Long Abstract: 

We revisit the framework of interactive proofs for distribution testing, first introduced by

Chiesa and Gur (ITCS 2018), which has recently experienced a surge in interest, accompanied

by notable progress (e.g., Herman and Rothblum, STOC 2022, FOCS 2023; Herman, RAN-

DOM 2024). In this model, a data-poor verifier determines whether a probability distribution

has a property of interest by interacting with an all-powerful, data-rich but untrusted prover

bent on convincing them that it has the property. While prior work gave sample-, time-, and

communication-efficient protocols for testing and estimating a range of distribution properties,

they all suffer from an inherent issue: for most interesting properties of distributions over a

domain of size 𝑁, the verifier must draw at least Ω(√𝑁) samples of its own. While sublinear in

𝑁, this is still prohibitive for large domains encountered in practice.

In this work, we circumvent this limitation by augmenting the verifier with the ability to

perform an exponentially smaller number of more powerful (but reasonable) pairwise conditional

queries, effectively enabling them to perform “local comparison checks” of the prover’s claims.

We systematically investigate the landscape of interactive proofs in this new setting, giving

polylogarithmic query and sample protocols for (tolerantly) testing all label-invariant properties,

thus demonstrating exponential savings without compromising on communication, for this large

and fundamental class of testing tasks.

Long Abstract: 

We study differentially-private statistics in the fully dynamic continual observation model, where many updates can arrive at each time and updates to a stream can involve both insertions and deletions of an item. Earlier work (e.g., Jain et al., NeurIPS 2023 for counting distinct elements; Raskhodnikova & Steiner, PODS 2025 for triangle counting with edge updates) reduced the respective cardinality estimation problem to continual counting on the difference stream associated with the true function values on the input stream. In such reductions, a change in the original stream can cause many changes in the difference stream, a challenge in applying private continual counting algorithms to obtain optimal error bounds. We improve the accuracy of several such reductions by studying the associated ℓ2-sensitivity vectors of the resulting difference streams and isolating their properties.

Our improved accuracy stems from applying various factorization mechanisms for the counting matrix. While our primary application is to counting distinct elements, we demonstrate how our framework extends naturally to the estimation of degree histograms and triangle counts (under a slightly relaxed privacy model), thus offering a general approach to continual cardinality estimation in streaming settings. The key technical challenge is arguing that one can use state-of-the-art factorization mechanisms for sensitivity vector sets with the properties we isolate. In particular, we show that for approximate DP, the celebrated square-root factorization of the counting matrix (Henzinger et al., SODA 2023; Fichtenberger et al., ICML 2023) can be employed to give a constant-factor improvement in accuracy over past work based on the binary tree mechanism. We also give a tight analysis of b-ary tree mechanisms with subtraction under these sensitivity patterns, including a polytime routine for exactly computing the ℓp sensitivity, yielding time and space efficient algorithm for both pure and approximate DP. Empirically and analytically, we demonstrate that our improved error bounds offer a substantial improvement for cardinality estimation problems over a large range of parameters.

Long Abstract: 

Privacy is a central challenge for systems that learn from sensitive data sets, especially when a system's outputs must be continuously updated to reflect changing data. 

We consider the achievable error for the differentially private continual release of a basic statistic---the number of distinct items---in a stream where items may be both inserted and deleted (the turnstile model). With only insertions, existing algorithms have additive error just polylogarithmic in the length of the stream T. 

We uncover a much richer landscape in the turnstile model, even without considering memory restrictions. We show that any differentially private mechanism that handles insertions and deletions has a worst-case additive error at least T^{1/4} even under a relatively weak, event-level privacy definition. 

Then, we identify a property of the input stream, its maximum flippancy, that is low for natural data streams and for which one can give tight parameterized error guarantees. Specifically, the maximum flippancy is the largest number of times the count of a single item changes from a positive number to zero over the course of the stream. We present an item-level differentially private mechanism that, for all turnstile streams with maximum flippancy  w, continually outputs the number of distinct elements with an O(\sqrt{w} polylog T) additive error,  without requiring prior knowledge of w. 

