.

Therefore, the ultimate goal of this paper is to identify a solution to the genotype-hiding problem in a tractable and computationally-efficient manner. To this end, we first present an achievable privacy mechanism as well as an upper bound on the maximum achievable rate. Then we show that the proposed privacy mechanism is computationally efficient for a particular data generative distribution, namely hidden Markov models, which is of broad interest in our motivating application in genomics.

III. Performance Bounds

In this section, we state the performance bounds on the achievable rate in the following theorems.

Theorem 1. For a given data distribution p (x), a rate R is achievable if

$$R\le \frac{1}{n}\sum _{i=1}^n\sum _{x_i\in 𝒳}{\mathbb{E}}_{Y_{[i-1]}}\left[\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p\left(x_i\mid x_{𝒦}=u,Y_{[i-1]}\right)\right].$$ (6)

A detailed description of the achievable scheme will be presented in Section IV. The right-hand side of (6) may appear unconventional, given that conditioning on Y_[i−1] for each i makes the probability term generally hard to compute as the sequence length n grows. However, this expression corresponds to a sequential mechanism where the encoder generates Y₁, …, Y_n one position at a time, and an efficient update exists for incrementally expanding the conditioning set. As an example, in Section VII, we present a concrete implementation of the privacy mechanism for data distributions governed by hidden Markov models, which indeed allows the right-hand side of (6) to be efficiently computed.

Theorem 2. For a given data distribution p (x), any achievable rate R must satisfy

$$R\le \frac{1}{n}\sum _{i=1}^n\sum _{x_i\in 𝒳}\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p(x_i\mid x_{𝒦}=u).$$ (7)

It is worth noting that, given a data distribution p (x), each summand in the right-hand side of (7) represents the conditional probability of the observation x_i at coordinate i when the sensitive positions $x_{𝒦}$ take on the least-likely values, which can be determined from the given p (x).

Proof: From (3), we know that to establish (7), it is sufficient to show

$$p(y_i\ne \ast )\le \sum _{x_i\in 𝒳}\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p(x_i\mid x_{𝒦}=u)$$ (8)

for any mechanism satisfying the privacy and faithfulness conditions. Consider

$$\begin{gathered} p(y_i\ne \ast )=\sum _{y_i\in 𝒳}p(y_i) \\ \stackrel{(\mathrm{a})}{=}\sum _{y_i\in 𝒳}\underset{u}{\text{min}}p(y_i\mid x_{𝒦}=u) \\ \stackrel{(\mathrm{b})}{=}\sum _{y_i\in 𝒳}\underset{u}{\text{min}}p(y_i=x_i\mid x_{𝒦}=u) \\ =\sum _{x_i\in 𝒳}\underset{u}{\text{min}}p(x_i\mid x_{𝒦}=u)p(y_i=x_i\mid x_i,x_{𝒦}=u) \\ \stackrel{(\mathrm{c})}{\le }\sum _{x_i\in 𝒳}\underset{u}{\text{min}}p(x_i\mid x_{𝒦}=u), \end{gathered}$$ (9)

where (a) is due to the fact that Y_i is independent of $X_{𝒦}$ (privacy condition); (b) follows from the faithfulness condition Y_i ∈ {X_i; *}; and (c) follows from the fact that probabilities are bounded above by 1.

Although not true in general, the upper bounds in (6) and (7) match under special circumstances, implying the optimality of an achievable mechanism. That is,

$$\begin{gathered} \sum _{x_i\in 𝒳}\sum _{y_{[i-1]}}p\left(y_{[i-1]}\right)\underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right) \\ =\sum _{x_i\in 𝒳}\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p(x_i\mid x_{𝒦}=u). \end{gathered}$$ (10)

We observe that a sufficient condition for this equality is given by the following: for any x_i, if

$$u^{\ast }\in \text{arg}\underset{u}{\text{min}}p(x_i\mid x_{𝒦}=u),$$ (11)

then

$$u^{\ast }\in \text{arg}\underset{u}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)$$ (12)

for all possible y_[i−1]. Intuitively, this means that for any given position x_i, the least-likely values of the (unobserved) sensitive positions $x_{𝒦}$ remains the same regardless of the positions that have been previously released in the output y_[i−1] during the course of the mechanism.

A special case that satisfies this optimality condition is when random variables X₁, …, X_n form a Markov chain (i.e., p (x) is induced by a Markov chain), with a single sensitive position. Without loss of generality, we assume $𝒦=\{1\}$.

Corollary 1 (Markov chain). If X₁, …, X_n forms a Markov chain and the sensitive position is $𝒦=\{1\}$, then a rate R is achievable if and only if

$$R\le \frac{1}{n}\sum _{i=1}^n\sum _{x_i\in 𝒳}\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p(x_i\mid x_{𝒦}=u).$$ (13)

It is sufficient to justify the corollary by showing that the aforementioned sufficient condition holds. The proof is included in Appendix A.

IV. Privacy Mechanism

In this section, we present a privacy mechanism for generating Y based on a given p (x), whose performance matches the bound given in (6), while satisfying both faithfulness and privacy conditions.

Let us first recall the genotype-hiding problem introduced in (5), i.e.,

$$\begin{gathered} \underset{w(\mathbf{y}\mid \mathbf{x})}{\text{maximize}}1-\frac{1}{n}\sum _{i=1}^{n}p(y_i=\ast ) \\ \text{subject to}I(X_{𝒦};\mathbf{Y})=0(\text{Privacy}) \\ {Y}_i\in \{X_i,\ast \},\forall i.(\text{Faithfulness}) \end{gathered}$$ (14)

This problem is difficult to solve in its general form given the exponentially growing number of decision variables in w (y∣x) as the sequence length n grows. Instead, we adopt a greedy optimization approach, whereby the erasure probability of y_i is locally minimized, one position at a time, from 1 to n. In other words, for each i = 1, …, n, we solve

$$\begin{gathered} \underset{w\left(y_i\mid \mathbf{x},y_{[i-1]}\right)}{\text{minimize}}p(y_i=\ast \mid y_{[i-1]}) \\ \text{subject to}I(X_{𝒦};Y_i\mid Y_{[i-1]})=0 \\ {Y}_i\in \{X_i,\ast \}, \end{gathered}$$ (15)

for any given y_[i−1]. Note that

$$I(X_{𝒦};\mathbf{Y})=\sum _{i=1}^{n}I(X_{𝒦};Y_i\mid Y_{[i-1]})=0,$$ (16)

by the chain rule, so if the first constraint of (15) is satisfied for all i, then the solution preserves the required privacy constraint $I(X_{𝒦};\mathbf{Y})=0$ as defined in (2). The second constraint is inherited directly from the faithfulness condition. In other words, any solution satisfying the constraints of (15) for all i will naturally be a feasible solution to the genotype-hiding problem in (5).

We observe that solving the local optimization problem (15) gives rise to a sequential mechanism for generating Y. That is, we generate Y one position at a time, where the conditional distribution for Y_i may depend on the values of Y₁, …, Y_i−1 that have been previously generated. The following defines our chosen privacy mechanism for any given position i, which is in fact an optimal solution to the local optimization problem (15). A detailed proof of the local optimality of this scheme is deferred to Section V.

Privacy mechanism: Generate each Y_i according to the following conditional distribution

$$\begin{gathered} w\left(y_i\mid x_i,x_{𝒦},y_{[i-1]}\right) \\ =\{\begin{array}{cc}\frac{{\text{min}}_{u\in {𝒳}^{\mid 𝒦\mid }}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)}{p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)},\hfill & \text{if}{y}_i=x_i,\hfill \\ 1-\frac{{\text{min}}_{u\in {𝒳}^{\mid 𝒦\mid }}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)}{p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)},\hfill & \text{if}{y}_i=\ast ,\hfill \\ 0,\hfill & \text{otherwise},\hfill \end{array}\phantom{\}} \end{gathered}$$ (17)

for any x_i, $x_{𝒦}$ and y_[i−1], where [i − 1] := {1, …, i − 1}.

The expression for the erasure probability in the above mechanism can be intuitively understood as follows. We first identify the values of the sensitive positions with the smallest likelihood of generating the observed symbol x_i at the i-th position (as indicated by the numerator in the fractional term), conditioned on the previously released positions y_[i−1]. Note that u is an auxiliary variable denoting the possible values in the alphabet ${𝒳}^{\mid 𝒦\mid }$, whereas $x_{𝒦}$ denotes the observed values at the sensitive positions. We then choose the erasure probability such that, the probability of releasing the original symbol (without erasure) becomes identical among different hypothetical values of $x_{𝒦}$, thus ensuring privacy.

It is worth noting that our privacy mechanism satisfies the faithfulness condition (i.e., y_i ∈ {x_i, *}) by design, so we only need to verify that it satisfies the privacy constraint (2). Before verifying the privacy constraint, we note the following properties of the mechanism.

