Inferensys

Glossary

Local Differential Privacy (LDP)

A trust model where each individual perturbs their own data before sending it to an untrusted aggregator, ensuring that the raw data is never revealed to any external party.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
DEFINITION

What is Local Differential Privacy (LDP)?

A trust model where each individual perturbs their own data before sending it to an untrusted aggregator, ensuring that the raw data is never revealed to any external party.

Local Differential Privacy (LDP) is a privacy model where the data subject applies a randomized perturbation algorithm to their own record before transmission, guaranteeing that the raw, sensitive data never leaves the user's device. Unlike the central model, LDP eliminates the need for a trusted data curator by mathematically ensuring that the aggregator receives only noisy, plausibly deniable inputs.

The mechanism provides plausible deniability through protocols like Randomized Response, where a user's true answer is flipped according to a controlled probability. This shifts the trust boundary entirely to the client side, allowing organizations to collect aggregate statistics and train machine learning models without ever accessing or being liable for storing unprotected personal information.

DEFINING CHARACTERISTICS

Core Properties of LDP

Local Differential Privacy (LDP) shifts the trust boundary from a central server to the individual user. Each record is randomized before collection, providing a provable guarantee against raw data exposure even when the aggregator is compromised.

01

Untrusted Aggregator Model

The fundamental architectural distinction of LDP. Unlike the central model, the server collecting data is assumed to be malicious or compromised. Privacy is guaranteed entirely by the client-side perturbation mechanism.

  • Zero Raw Data Exposure: The aggregator never sees a true value.
  • No Trusted Curator: Eliminates the need for a trusted third party to hold sensitive data.
  • Strong User Agency: Individuals control their own privacy before data leaves their device.
02

Randomized Response Mechanism

The foundational algorithm for LDP, originating from survey methodology. For a binary attribute, a user flips a coin and answers truthfully only with a controlled probability.

  • Plausible Deniability: A 'Yes' answer could be due to the coin flip, not the true value.
  • Parameterization: Governed by the privacy budget ε; a smaller ε forces a higher probability of random answering.
  • Aggregation: The true population proportion is estimated by correcting for the known noise injection rate.
03

Frequency Oracle Protocols

Advanced LDP protocols designed to handle categorical data with many possible values, reducing the variance of basic randomized response.

  • Unary Encoding (UE): Sends a length-d bit vector with 1 at the true position, then flips each bit with a specific probability.
  • Optimized Local Hashing (OLH): Hashes the true value into a smaller domain before applying randomized response, optimizing the variance for large domains.
  • Hadamard Response (HR): Uses a Hadamard matrix to encode the value, enabling efficient estimation with minimal communication cost.
04

Heavy Hitter Identification

The process of finding the most frequent items in a population under LDP, crucial for feature selection and dictionary learning.

  • TreeHistogram Protocol: Users randomize a prefix of their value's bit representation, allowing the server to build a noisy prefix tree to identify frequent items without enumerating the full domain.
  • Succinct Histograms: Memory-efficient structures that estimate frequencies of top-k items while suppressing the long tail of infrequent values.
  • Application: Identifying popular emojis, URLs, or search queries without revealing any individual's specific input.
05

Utility-Privacy Trade-off

The inherent tension in LDP between data fidelity and protection. Because noise is added per-user, the total noise scales with the population, often requiring larger sample sizes than the central model.

  • Error Scaling: Estimation error typically scales as O(1/√n), but with a constant factor that grows exponentially with the privacy parameter ε.
  • Sample Size Requirement: Achieving useful accuracy for complex statistics demands a large user base to average out the injected noise.
  • Local vs. Central: For the same ε, the central model generally offers higher utility, but LDP provides a stronger, user-verified trust model.
06

Shuffle Model Amplification

A hybrid architecture that bridges the utility gap between local and central models. Users still randomize data locally, but reports pass through a trusted shuffler that randomly permutes them before the analyzer sees them.

  • Anonymity Effect: The shuffler breaks the link between a report and its source, amplifying the privacy guarantee from ε-local to ε-central.
  • Prochlo Framework: A practical instantiation using secure enclaves for the shuffler, deployed in Google's metric collection.
  • Benefit: Achieves near-central-model accuracy while maintaining the local model's protection against a compromised aggregator.
TRUST MODEL COMPARISON

Local vs. Central Differential Privacy

Architectural distinctions between the two primary trust models for deploying differential privacy, comparing where data is perturbed, who is trusted, and the resulting accuracy-privacy trade-offs.

FeatureLocal DP (LDP)Central DP (CDP)Shuffle Model

Perturbation Point

On-device, before transmission

Server-side, after aggregation

On-device, then anonymized by shuffler

Trusted Aggregator Required

Raw Data Visible to Server

Privacy Guarantee Scope

Per-record against aggregator and downstream

Per-record in final output only

Per-record against analyzer; amplified by anonymity

Typical Epsilon Range

ε = 2–10 per query

ε = 0.1–2 per query

ε = 0.5–5 per query

Accuracy at Fixed Privacy Budget

Lower (high noise per user)

Higher (noise amortized across users)

Intermediate (amplification improves utility)

Communication Overhead

High (per-user randomization)

Low (raw data sent to server)

Moderate (shuffler adds a network hop)

User-Side Computation

Moderate (local randomizer execution)

None

Moderate (local randomizer execution)

LOCAL DIFFERENTIAL PRIVACY

Frequently Asked Questions

Clear, technical answers to the most common questions about the Local Differential Privacy trust model, its mechanisms, and its application in privacy-preserving machine learning.

Local Differential Privacy (LDP) is a trust model where the privacy guarantee is enforced on each individual's device before any data is transmitted to an untrusted aggregator. Unlike the central model, which relies on a trusted curator, LDP ensures that the raw data never leaves the user's control. The mechanism works by having each user apply a randomized algorithm—such as the Randomized Response technique—to their own data point, perturbing it with calibrated noise. This creates plausible deniability for every response. The aggregator then collects these noisy reports from a large population and applies statistical estimation to reconstruct the population-level distribution, all while maintaining a formal, provable privacy guarantee for each individual contributor.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.