This is the best achievable error bound that depends only on w, for a large range of values of w. When w is small, our mechanism provides similar error guarantees to the polylogarithmic in $T$ guarantees in the insertion-only setting, bypassing the hardness in the turnstile model. 

Long Abstract: 

The notion of replicable algorithms was introduced in [Impagliazzo Lei Pitassi Sorrell' 22] to describe randomized algorithms that are stable under the resampling of their inputs. More precisely, a replicable algorithm gives the same output with high probability when its randomness is fixed and it is run on a new i.i.d. sample drawn from the same distribution. Using replicable algorithms for data analysis can facilitate the verification of published results by ensuring that the results of an analysis will be the same with high probability, even when that analysis is performed on a new data set. 

In this work, we establish new connections and separations between replicability and standard notions of algorithmic stability. In particular, we give sample-efficient algorithmic reductions between perfect generalization, approximate differential privacy, and replicability for a broad class of statistical problems. Conversely, we show any such equivalence must break down computationally: there exist statistical problems that are easy under differential privacy, but that cannot be solved replicably without breaking public-key cryptography. Furthermore, these results are tight: our reductions are statistically optimal, and we show that any computational separation between DP and replicability must imply the existence of one-way functions. 

Our statistical reductions give a new algorithmic framework for translating between notions of stability, which we instantiate to answer several open questions in replicability and privacy. This includes giving sample-efficient replicable algorithms for various PAC learning, distribution estimation, and distribution testing problems, algorithmic amplification of delta in approximate DP, conversions from item-level to user-level privacy, and the existence of private agnostic-to-realizable learning reductions under structured distributions.

Long Abstract: We study the accuracy of differentially private mechanisms in the continual release model. A continual release mechanism receives a sensitive dataset as a stream of T inputs and produces, after receiving each input, an output that is accurate for all the inputs received so far. In contrast, a batch algorithm receives the data as one batch and produces a single output. 

We provide the first strong lower bounds on the error of continual release mechanisms. In particular, for two fundamental problems that are widely studied and used in the batch model, we show that the worst-case error of every continual release algorithm is T^{1/3} times larger than that of the best batch algorithm.  Previous work shows only a poly-logarithmic (in T)  gap between the worst-case error achievable in these two models; further, for many problems, including the summation of binary attributes, the poly-logarithmic gap is tight (Dwork et al., 2010; Chan et al., 2010). Our results show that problems closely related to summation---specifically, those that require selecting the largest of a set of sums---are fundamentally harder in the continual release model than in the batch model. Our lower bounds assume only that privacy holds for streams fixed in advance (the ``nonadaptive'' setting). 

We also formulate a model that allows for adaptively selected inputs and prove the privacy of several known algorithms in that model. In particular, we show that our lower bounds are matched by the error of simple algorithms whose privacy holds even for adaptively selected streams. The adaptive model captures dependencies that arise in many applications of continual release.

Long Abstract: We initiate an investigation of private sampling from distributions. Given a dataset with n independent observations from an unknown distribution P, a sampling algorithm must output a single observation from a distribution that is close in total variation distance to P while satisfying differential privacy. Sampling abstracts the goal of generating small amounts of realistic-looking data. We provide tight upper and lower bounds for the dataset size needed for this task for three natural families of distributions: arbitrary distributions on {1,...,k},  arbitrary product distributions on {0,1}^d, and product distributions on {0,1}^d with bias in each coordinate bounded away from 0 and 1. We demonstrate that, in some parameter regimes, private sampling requires asymptotically fewer observations than learning a description of  P non-privately; in other regimes, however, private sampling proves to be as difficult as private learning. Notably, for some classes of distributions, the overhead in the number of observations needed for private learning compared to non-private learning is completely captured by the number of observations needed for private sampling.

Long Abstract: We show a generic reduction from multiclass differentially private PAC learning to binary private PAC learning. We apply this transformation to a recently proposed binary private PAC learner to obtain a private multiclass learner with sample complexity that has a polynomial dependence on the multiclass Littlestone dimension and a poly-logarithmic dependence on the number of classes. This yields an exponential improvement in the dependence on both parameters over learners from previous work. Our proof extends the notion of Ψ-dimension defined in the work of Ben-David et al. [JCSS '95] to the online setting and explores its general properties.