1. If $i\in 𝒦$, then

   $$\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)=0,$$ (18)

   which yields

   $$w\left(y_i=\ast \mid x_i,x_{𝒦},y_{[i-1]}\right)=1.$$ (19)

   This implies that X_i is always erased if it corresponds to one of the sensitive positions in $𝒦$.

2. We notice from (17) that X_i is not erased with some nonzero probability, so this mechanism is strictly better than the naïve approach of always erasing any position that have a nonzero correlation with the sensitive positions.

Proof of privacy: To show that the proposed mechanism in (17) satisfies the privacy condition (2), it is sufficient to show

$$I(Y_i;X_{𝒦}\mid Y_1,\dots ,Y_{i-1})=0,$$ (20)

for all i = 1, …, n, since this implies

$$I(X_{𝒦};\mathbf{Y})=\sum _{i=1}^{n}I(X_{𝒦};Y_i\mid Y_{[i-1]})=0$$ (21)

by the chain rule. To establish (20), we will equivalently prove that

$$p\left(y_i\mid x_{𝒦},y_{[i-1]}\right)=p\left(y_i\mid y_{[i-1]}\right)$$ (22)

for any $x_{𝒦}$, y_[i−1] and y_i. Since

$$\begin{gathered} p\left(y_i\mid x_{𝒦},y_{[i-1]}\right) \\ =\sum _{x_i\in 𝒳}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)w\left(y_i\mid x_i,x_{𝒦},y_{[i-1]}\right), \end{gathered}$$ (23)

by substituting (17), we have

$$\begin{gathered} p\left(y_i=\ast \mid x_{𝒦},y_{[i-1]}\right) \\ =\sum _{x_i}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)w\left(y_i=\ast \mid x_i,x_{𝒦},y_{[i-1]}\right) \\ =1-\sum _{x_i\in 𝒳}\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right). \end{gathered}$$ (24)

Similarly, for $y_i\in 𝒳$, we have

$$\begin{gathered} p\left(y_i\mid x_{𝒦},y_{[i-1]}\right) \\ =\sum _{x_i\in 𝒳}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)w\left(y_i=x_i\mid x_i,x_{𝒦},y_{[i-1]}\right) \\ =\sum _{x_i\in 𝒳}\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right). \end{gathered}$$ (25)

We can observe that the right-hand sides of both (24) and (25) are independent of $x_{𝒦}$, and hence by combining (24) and (25), we have

$$p\left(y_i\mid x_{𝒦},y_{[i-1]}\right)=p\left(y_i\mid y_{[i-1]}\right),$$ (26)

for any $x_{𝒦}$, y_[i−1] and y_i, which finishes the proof of (22).

Finally, we can easily verify that our sequential privacy mechanism (17) achieves the rate

$$\begin{gathered} 1-\frac{1}{n}\sum _{i=1}^{n}p\left(y_i=\ast \right) \\ =1-\frac{1}{n}\sum _{i=1}^n\sum _{y_{[i-1]}}p\left(y_i=\ast \mid y_{[i-1]}\right)p\left(y_{[i-1]}\right) \\ \stackrel{(\mathrm{a})}{=}1-\frac{1}{n}\sum _{i=1}^n\sum _{y_{[i-1]}}p\left(y_{[i-1]}\right) \\ \left(1-\sum _{x_i\in 𝒳}\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)\right) \\ =\frac{1}{n}\sum _{i=1}^n\sum _{y_{[i-1]}}p\left(y_{[i-1]}\right)\sum _{x_i\in 𝒳}\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right) \\ =\frac{1}{n}\sum _{i=1}^n\sum _{x_i\in 𝒳}\sum _{y_{[i-1]}}p\left(y_{[i-1]}\right)\underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right), \end{gathered}$$ (27)

where (a) follows by (24) and (26). The final expression is identical to the right-hand side of (6) as desired.

Example. We present an example to illustrate the operations of the proposed privacy mechanism in a simplified setting. Let us consider a data distribution p (x) where X₁; …, X_n form a Markov chain, as in Corollary 1, and a single sensitive position $𝒦=\{1\}$.

By inspecting the privacy mechanism in (17), we know that if y_i−1 ≠ * for some i > 1, then

$$\begin{gathered} p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)=p\left(x_i\mid x_{𝒦}=u,y_{[i-1]},x_{i-1}=y_{i-1}\right) \\ =p(x_i\mid x_{i-1}=y_{i-1}), \end{gathered}$$ (28)

for any x_i and y_[i−1] by the Markov property and the fact that $𝒦=\{1\}$. This implies that

$$\begin{gathered} w\left(y_i=x_i\mid x_i,x_{𝒦},y_{[i-1]}\right)=\frac{{\text{min}}_{u\in {𝒳}^{\mid 𝒦\mid }}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)}{p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)} \\ =\frac{p\left(x_i\mid x_{i-1}=y_{i-1}\right)}{p\left(x_i\mid x_{i-1}=y_{i-1}\right)} \\ =1, \end{gathered}$$ (29)

which means that if y_i−1 ≠ * then y_i ≠ * with probability one.

Thus, when p (x) is specified by a Markov chain, we see that the privacy mechanism erases all positions within a window from the sensitive position and releases the rest without erasure, and the size of the window is stochastically chosen. This observation suggests that, in contrast to the heuristic approach of deterministically choosing a window for erasure, our mechanism introduces additional uncertainty about sensitive data (in fact achieving perfect privacy) by randomizing the choice of the window. Later in Section VIII, we present a simulation experiment comparing our mechanism with the deterministic window-based erasure approach with respect to the privacy-utility trade-off, based on a more realistic data distribution defined by hidden Markov models.

V. Local Optimality

In the previous section, we proposed a privacy mechanism for the genotype-hiding problem satisfying both privacy and faithfulness conditions. Here, we provide further insights into the optimality of the proposed mechanism. We first prove that the mechanism is indeed an optimal solution to the local optimization problem in (15) as claimed, and thus can be viewed as a greedy solution to the general genotype-hiding problem in (5) given a fixed variable ordering (i.e., the order in which Y_i’s are sampled). We then present a negative result to inform future investigation, showing that finding an optimal variable ordering for the mechanism is intractable (NP-hard) in general, thus illustrating the limits of current techniques in achieving global optimality.

A. Optimality with respect to the local optimization problem

Let us first recall the local optimization problem (15), i.e.,

$$\begin{gathered} \underset{w\left(y_i\mid \mathbf{x},y_{[i-1]}\right)}{\text{minimize}}p\left(y_i=\ast \mid y_{[i-1]}\right) \\ \text{subject to}I(X_{𝒦};Y_i\mid Y_{[i-1]})=0 \\ {Y}_i\in \{X_i,\ast \}. \end{gathered}$$ (30)

As we have shown,

$$I(X_{𝒦};\mathbf{Y})=\sum _{i=1}^{n}I(X_{𝒦};Y_i\mid Y_{[i-1]})=0,$$ (31)

by the chain rule, so any solution satisfying the constraints of (15) for all i is a feasible solution to the general genotypehiding problem in (5).

We now show that the privacy mechanism in (17) is optimal with respect to the above optimization problem. First, for any given y_[i−1], note that

$$\begin{gathered} p\left(y_i=\ast \mid y_{[i-1]}\right) \\ =1-\sum _{y_i\in 𝒳}p\left(y_i\mid y_{[i-1]}\right) \\ \stackrel{(\mathrm{a})}{=}1-\sum _{y_i\in 𝒳}\underset{x_{𝒦}}{\text{min}}p\left(y_i\mid x_{𝒦},y_{[i-1]}\right) \\ \stackrel{(\mathrm{b})}{=}1-\sum _{y_i\in 𝒳}\underset{x_{𝒦}}{\text{min}}p\left(y_i=x_i\mid x_{𝒦},y_{[i-1]}\right) \\ =1-\sum _{x_i\in 𝒳}\underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)w\left(y_i=x_i\mid x_i,x_{𝒦},y_{[i-1]}\right) \\ \stackrel{(\mathrm{c})}{\ge }1-\sum _{x_i\in 𝒳}\underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right), \end{gathered}$$ (32)

where (a) follows from the privacy condition, (b) follows from the faithfulness condition, and (c) holds because probability values are at most 1. This implies that any feasible solution to the local optimization problem (15) has to satisfy

$$p\left(y_i=\ast \mid y_{[i-1]}\right)\ge 1-\sum _{x_i\in 𝒳}\underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right),$$ (33)

and that it is optimal if the last step holds with equality, i.e.,

$$\begin{gathered} \underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)w\left(y_i=x_i\mid x_i,x_{𝒦},y_{[i-1]}\right) \\ =\underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right), \end{gathered}$$ (34)

for any x_i and y_[i−1].

By plugging in the proposed mechanism in (17), we have

$$\begin{gathered} \underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)w\left(y_i=x_i\mid x_i,x_{𝒦},y_{[i-1]}\right) \\ =\underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)\frac{{\text{min}}_{u\in {𝒳}^{\mid 𝒦\mid }}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)}{p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)} \\ =\underset{x_{𝒦}}{\text{min}}\underset{u\in {𝒳}^{\mid 𝒦\mid }}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right) \\ =\underset{x_{𝒦}}{\text{min}}p\left(x_i\mid x_{𝒦},y_{[i-1]}\right), \end{gathered}$$ (35)

where the last step follows because the two minimizations, both over the alphabet of $X_{𝒦}$, are equivalent and can be merged. This implies that the mechanism (17) attains the minimum probability of erasing Y_i and thus is an optimal solution to the local optimization problem (15). Therefore, our sequential privacy mechanism can be viewed as a locally-optimal algorithm for solving the general genotype-hiding problem (5), given a fixed variable ordering.

B. NP-hardness of finding an optimal variable ordering

So far, we considered the privacy mechanism that generates a masked sequence Y₁, …, Y_n in a linear order from 1 to n. A natural question is then whether this linear ordering is optimal in terms of the erasure rate that the locally-optimal mechanism achieves. Here, we illustrate the difficulty of determining the optimal variable ordering for the mechanism from a complexity theory perspective, by proving that it is NP-hard in general. This suggests that devising an efficient mechanism with better optimality guarantees in the general setting requires additional assumptions or techniques to circumvent this impossibility result, which is an interesting direction for further research.

To formalize the problem, let (o₁, …, o_n) be any permutation of (1, …, n). We consider generating Y in the order of o₁, …, o_n instead. In this setting, the privacy mechanism (17) is defined by the conditional distribution

$$\begin{gathered} w\left(y_{o_i}\mid x_{o_i},x_{𝒦},y_{o_{[i-1]}}\right) \\ =\{\begin{array}{cc}\frac{{\text{min}}_{u\in {𝒳}^{\mid 𝒦\mid }}p\left(x_{o_i}\mid x_{𝒦}=u,y_{o_{[i-1]}}\right)}{p\left(x_{o_i}\mid x_{𝒦},y_{o_{[i-1]}}\right)},\hfill & \text{if}{y}_{o_i}=x_{o_i},\hfill \\ 1-\frac{{\text{min}}_{u\in {𝒳}^{\mid 𝒦\mid }}p\left(x_{o_i}\mid x_{𝒦}=u,y_{o_{[i-1]}}\right)}{p\left(x_{o_i}\mid x_{𝒦},y_{o_{[i-1]}}\right)},\hfill & \text{if}{y}_{o_i}=\ast ,\hfill \\ 0,\hfill & \text{otherwise},\hfill \end{array}\phantom{\}} \end{gathered}$$ (36)

for any x_oi, $x_{𝒦}$ and y_o[i−1], where o_[i−1] := {o₁, …, o_i−1}. It is easy to see that the faithfulness and privacy conditions are still satisfied regardless of the ordering.

In the following, we show that finding the best ordering (o₁, …, o_n) that minimizes the erasure rate of the mechanism is NP-hard by constructing a polynomial-time reduction of the well-known hitting set problem [34] to our problem. More specifically, given an arbitrary instance of a hitting set problem, we construct an instance of the genotype-hiding problem for which finding the optimal ordering for the privacy mechanism is equivalent to solving the original hitting set problem.

At the core of this reduction is a bipartite graph, illustrated in Figure 2, which we use to represent both an instance of the hitting set problem and to construct a corresponding instance of the genotype-hiding problem, as we explain in detail below. To clarify the dimensions of the problems upfront, note that we represent a hitting set problem for k sets over m elements using a bipartite graph with m left nodes and k right nodes, and the resulting genotype-hiding problem is over a sequence of length n = m + k with k sensitive positions $(\mid 𝒦\mid =k)$ and a specially constructed p (x).

Fig. 2:

A graphical illustration of the bipartite graph used in our NP-hardness proof, representing an instance of the hitting set problem. The universe U is represented by vertices on the left, sets are represented by vertices on the right, and the edges represent the inclusion of elements in each set. To facilitate reduction to the genotype-hiding problem, we associate each edge with an independent and uniformly random bit b_i,j.

We first review the hitting set problem. Consider a universe U = {v₁, …, v_m} and a collection of non-empty subsets $𝒮=\{S_1,\dots ,S_{𝒦}\}$ such that S_j ⊆ U for all j ∈ [k]. Without loss of generality, assume that $U={\bigcup }_{j=1}^k{S}_j$, and U = [m]. A universe U and sets {S₁, …, S_k} can be represented by a bipartite graph, as depicted in Fig. 2. The goal of the hitting set problem is to find the minimum cardinality h* of a set V ⊆ U that satisfies V ∩ S_i ≠ ∅ for all i, that is

$$h^{\ast }=\underset{V\subseteq U:V\cap S_j\ne \varnothing ,\forall j\in [k]}{\text{min}}\mid V\mid .$$ (37)

Next, we construct the corresponding genotype-hiding problem from the given hitting set problem instance (U, $𝒮$). For any i ∈ [m], j ∈ [k] such that i ∈ S_j, let b_i,j be a random variable which is independently and uniformly drawn from {0,1}. In other words, each edge in the bipartite graph is associated with a random bit b_i,j (see Fig. 2). Then, we define X to be a sequence of length n = m + k as follows. Let X_i for i ∈ [m] be a tuple of random bits associated with edges connected to node v_i, i.e.,

$$X_i=(b_{i,j_1},\dots ,b_{i,j_r}),$$ (38)

where {j₁, …, j_r} = {j : i ∈ S_j}. Next, let X_m+j for j ∈ [k] be

$$X_{m+j}=\underset{i\in S_j}{\oplus }{b}_{i,j},$$ (39)

which can be viewed as a parity check bit over the edges connected to node S_j. In other words, the first m positions of the sequence are uniform and independently distributed symbols (a tuple of random bits), whereas the remaining k positions are parity check bits defined over the first m positions.

Note that the joint distribution p (x) = p(x₁, …, x_m+k) is succinctly characterized by the random bits b_i,j‘s and the associated bipartite graph, and thus the description of the genotype-hiding problem can be generated in polynomial time with respect to m and k. In the following, we refer to the above data generating distribution as p (x; U, $𝒮$), with respect to which the corresponding genotype-hiding problem is defined.

Theorem 3. Given a data generating distribution p (x; U, S) for a sequence of length n = m + k and sensitive positions $𝒦=\{m+1,\dots ,m+k\}$, finding the best ordering (o₁, …, o_m+k) that minimizes the erasure rate of our mechanism (36) is NP-hard.

We provide a sketch of the proof here and defer the details to Appendix C . First, we note the key property of p (x; U, S) that whether or not our mechanism erases the o_i-th position is deterministic given the variable ordering, as stated in the following lemma.

Lemma 2. Given a data generating distribution p (x; U, S) for a sequence of length n = m + k and sensitive positions $𝒦=\{m+1,\dots ,m+k\}$, the conditional sampling distribution of our privacy mechanism satisfies

$$w\left(y_{o_i}=\ast \mid x_{o_i},x_{𝒦},y_{o_{[i-1]}}\right)\in \{0,1\}$$ (40)

for all i, given any ordering π = (o₁; …, o_m+k).

Proof: See Appendix B.

As a result of Lemma 2, the overall erasure rate of the privacy mechanism can be calculated simply by counting the number of erased positions. Note that, if $o_i\in 𝒦$, then

$$w\left(y_{o_i}=\ast \mid x_{o_i},x_{𝒦},y_{o_{[i-1]}}\right)=1,$$ (41)

regardless of the ordering as we have previously shown. Thus, we need to compare only the erased indices in $[m]=[m+k]\setminus 𝒦$ for finding the best ordering.

Let E_π be the set of erased indices in [m] for a given ordering π = (o₁, …, o_n), i.e.,

$$E_{\pi }=\{i:y_i=\ast ,i\in [m]\},$$ (42)

where the distribution over Y is determined by the privacy mechanism. Then, finding the best ordering corresponds to finding π that leads to the minimum cardinality e* of the corresponding E_π:

$$e^{\ast }=\underset{\pi }{\text{min}}\mid E_{\pi }\mid .$$ (43)

Intuitively, whether a particular index i ∈ [m] is included in E_π can be easily determined based on the bipartite graph representation of the underlying hitting set problem (see Fig. 2) as follows. The ordering π = (o₁, …, o_m+k) specifies the order in which the m nodes on the left-hand side of the graph, each with a corresponding X_i, is visited by the mechanism (disregarding the sensitive indices o_i ∉ [m], which are always erased). As we show in the proof of Lemma 2, when we visit the node o_i ∈ [m], X_oi is erased if and only if there exists a node j ∈ [k] on the right-hand side of the graph that is connected to o_i and only to other nodes (if any) that are previously visited and not erased. The presence of such a node j indicates that the sensitive variable X_m+j is directly revealed by X_oi (since the rest of random bits contributing to X_m+j are already released in Y without erasure), while the absence of such j indicates the existence of other positions that are erased or have not been released that fully mask the correlation between X_oi and the sensitive positions.

Finally, we complete the reduction by showing that solving (43) also produces a solution for the hitting set problem (37), i.e., e* = h*. This is achieved by showing both that the set of erased indices E_π is in fact a valid hitting set (e* ≥ h*), and that there exists an ordering π satisfying ∣E_π∣ ≤ ∣V∣ for any given hitting set V(e* ≤ h*). A detailed proof is included in Appendix C.

Since the hitting set problem is equivalent to the set cover problem and is well-known to be NP-hard, our reduction proves that finding the best ordering π for our privacy mechanism given any p (x) and $𝒦$ is also NP-hard. We note that this result does not preclude the possibility that for a restricted class of genotype-hiding problems (e.g., with a structured p (x) defined by HMMs), one could still find an efficient polynomial-time algorithm for determining the optimal variable ordering, which remains an interesting open question.

VI. Robustness

In this section, we discuss the robustness of our mechanism with respect to the underlying data distribution. In our formulation of the privacy mechanism, the distribution (or the data generative model) p (x), from which the input genome sequence originated, is assumed to be known. In practice, one can only empirically estimate this distribution based on existing data resources, e.g., by obtaining maximum likelihood estimates of the model parameters based on a large collection of reference genomes in public data repositories. Consequently, the generative model used by the mechanism is bound to have deviations from the true generative process, both in terms of the limitations of the model as well as the noisy estimation of the parameters. These discrepancies can potentially lead to privacy leakage if the adversary has access to a more accurate distribution for the underlying input. Here, we study the potential privacy leakage under the worst-case scenario, where the adversary has access to the true underlying distribution. We bound the potential leakage as a function of the distance between the data distribution used by the mechanism and the true underlying distribution, suggesting that our mechanism is robust to small deviations in the noisy data distribution we expect to encounter in real-world use cases.

We denote the noisy data distribution used by the mechanism by q (x) and the true distribution by p (x). The privacy mechanism constructs the sampling distribution w(y∣x) based on the available q (x) such that the output Y is independent of sensitive genotypes $X_{𝒦}$ with respect to the joint distribution q (x, y) induced by q (x) and the mechanism w(y∣x), i.e.,

$$\begin{gathered} q(x_{𝒦},\mathbf{y})=\sum _{x_{[n]\setminus 𝒦}}q(\mathbf{x},\mathbf{y}) \\ =\sum _{x_{[n]\setminus 𝒦}}w(\mathbf{y}\mid \mathbf{x})q(\mathbf{x})=q(x_{𝒦})q(\mathbf{y}). \end{gathered}$$ (44)

Since X is actually generated from p (x) not q (x), we also define the true joint distribution p (x, y) induced by p (x) and the mechanism w(y∣x); note that the mechanism is still based on q (x).

Then, we can measure the unforeseen privacy leakage due to the mismatch in data distribution by the mutual information I(p($x_{𝒦}$); p (y)) between the sensitive genotypes and the output sequence with respect to p (x, y), as follows:

$$\begin{gathered} I(p(x_{𝒦});p(\mathbf{y})) \\ =\sum _{x_{𝒦},\mathbf{y}}p(x_{𝒦},\mathbf{y})\log \frac{p(x_{𝒦},\mathbf{y})}{p(\mathbf{y})p(x_{𝒦})} \\ =\sum _{x_{𝒦},\mathbf{y}}p(x_{𝒦},\mathbf{y})\log \frac{p(x_{𝒦},\mathbf{y})q(x_{𝒦},\mathbf{y})}{p(\mathbf{y})p(x_{𝒦})q(x_{𝒦},\mathbf{y})} \\ \stackrel{(\mathrm{a})}{=}\sum _{x_{𝒦},\mathbf{y}}p(x_{𝒦},\mathbf{y})\log \frac{p(x_{𝒦},\mathbf{y})q(x_{𝒦})q(\mathbf{y})}{p(\mathbf{y})p(x_{𝒦})q(x_{𝒦},\mathbf{y})} \\ =D(p(x_{𝒦},\mathbf{y})\Vert q(x_{𝒦},\mathbf{y}))-D(p(x_{𝒦})\Vert q(x_{𝒦})) \\ -D(p(\mathbf{y})\Vert q(\mathbf{y})), \end{gathered}$$ (45)

where D(· ∥ ·) denotes relative entropy or equivalently Kullback-Leibler (KL) divergence, and (a) follows from (44). This leads to the following theorem.

Theorem 4. I(p ($x_{𝒦}$); p (y)) ≤ D(p (x) ∥q (x)).

Proof: See Appendix D.

This result implies that the amount of privacy leakage due to the potential mismatch between the data distribution used by the mechanism and the true underlying generative process gracefully scales with the extent to which the two distributions diverge.

VII. Privacy Mechanism for Hidden Markov Models

Thus far, we considered the data generative model p (x) of the privacy mechanism to be an arbitrary distribution. Here, we address a particular form of p (x) of great interest for our application setting in genomics, namely the Li and Stephens model [27], which is based on a hidden Markov model. This model is widely adopted in genetics for a wide range of tasks that require a probabilistic model of the genome [35]. For this class of p (x), we propose an efficient algorithm to implement the privacy mechanism introduced in Section IV.

A. Review of hidden Markov models for genomes

The classical hidden Markov model (HMM) describing the distribution of personal genomes [27] is as follows. First, let X = (X₁, X₂, …, X_n) represent an individual’s (haplotype) genetic sequence of length n. Following standard practice in genetics, we adopt a binary alphabet $𝒳=\{0,1\}$ for each element X_i, representing whether the observed nucleotide is identical to the one in the reference human genome (called reference allele) or not (alternative allele). In addition, we are given a reference dataset of m personal genome sequences $\mathscr{H}=\{{\mathbf{h}}_j:j=1,\dots ,m\}$, where each sequence h_j is of length n. The i-th coordinate of h_j is denoted by h_i,j, which also takes a value in $𝒳$.

In this model, X is viewed as a “mosaic” of reference sequences in $\mathscr{H}$ with potential substitution errors arising from mutations or experimental noise in sequencing. Formally, X depends on a sequence of hidden states $\{S_i{\}}_{i=1}^n$ forming a Markov chain, where each S_i takes an integer in the range {1, …, m}, representing an index into $\mathscr{H}$. Without loss of generality, we assume that the initial state S₁ is uniformly distributed over {1, …, m}. The transition probability π_i,j from state i to j is set to $\frac{ϵ}{m-1}$ and 1 − ϵ for i ≠ j and i = j, respectively. The parameter ϵ is often called the recombination probability; in the following we also use the term crossover probability to refer to this quantity.

Next, each X_i is sampled based on the hidden state S_i by copying the corresponding symbol in the selected reference sequence with a small probability of error. In other words, X_i is equal to the symbol in the i-th position of h_Si with error probability θ. The overall data distribution p (x) is fully specified by the tuple ($\mathscr{H}$, ϵ, θ). We provide a graphical illustration of p (x) in Fig. 3. In our work, we treat the parameters of the above model as given. In practice, these parameters are estimated from a large collection of reference genomes, e.g., including hundreds of thousands of individuals, which are available in public data repositories such as the UK Biobank [36].

Fig. 3:

A graphical illustration of HMM for genomes. The state space of the hidden states is {1, …, m}, where each element corresponds to an index into the reference dataset {h₁, …, h_m} (each of length n). A Markov process $\{S_i{\}}_{i=1}^n$ indicates which reference sequence the user reads the data from at the i-th position. For each i, X_i differs from the i-th position of h_Si with probability θ, representing noise in the data. BSC_θ: Binary symmetric channel with crossover probability θ.

B. An efficient algorithm for HMMs

In this section, we propose an efficient algorithm to implement the privacy mechanism introduced in Section IV for p (x) based on a hidden Markov model (H, ϵ, θ) described in the previous section. The outline of our algorithm is provided in Algorithm 1.

As seen in (17), the privacy mechanism determines the probability of erasing x_i mainly based on the probability p (x_i∣$x_{𝒦}$, y_[i−1]). By employing a belief propagation approach akin to the well-known forward-backward algorithm [37], we track the computation of p (x_i∣$x_{𝒦}$ = u y_[i−1]), for all $u\in {𝒳}^{\mid 𝒦\mid }$ efficiently. The novelty of our algorithm is that it incorporates the stochasticity of the privacy mechanism in addition to that of the HMM.

First, note that it is sufficient to describe how to compute p (x_i∣$x_{𝒦}$ = u, y_[i−1]) for all $u\in {𝒳}^{\mid 𝒦\mid }$ and i ∈ [n], which fully determines the distribution of y₁, …, y_n specified by our privacy mechanism, i.e.,

$$\begin{gathered} p\left(y_i\mid x_i,x_{𝒦},y_{[i-1]}\right) \\ =\{\begin{array}{cc}\frac{{\text{min}}_{u\in {𝒳}^{\mid 𝒦\mid }}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)}{p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)},\hfill & \text{if}{y}_i=x_i,\hfill \\ 1-\frac{{\text{min}}_{u\in {𝒳}^{\mid 𝒦\mid }}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)}{p\left(x_i\mid x_{𝒦},y_{[i-1]}\right)},\hfill & \text{if}{y}_i=\ast ,\hfill \\ 0,\hfill & \text{otherwise}.\hfill \end{array}\phantom{\}} \end{gathered}$$ (46)

We begin by expressing p (x_i∣$x_{𝒦}$ = u, y_[i−1]) as

$$\begin{gathered} p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right) \\ =\sum _{s_i}p\left(s_i\mid x_{𝒦}=u,y_{[i-1]}\right)p\left(x_i\mid s_i,x_{𝒦}=u,y_{[i-1]}\right) \\ =\sum _{s_i,s_{i-1}}p\left(s_{i-1}\mid x_{𝒦}=u,y_{[i-1]}\right)p\left(s_i\mid s_{i-1},x_{𝒦}=u\right)p(x_i\mid s_i). \end{gathered}$$ (47)

Note that

$$\begin{gathered} p\left(s_i\mid s_{i-1},x_{𝒦}=u\right) \\ =\frac{p(s_i,s_{i-1},x_{𝒦}=u)}{p(s_{i-1},x_{𝒦}=u)} \\ =\frac{p\left(s_{i-1}\mid x_{{𝒦}_{i-}}=u_{-}\right)p\left(s_i\mid s_{i-1}\right)p\left(x_{{𝒦}_{i+}}=u_{+}\mid s_i\right)}{p\left(s_{i-1}\mid x_{{𝒦}_{i-}}=u_{-}\right)p\left(x_{{𝒦}_{i+}}=u_{+}\mid s_{i-1}\right)} \\ =\frac{p\left(s_i\mid s_{i-1}\right)p\left(x_{{𝒦}_{i+}}=u_{+}\mid s_i\right)}{p\left(x_{{𝒦}_{i+}}=u_{+}\mid s_{i-1}\right)} \\ =\frac{p\left(s_i\mid s_{i-1}\right)p\left(x_{{𝒦}_{i+}}=u_{+}\mid s_i\right)}{{\sum }_{s_i}p\left(s_i\mid s_{i-1}\right)p\left(x_{{𝒦}_{i+}}=u_{+}\mid s_i\right)}, \end{gathered}$$ (48)

where ${𝒦}_{i-}≔𝒦\cap \{1,\dots ,i-1\}$, ${𝒦}_{i+}≔𝒦\cap \{i,\dots ,n\}$, u₋ and u₊ are corresponding values of $x_{{𝒦}_{i-}}$ and $x_{{𝒦}_{i+}}$ specified by u.

As p (x_i∣s_i) and p (s_i∣s_i−1) are directly given by the HMM, we need only to consider how to compute the two terms p (s_i−1∣$x_{𝒦}$ = u, y_[i−1]) and p ($x_{{𝒦}_{i+}}$ = u₊∣s_i). To simplify our notation, we introduce the following variables to represent these terms:

$$\begin{gathered} {\psi }^{(i)}(u,s_i)≔p(s_i\mid x_{𝒦}=u,y_1,\dots ,y_i), \\ {\gamma }^{(i)}(u,s_i)≔p\left(x_{{𝒦}_{i+}}=u_{+}\mid s_i\right). \end{gathered}$$

With ψ⁽ⁱ⁾(u, s_i) and γ⁽ⁱ⁾(u, s_i) for a given position i, we can calculate (47) as

$$\begin{gathered} p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right) \\ =\sum _{s_{i-1}}\frac{{\sum }_{s_i}{\psi }^{(i-1)}(u,s_{i-1})p(s_i\mid s_{i-1}){\gamma }^{(i)}(u,s_i)p(x_i\mid s_i)}{{\sum }_{s_i}p(s_i\mid s_{i-1}){\gamma }^{(i)}(u,s_i)}. \end{gathered}$$ (49)

First, note that γ⁽ⁱ⁾(u, s_i) can be recursively computed in the same manner as calculating the backward probabilities in the forward-backward algorithm, as described below:

Initialization: We initialize γ⁽ⁿ⁾(u, s_n) by

$${\gamma }^{(n)}(u,s_n)=\{\begin{array}{cc}p(x_n=u_n\mid s_n),\hfill & n\in 𝒦,\hfill \\ 1,\hfill & n\notin 𝒦.\hfill \end{array}\phantom{\}}$$ (50)

Iterations: For i = n − 1, …, 1, we compute γ⁽ⁱ⁾(u, s_i) as

$$\begin{gathered} {\gamma }^{(i)}(u,s_i) \\ =\{\begin{array}{cc}{\sum }_{s_{i+1}}p(x_i=u_i\mid s_i)p(s_{i+1}\mid s_i){\gamma }^{(i+1)}(u,s_{i+1}),\hfill & i\in 𝒦\hfill \\ {\sum }_{s_{i+1}}p(s_{i+1}\mid s_i){\gamma }^{(i+1)}(u,s_{i+1}),\hfill & i\notin 𝒦.\hfill \end{array}\phantom{\}} \end{gathered}$$ (51)

Next, to efficiently compute ψ⁽ⁱ⁾(u, s_i) for i ∈ [n], we analogously adopt the following iterative steps.

Initialization: ψ⁽¹⁾(u, s₁) is initialized by

$${\psi }^{(1)}(u,s_1)\propto p(s_1\mid x_{𝒦}=u)p(y_1\mid s_1,x_{𝒦}=u),$$ (52)

where p (s₁∣$x_{𝒦}$ = u) can be calculated by (48) given γ⁽¹⁾(u, s₁), and p (y₁∣s₁, $x_{𝒦}$ = u) is given by our mechanism as shown in (46).

Iterations: Using Bayes’ rule, we can express φ⁽ⁱ⁾(u, s_i) as

$$\begin{gathered} {\psi }^{(i)}(u,s_i)=p\left(s_i\mid x_{𝒦}=u,y_{[i]}\right) \\ \propto p\left(s_i\mid x_{𝒦}=u,y_{[i-1]}\right)p\left(y_i\mid s_i,x_{𝒦}=u,y_{[i-1]}\right), \end{gathered}$$ (53)

where

$$\begin{gathered} p\left(s_i\mid x_{𝒦}=u,y_{[i-1]}\right) \\ =\sum _{s_{i-1}}{\psi }^{(i-1)}(u,s_{i-1})p\left(s_i\mid s_{i-1},x_{𝒦}=u\right), \end{gathered}$$ (54)

and

$$\begin{gathered} p\left(y_i\mid s_i,x_{𝒦}=u,y_{[i-1]}\right) \\ =\sum _{x_i}p(x_i\mid s_i)p\left(y_i\mid x_i,x_{𝒦}=u,y_{[i-1]}\right). \end{gathered}$$ (55)

Therefore, ψ⁽ⁱ⁾(u, s_i) can be computed based on ψ⁽ⁱ⁻¹⁾(u, s_i−1). We note that the probability p (s_i∣s_i−1, $x_{𝒦}$) can be calculated using γ⁽ⁱ⁾(u, s_i) as shown in (48), and p(y_i∣x_i, $x_{𝒦}$, u, y_[i−1]) is given by our mechanism as shown in (46). Using this recurrence relation, ψ⁽ⁱ⁾(u, s_i) for all i ∈ [n] can be computed.

Analogous to the forward-backward algorithm, our algorithm has polynomial computational complexity of $𝒪(n{m}^2)$ for a fixed u, with respect to the sequence length n and the number of reference sequences m, for a given u. Clearly, ${\text{min}}_{u\in {𝒳}^{\mid 𝒦\mid }}p\left(x_i\mid x_{𝒦}=u,y_{[i-1]}\right)$ can be easily obtained once p(x_i∥$x_{𝒦}$ = u, y_[i−1]) for all u have been computed. This overhead involves a factor of $2^{\mid 𝒦\mid }$ in the computational complexity, but we expect $\mid 𝒦\mid$ to be a small constant in practice (e.g., less than 10); since genotype correlation is predominantly local, the user may apply our mechanism to local regions of the genome of a permissive length, each of which including only a few sensitive positions.

VIII. Simulations

In this section, we provide insights into the empirical performance of our privacy mechanism for hidden Markov models (HMMs) on simulated datasets. We randomly generated 100 haplotype sequences of length 100, which together with the choices of error probability θ and crossover probability ϵ induce p (x), as described in Section VII-A. For simplicity, we suppose the sensitive position $𝒦=\{1\}$.

We first illustrate the privacy-utility trade-off of the heuristic window-based erasure approach described in the Introduction. In particular, this approach erases the first ω positions of the sequence to hide information about the sensitive position (the first position). The results are shown in Figure 4. The erasure rate is defined by the size of the erased window over the sequence length, i.e., ω/n (note n = 100). The privacy leakage is measured by the mutual information between the released positions and the sensitive position X₁, normalized by the entropy of X₁, i.e., I(X₁; X_[n]\[ω])/H(X₁). We also show the expected erasure rate of our proposed privacy mechanism for comparison, whose privacy leakage is strictly zero by design. We observe that the window-erasure approach requires a high erasure rate (around 0.3) to keep the privacy leakage close to zero, whereas our mechanism achieves a considerably smaller erasure rate (around 0.12) while providing perfect privacy. On the other hand, choosing a window size for the baseline approach to match the erasure rate of our mechanism leads to a considerable privacy leakage.

Fig. 4:

Privacy-utility trade-off of the window-based erasure approach on simulated HMM data with m = 100, n = 100, 𝒦 = {1}, crossover probability ϵ = 0.1 and error probability θ = 0.01. Erasure rate denotes the size of window that is erased normalized by the sequence length n. Privacy leakage denotes the mutual information between the released data and the sensitive symbol normalized by the entropy of the sensitive symbol.

Algorithm 1 Mechanism for hiding sensitive genotypes in X

$$\begin{array}{cc}\hfill & \mathrm{Require}:\text{Genome}\text{sequence}\mathbf{X}=(X_1,\dots ,X_n)\text{from}\text{an}\hfill \\ \hfill & \text{HMM with parametes}(\mathscr{H},ϵ,\theta ),\text{and indices of sensitive}\hfill \\ \hfill & \text{positions}𝒦\subset [n]\hfill \\ \hfill & \mathrm{Ensure}:\text{Masked genome sequence}\mathbf{Y}=(Y_1,\dots ,Y_n),\text{such}\hfill \\ \hfill & \text{that}I(X_{𝒦};\mathbf{Y})=0\text{and}{Y}_i\in \{X_i,\ast \}\text{for all}i\in [n]\hfill \\ \hfill & 1:\text{Initialize}{\gamma }^{(n)}(u,s_n)\text{according to}(50)\hfill \\ \hfill & 2:\mathbf{for}i=n-1,\dots ,1\mathbf{do}\hfill \\ \hfill & 3:\mathbf{for}u\in {𝒳}^{\mid 𝒦\mid }\mathbf{do}\hfill \\ \hfill & 4:\text{Compute}{\gamma }^{(i)}(u,s_i)\text{according to}(51)\hfill \\ \hfill & 5:\text{Compute}p(s_i\mid s_{i-1},x_{𝒦}=u)\text{according to}(48)\hfill \\ \hfill & 6:\mathbf{end}\mathbf{for}\hfill \\ \hfill & 7:\mathbf{end}\mathbf{for}\hfill \\ \hfill & 8:\text{Initialize}{\psi }^{(1)}(u,s_1)\text{according to}(50)\hfill \\ \hfill & 9:\mathbf{for}i=2,\dots ,n\mathbf{do}\hfill \\ \hfill & 10:\text{Calculate the erasure probability for}{Y}_i\text{using}(46)\hfill \\ \hfill & 11:\text{Generate}{Y}_i\in \{X_i,\ast \}\text{according to the erasure proba-}\hfill \\ \hfill & \text{bility}\hfill \\ \hfill & 12:\mathbf{for}u\in {𝒳}^{\mid 𝒦\mid }\mathbf{do}\hfill \\ \hfill & 13:\text{Compute}{\psi }^{(i)}(u,s_i)\text{according to}(53)\hfill \\ \hfill & 14:\mathbf{end}\text{for}\hfill \\ \hfill & 15:\mathbf{end}\mathbf{for}\hfill \end{array}$$

We next evaluate our privacy mechanism over a range of different parameter settings. We consider θ ∈ {0.01, 0.05} and vary ϵ from 0.01 to 0.5, both of which reflect reasonable ranges of the parameters for the scale of the dataset we simulated. We provide each instance of p (x) to our privacy mechanism with $𝒦=\{1\}$ to calculate its achievable rate R (i.e., one minus the expected erasure rate). Figure 5 shows the comparison between the rate of our mechanism and the upper bound we derived in Section III. The results suggest that the performance of our mechanism shows varying degrees of closeness to the theoretical upper bound depending on the characteristics of the underlying data distribution. In particular, for higher values of ϵ, representing the regime where the hidden Markov model mixes faster and thus the correlation with the sensitive position decays more quickly, the rate of our mechanism is nearly identical to the upper bound. On the other hand, for lower values of ϵ, which lead to stronger correlations in the sequence, we observed that the gap between our mechanism and the upper bound can grow considerable large. Note that this does not necessarily imply that our mechanism achieves a significantly suboptimal performance, given that the upper bound we considered is not tight in general. We also note that the rate of our mechanism is generally higher when the error probability is larger (θ = 0.05 vs 0.01), which agrees with the intuition that higher levels of noise in the data distribution lower the requirement for hiding sensitive information, thus leading to lower erasure probabilities and higher rates as a result.

Fig. 5:

Comparison of our mechanism and the upper bound on simulated HMM data with m = 100, n = 100, 𝒦 = {1} and different choices of crossover probability ϵ and error probability θ.

To gain further insights into the noticeable gap between the upper bound and our mechanism in the small ϵ regime, we additionally implemented a linear programming (LP) approach for directly obtaining the optimal mechanism w (y∣x). However, since the size of LP grows exponentially with the length of the sequence n, we could only evaluate this approach for small problem instances due to numerical instability. We took the same simulated data as before and truncated each reference haplotype down to the first six positions to obtain a tractable LP instance for this experiment (n = 6).

The rate comparisons of our privacy mechanism, LP-based optimal mechanism, and the upper bound in this setting are shown in Fig. 6. As expected, we observed that the optimal rate lies between the upper bound and the rate of our mechanism, demonstrating that the gap between the optimal rate and the rate of our mechanism is indeed smaller than the ostensible gap suggested by the upper bound.

Fig. 6:

Comparison of our mechanism, the upper bound and the optimal rate based on a linear programming (LP) solution on simulated HMM data with m = 100, n = 6, 𝒦 = {1} based on a truncated version of the dataset used in Fig. 5.

Taken together, these results suggest that, although the performance of our mechanism is often quite close to the upper bound, the difference between the maximum achievable rate and the rate of our mechanism can vary based on the properties of the data distribution. We note that it is yet unknown whether there exists a privacy mechanism that can be as efficiently constructed as our mechanism while achieving performance that is closer to the optimal rate. Closing this performance gap both by devising enhanced privacy mechanisms that achieve higher rates and by developing tighter upper bounds are important directions for future work.

IX. Conclusion and Future Work

In this paper, we introduced the genotype hiding problem and proposed an information-theoretic privacy mechanism as a solution. We analyzed the theoretical properties of the mechanism, and proposed an efficient algorithmic implementation of the mechanism for hidden Markov models, a main model of interest for our application in genomics.

It is worth noting that our mechanism does not rule out the possibilities of genotype reconstruction attacks that leverage (i) alternative genetic sequence models and imputation strategies or (ii) a larger set of reference dataset using which HMM parameters could be more accurately estimated. However, our model based on HMMs is consistent with the state-of-the-art techniques for genotype imputation, which is a relatively mature field. In addition, given the high cost of amassing large-scale genomic data, it would be a significant challenge for an attacker to gain access to a larger dataset than those in the public realm. As such, our mechanism could be thought of as providing privacy protection according to the best knowledge of the field. Our results in Section VI show that any unforeseen privacy leakage arising from the discrepancies in the data distribution scales gracefully with the relative entropy between the true distribution and the one used by the mechanism.

There are several key directions for future work. Our work focused on hiding the content of the sensitive positions, yet a potential concern remains regarding information revealed by the choice of sensitive positions $𝒦$. Any approach relying on erasures for privacy protection may inevitably leak information about $𝒦$, since preventing such leakage would generally require erasures to be consistently applied throughout the sequence, which is highly costly in terms of utility if only a small fraction is considered sensitive. An interesting extension of our work is then to relax the faithfulness condition when hiding the positions is deemed important. A promising approach is to re-sample the erased positions from the data distribution as a post-processing step to the mechanism presented in this paper. That said, we note that in our application setting, $𝒦$ is neither necessarily or nor solely decided by the sequence, as it may be determined based on family history of diseases or curated disease associations in public repositories. Thus, we believe the mechanism presented in this work is directly applicable in many practical scenarios.

Next, although we focused on achieving perfect privacy (with respect to the given data distribution), it may be useful in practice to consider a relaxed notion such as local differential privacy [38]. This may give the user the ability to determine a more desirable trade-off between the level of privacy and the amount of data to be erased. From an analytical standpoint, this direction would also lead to useful insights about the achievable points along the privacy-utility trade-off curve defined by the genotype-hiding problem with a relaxed notion of privacy, to complement the results in this work.

Furthermore, it would be interesting to explore the generalization of our efficient implementation strategies to a broader class of data generative models beyond HMMs, which may allow similar mechanisms to be employed to protect sensitive data in other domains.

Lastly, we plan to study the performance of our privacy mechanism on real genetic datasets and release the software implementation of our mechanism for the genetics community in the near future.

Growing threats to genetic privacy are necessitating principled strategies for protecting the privacy of individuals while maintaining the utility of data sharing. Our work illustrates how such a strategy could be designed from an information-theoretic perspective to enable selective disclosure of personal genomic data. Our methodology is broadly applicable to other data sharing scenarios involving sensitive data with complex correlation structure. We hope that our work will help spur the development of a wide range of information-theoretic tools for modelling and preserving private genomic information.

Fig. 1:

An illustration of (n, 𝒦) genotype-hiding privacy mechanism. The mechanism takes as input a genetic sequence along with a set of sensitive positions and outputs a masked sequence with erasures. We require the faithfulness and privacy conditions to be satisfied, and the goal is to minimize the expected number of erasures in the output.

Biographies

Fangwei Ye (Member, IEEE) received the B.Eng. degree in Information Engineering from Southeast University, in 2013, and the Ph.D. degree from Department of Information Engineering, The Chinese University of Hong Kong, in 2018. From 2018 to 2020, he was a Post-Doctoral Associate with Department of Electrical and Computer Engineering, Rutgers University. He is now with the Broad Institute of MIT and Harvard. His research interests include information theory and its applications to privacy, bioinformatics and coding opportunities in learning.

Hyunghoon Cho (Member, IEEE) received the B.S. and M.S. degrees in computer science from Stanford University, in 2013, and the Ph.D. degree in electrical engineering and computer science from the Massachusetts Institute of Technology, in 2019. He is currently a Schmidt Fellow with the Broad Institute of MIT and Harvard. His research interests include computational biology and biomedical data privacy. He is a recipient of the NIH Director’s Early Independence Award.

Salim El Rouayheb (Senior Member, IEEE) received the Diploma degree in electrical engineering from the Faculty of Engineering, Lebanese University, Roumieh, Lebanon, in 2002, the M.S. degree from the American University of Beirut, Lebanon, in 2004, and the Ph.D. degree in electrical engineering from Texas A&M University, College Station, in 2009. He is currently an Associate Professor with the ECE Department, Rutgers University, New Brunswick, NJ, USA. He was a Postdoctoral Research Fellow with UC Berkeley from 2010 to 2011, and a Research Scholar with Princeton University from 2012 to 2013. He was an Assistant Professor with the ECE Department, Illinois Institute of Technology from 2013 to 2017. His research interests are in the broad area of information theory and coding theory with applications to reliability, security, and privacy in distributed systems. He is a recipient of the NSF Career Award.

Appendix A

Proof of Corollary 1

We prove the sufficient condition of the optimality holds for the Markov chain case. We give an inductive proof for the sufficient condition by showing that, for a given x_i,

$$u^{\ast }\in \text{arg}\underset{u}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[j-1]}\right)$$ (56)

implies

$$u^{\ast }\in \text{arg}\underset{u}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[j]}\right)$$ (57)

for j = 1, …, i − 1. For each j, we consider the following two cases (y_j ≠ * and y_j = *):

1. If y_j ≠ *, then we have

   $$\begin{gathered} p\left(x_i\mid x_{𝒦},y_{[j]}\right)=\sum _{x_j}p\left(x_j\mid x_{𝒦},y_{[j]}\right)p\left(x_i\mid x_{𝒦},y_{[j]},x_j\right) \\ \stackrel{(\mathrm{a})}{=}1\{x_j=y_j\}p\left(x_i\mid x_{𝒦},y_{[j]},x_j\right) \\ \stackrel{(\mathrm{b})}{=}1\{x_j=y_j\}p(x_i\mid x_j), \end{gathered}$$ (58)

   where (a) follows because Y_j can either be X_j or *, and (b) follows from Markovity. In this case, argmin_u p (x_i∣x_𝒦 = u, y_[j]) is indeed independent of u, which means

   $$\text{arg}\underset{u}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[j]}\right)=\mid 𝒳\mid ,$$ (59)

   so the statement is trivially true.
2. If y_j = *, then we have

   $$\begin{gathered} p\left(x_i\mid x_{𝒦},y_{[j]}\right) \\ =\sum _{x_j}p\left(x_j\mid x_{𝒦},y_{[j]}\right)p\left(x_i\mid x_{𝒦},y_{[j]},x_j\right) \\ \stackrel{(\mathrm{a})}{=}\sum _{x_j}p\left(x_j\mid x_{𝒦},y_{[j]}\right)p\left(x_i\mid x_j\right) \\ \stackrel{(\mathrm{b})}{\propto }\sum _{x_j}\left\{p\left(x_j\mid x_{𝒦},y_{[j-1]}\right)-\underset{u}{\text{min}}p\left(x_j\mid x_{𝒦}=u,y_{[j-1]}\right)\right\} \\ p(x_i\mid x_j) \\ =\sum _{x_j}p\left(x_i\mid x_j\right)p\left(x_j\mid x_{𝒦},y_{[j-1]}\right) \\ -\sum _{x_j}p(x_i\mid x_j)\underset{u}{\text{min}}p\left(x_j\mid x_{𝒦}=u,y_{[j-1]}\right) \\ =p\left(x_i\mid x_{𝒦},y_{[j-1]}\right) \\ -\sum _{x_j}p(x_i\mid x_j)\underset{u}{\text{min}}p\left(x_j\mid x_{𝒦}=u,y_{[j-1]}\right), \end{gathered}$$ (60)

   where (a) follows from Markovity, and (b) follows from Bayes’s rule and our privacy mechanism (17). Since the second term of the right-hand side in (60) is independent of x_𝒦, we obtain

   $$\begin{gathered} \text{arg}\underset{u}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[j]}\right) \\ =\text{arg}\underset{u}{\text{min}}p\left(x_i\mid x_{𝒦}=u,y_{[j-1]}\right). \end{gathered}$$ (61)

For both cases, we have verified that the sufficient condition holds, which completes the proof.

Appendix B

Proof of Lemma 2

We will prove (40) by induction. First, consider the base case:

$$w\left(y_{o_1}=\ast \mid x_{o_1},x_{𝒦}\right)=1-\frac{{\text{min}}_{x_{𝒦}}p\left(x_{o_1}\mid x_{𝒦}\right)}{p\left(x_{o_1}\mid x_{𝒦}\right)}.$$ (62)

From the previous discussion, we know that if o_i ∈ 𝒦, then

$$w\left(y_{o_i}=\ast \mid x_{o_i},x_{𝒦},y_{o_{[i-1]}}\right)=1,$$ (63)

so without loss of generality, we assume that

$$o_1\notin 𝒦=\{m+1,\dots ,m+k\}.$$ (64)

Since

$$x_{𝒦}=\left\{\sum _{i:i\in S_j}{b}_{i,j}:j\in [k]\right\},$$ (65)

and

$$x_{o_1}=\{b_{o_1,j}:o_1\in S_j\}$$ (66)

by definition, we can see that if there exists some j such that S_j = {o₁}, then b_o1,j ∈ x_𝒦 and b_o1,j ∈ x_o1. In this case, we can always find some assignments such that

$$\underset{x_{𝒦}}{\text{min}}p\left(x_{o_1}\mid x_{𝒦}\right)=0,$$ (67)

implying that

$$w\left(y_{o_1}=\ast \mid x_{o_1},x_{𝒦}\right)=1.$$ (68)

If there is no j such that S_j = {o_i}, each ${\sum }_{i:i\in S_j}{b}_{i,j}$ constituting $x_{𝒦}$ is a binary summation of some b_o1,j and (independent) random bits b_i,j such that i ≠ o₁, where the latter render the result uniformly random. This means that X_𝒦 is independent of X_o1, and thus we have

$$\begin{gathered} w\left(y_{o_1}=\ast \mid x_{o_1},x_{𝒦}\right)=1-\frac{{\text{min}}_{x_{𝒦}}p\left(x_{o_1}\mid x_{𝒦}\right)}{p\left(x_{o_1}\mid x_{𝒦}\right)} \\ =1-\frac{{\text{min}}_{x_{𝒦}}p\left(x_{o_1}\right)}{p\left(x_{o_1}\right)}=0, \end{gathered}$$ (69)

for all x_o1 and x_𝒦.

Assume the statement is true for o₁, …, o_i−1. Then for o_i, note that

$$p\left(x_{o_i}\mid x_{𝒦},y_{o_{[i-1]}}\right)=\frac{p\left(x_{o_i}\mid x_{𝒦}\right)p\left(y_{o_{[i-1]}}\mid x_{o_i},x_{𝒦}\right)}{p\left(y_{o_{[i-1]}}\mid x_{𝒦}\right)}.$$ (70)

By letting

$${\tilde{\epsilon }}_i=\left\{o_j:y_{o_j}\ne \ast ,j\le i-1\right\},$$ (71)

(70) can be written as

$$\begin{gathered} p\left(x_{o_i}\mid x_{𝒦},y_{o_{[i-1]}}\right)=\frac{p\left(x_{o_i}\mid x_{𝒦}\right)p\left(x_{{\tilde{\epsilon }}_i}\mid x_{o_i},x_{𝒦}\right)}{p\left(x_{{\tilde{\epsilon }}_i}\mid x_{𝒦}\right)} \\ =p\left(x_{o_i}\mid x_{{\tilde{\epsilon }}_i},x_{𝒦}\right), \end{gathered}$$ (72)

because of the inductive assumption that the decisions whether to erase y_o1, …, y_oi−1 are deterministic.

Hence, we have

$$\begin{gathered} w\left(y_{o_i}=\ast \mid x_{o_i},x_{𝒦},y_{o_{[i-1]}}\right)=1-\frac{{\text{min}}_{x_{𝒦}}p\left(x_{o_i}\mid x_{𝒦},y_{o_{[i-1]}}\right)}{p\left(x_{o_i}\mid x_{𝒦},y_{o_{[i-1]}}\right)} \\ =1-\frac{{\text{min}}_{x_{𝒦}}p\left(x_{o_i}\mid x_{{\tilde{\epsilon }}_i},x_{𝒦}\right)}{p\left(x_{o_i}\mid x_{{\tilde{\epsilon }}_i},x_{𝒦}\right)}. \end{gathered}$$ (73)

Analogous to our argument for the base case, if there exists some j such that $S_j\subseteq {\tilde{\epsilon }}_i\cup \{o_i\}$, then one can determine b_oi,j ∈ x_o1 from $x_{{\tilde{\epsilon }}_i}$, $x_{𝒦}$, and thus

$$\underset{x_{𝒦}}{\text{min}}p\left(x_{o_i}\mid x_{{\tilde{\epsilon }}_i},x_{𝒦}\right)=0,$$ (74)

implying that

$$w\left(y_{o_i}=\ast \mid x_{o_i},x_{𝒦},y_{o_{[i-1]}}\right)=1.$$ (75)

If there is no such j, each x_j for j ∈ 𝒦 is the binary summation of some b_oi,j ∈ x_oi and some independent random bits b_i′,j such that i′ ≠ o_i, which again guarantees that $X_{𝒦}$ is independent of X_oi conditioning on $X_{{\tilde{\epsilon }}_i}$. Thus, we have

$$w\left(y_{o_i}=\ast \mid x_{o_i},x_{𝒦},y_{o_{[i-1]}}\right)=1-\frac{{\text{min}}_{x_{𝒦}}p\left(x_{o_i}\mid x_{{\tilde{\epsilon }}_i}\right)}{p\left(x_{o_i}\mid x_{{\tilde{\epsilon }}_i}\right)}=0,$$ (76)

for all x_oi, x_𝒦 and y_o[i−1], which completes the inductive proof.

Appendix C

Proof of Theorem 3

First, let us show that e* ≥ h* by showing that E_π is a hitting set for any order π, i.e., E_π ∩ S_j ≠ ∅ for all j ∈ [k]. We prove it by contradiction. Suppose that there exists some S_j such that E_π ∩ S_j = ∅, which implies that S_j ⊆ [m]\E_π for some j. Assume that S_j = {i₁, …, i_t}, and i_t is the last index visited that specified by the given order π. Then, when we run our mechanism for i_t, since i₁, …, i_t−1 are all visited and not erased, by recalling the proof of Lemma 2, we know that ${\tilde{\epsilon }}_{i_t}\supseteq \{i_1,\dots ,i_{t-1}\}$, so we have $S_j\subseteq {\tilde{\epsilon }}_{i_t}\cup \{i_t\}$. It means that y_it is erased or i_t ∈ E_π, which contradicts with our assumption E_π ∩ S_j = ∅.

Next, we show that e* ≤ h* by showing that for any given hitting set V, there exists an order π such that ∣E_π∣ ≤ ∣V∣. Suppose V is a hitting set and ∣V∣ = h, i.e., V ∩ S_j ≠ ∅ for all j ∈ [k]. Consider an order π such that o_i ∉ V ∪ [m + 1 : m+k] for i ≤ m−h and o_i ∈ V for i ∈ [m−h+1 : m], i.e., visiting indices in the complementary of T before attaining V. When we visit o_i such that i ≤ m − h (or o_i ∈ [m]\V), by the assumption that V ∩ S_j ≠ ∅ for all j, we know that there exists some index t_j ∈ S_j ∩ V for each j. By recalling the definition (71), we know that ${\tilde{\epsilon }}_i\supseteq [m]\setminus V$, so $t_j\notin {\tilde{\epsilon }}_i$. Note that t_j ∈ V while o_i ∉ V, so $t_j\notin {\tilde{\epsilon }}_i\cup \{o_i\}$. Hence, we know that y_oi is not erased, or o_i ∉ E_π from the proof of Lemma 2. Since o_i ∉ E_π for i ≤ m − h given this particular order π, we have ∣E_π∣ ≤ h = ∣V∣, which completes the proof.

Appendix D

Proof of Theorem 4

From (45), we have

$$\begin{gathered} I(p(x_{𝒦});p(\mathbf{y}))=D(p(x_{𝒦},\mathbf{y})\Vert q(x_{𝒦},\mathbf{y})) \\ -D(p(x_{𝒦})\Vert q(x_{𝒦}))-D(p(\mathbf{y})\Vert q(\mathbf{y})), \end{gathered}$$ (77)

and it remains to show that the right-hand side is bounded above by D(p (x) ∥q (x)).

By applying the chain rule for relative entropy, we have

$$\begin{gathered} D(p(\mathbf{x},\mathbf{y})\Vert q(\mathbf{x},\mathbf{y})) \\ =D(p(\mathbf{x})\Vert q(\mathbf{x}))+D(p(\mathbf{y}\mid \mathbf{x})\Vert q(\mathbf{y}\mid \mathbf{x})), \end{gathered}$$ (78)

and

$$\begin{gathered} D(p(\mathbf{x},\mathbf{y})\Vert q(\mathbf{x},\mathbf{y}))=D(p(x_{𝒦},\mathbf{y})\Vert q(x_{𝒦},\mathbf{y})) \\ +D(p\left(x_{[n]\setminus 𝒦}\mid x_{𝒦},\mathbf{y}\right)\Vert q\left(x_{[n]\setminus 𝒦}\mid x_{𝒦},\mathbf{y}\right)). \end{gathered}$$ (79)

The definition of conditional relative entropy and the proof of the chain rule for relative entropy can be found in [40, p. 24]. From these equations, we obtain

$$\begin{gathered} D(p(x_{𝒦},\mathbf{y})\Vert q(x_{𝒦},\mathbf{y})) \\ =D(p(\mathbf{x})\Vert q(\mathbf{x}))+D(p(\mathbf{y}\mid \mathbf{x})\Vert q(\mathbf{y}\mid \mathbf{x})) \\ -D(p\left(x_{[n]\setminus 𝒦}\mid x_{𝒦},\mathbf{y}\right)\Vert q\left(x_{[n]\setminus 𝒦}\mid x_{𝒦},\mathbf{y}\right)). \end{gathered}$$ (80)

By substituting (80) in (77), we have

$$\begin{gathered} I(p(x_{𝒦});p(\mathbf{y})) \\ =D(p(\mathbf{x})\Vert q(\mathbf{x}))+D(p(\mathbf{y}\mid \mathbf{x})\Vert q(\mathbf{y}\mid \mathbf{x}))-D(p(x_{𝒦})\Vert q(x_{𝒦})) \\ -D(p\left(x_{[n]\setminus 𝒦}\mid x_{𝒦},\mathbf{y}\right)\Vert q\left(x_{[n]\setminus 𝒦}\mid x_{𝒦},\mathbf{y}\right))-D(p(\mathbf{y})\Vert q(\mathbf{y})) \\ \stackrel{(\mathrm{a})}{\le }D(p(\mathbf{x})\Vert q(\mathbf{x}))+D(p(\mathbf{y}\mid \mathbf{x})\Vert q(\mathbf{y}\mid \mathbf{x})) \\ \stackrel{(\mathrm{b})}{=}D(p(\mathbf{x})\Vert q(\mathbf{x})), \end{gathered}$$ (81)

where (a) follows from the non-negativity of relative entropy, (b) follows from the assumption q (y∣x) = p (y∣x) = w(y∣x).