1 Introduction
The field of streaming algorithms was formalized by Alon, Matias, and Szegedy [3], and has generated a large body of work that intersects many other fields in computer science, such as theory, databases, networking, and natural language processing. Consider a scenario in which data items are being generated one by one, e.g., IP traffic monitoring or web searches. Generally speaking, streaming algorithms aim to process such data streams while using only a limited amount of memory, significantly smaller than what is needed to store the entire data stream.^1
^1 We remark, however, that streaming algorithms are also useful in the offline world, for example in order to process a large unstructured database that is located on external storage.

Typical streaming problems include estimating frequency moments, counting the number of distinct elements in the stream, identifying heavy hitters in the stream, estimating the median of the stream, and much more
[22, 13, 4, 34, 16, 14, 15, 28, 37, 21, 31, 38].

Usually, streaming algorithms can be queried many times throughout the execution. The reason is that (usually) the space requirement of streaming algorithms scales as $\log\frac{1}{\delta}$, where $\delta$ is the failure probability of the algorithm. By a union bound, this means that in order to guarantee accuracy for $q$ queries (with probability $1-\delta$) the space only scales proportionally to $\log\frac{q}{\delta}$, so we can tolerate quite a few queries without blowing up space. However, for this argument to go through, we need to assume that the entire stream is fixed in advance (and is just given to us one item at a time), or at least that the choice of the items in the stream is independent of the internal state (and coin tosses) of our algorithm. This setting is sometimes referred to as the oblivious setting. The vast majority of the work on streaming algorithms is focused on the oblivious setting.

Now suppose that the items in the stream, as well as the queries issued to the algorithm, are chosen by an adaptive (stateful) adversary. Specifically, every item in the stream (and each of the queries) is chosen by the adversary as a function of the previous items in the stream, the previous queries, and the previous answers given by our streaming algorithm. As a result, the items in the stream are no longer independent of the internal state of our algorithm, and oblivious streaming algorithms fail to provide meaningful utility guarantees in such a situation. In this work we aim to design adversarially robust streaming algorithms that maintain (provable) accuracy against such adaptive adversaries, while of course keeping the memory and runtime requirements to a minimum. We stress that such dependencies between the items in the stream and the internal state of the algorithm may occur unintentionally (even when there is no “adversary”). For example, consider a large system in which a streaming algorithm is used to analyze data coming from one part of the system while answering queries generated by another part of the system, but these (supposedly) different parts of the system are connected via a feedback loop.
In such a case, it is no longer true that the items in the stream are generated independently of the previous answers, and the vast majority of the existing streaming algorithms would fail to provide meaningful utility guarantees.
Recall that (typically) in the oblivious setting the memory requirement only grows logarithmically with the number of queries that we want to support. For the adaptive setting, one can easily show that a memory blowup linear in the number of queries suffices. This can be achieved, e.g., by running many independent copies of the algorithm (where we feed the input stream to each of the copies) and using each copy in order to answer at most one query. Can we do better?
This question has motivated a recent line of work that is focused on constructing adversarially robust streaming algorithms [36, 23, 24, 1, 2, 27, 9, 8]. The formal model we consider was recently put forward by Ben-Eliezer et al. [8], who presented adversarially robust streaming algorithms for many problems in the insertion-only model (i.e., when the stream contains only positive updates). Moreover, their results extend to turnstile streams (where both positive and negative updates are allowed), provided that the number of negative updates is small. The question remained largely open for the general turnstile model, where there might be a large number of negative updates.
1.1 Existing Results
We now give an informal overview of the techniques of [8]. This intuitive overview is generally oversimplified, and hides many of the difficulties that arise in the actual analysis. See [8] for the formal details and for additional results.
Consider a stream of updates $(a_1,\Delta_1),\dots,(a_m,\Delta_m)$, where $a_i \in [n]$ is the $i$th element and $\Delta_i \in \mathbb{Z}$ is its weight. For $i \in [m]$ we write $\vec{a}_i$ to denote the first $i$ elements of the stream. Let $g$ be a function mapping streams to the reals (for example, $g$ might count the number of distinct elements in the stream). At every time step $i$, after obtaining the next element in the stream, our goal is to output an approximation for $g(\vec{a}_i)$.
Ben-Eliezer et al. [8] focused on the case where all of the weights $\Delta_i$ are positive (this assumption is known as the insertion-only model). To illustrate the results of [8], let us consider the distinct elements problem, in which the function $g$ counts the number of distinct elements in the stream. Specifically, after every update we need to output an estimation of the current number of distinct elements. Observe that, in the insertion-only model, this quantity is monotonically increasing. Furthermore, since we are aiming for a multiplicative error of $(1\pm\alpha)$, even though the stream is long (of length $m$), the number of times we actually need to modify the estimates we release is quite small (roughly $\frac{1}{\alpha}\log m$ times). Informally, the idea of [8] is to run several independent sketches in parallel, and to use each sketch to release answers over a part of the stream during which the estimate remains constant. In more detail, the generic transformation of [8] (applicable not only to the distinct elements problem) is based on the following definition.
Definition 1.1 (Flip number [8]).
Given a function $g$, the $(\alpha,m)$-flip number of $g$, denoted $\lambda_{\alpha,m}(g)$, is the maximal number of times that the value of $g$ can change (increase or decrease) by a factor of $(1+\alpha)$ during a stream of length $m$.
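To make the definition concrete, here is a small helper (ours, not from [8]) that computes the number of $(1+\alpha)$-factor changes along a fixed sequence of function values:

```python
def flip_number(values, alpha):
    """Count how many times a sequence changes by a factor of (1 + alpha).

    `values` is the sequence g(a_1), g(a_1 a_2), ... of function values over
    the prefixes of a fixed stream. We count the steps at which the current
    value leaves the interval [ref / (1 + alpha), ref * (1 + alpha)], where
    `ref` is the value recorded at the previously counted step.
    """
    flips = 0
    ref = values[0]
    for v in values[1:]:
        if v > ref * (1 + alpha) or v < ref / (1 + alpha):
            flips += 1
            ref = v
    return flips
```

For example, a sequence that repeatedly doubles flips once per step when $\alpha = 0.5$, while a sequence that drifts by less than a $(1+\alpha)$ factor never flips.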
The generic construction of [8] for a function $g$ is as follows.

Instantiate $\lambda = \lambda_{\alpha,m}(g)$ independent copies of an oblivious streaming algorithm for the function $g$, and set $j = 1$.

When the next update arrives:

Feed the update to all of the $\lambda$ copies.

Release an estimate using the $j$th copy (rounded to the nearest power of $(1+\alpha)$). If this estimate is different from the previous estimate, then set $j \leftarrow j+1$.

Ben-Eliezer et al. [8] showed that this strategy transforms an oblivious streaming algorithm for $g$ into an adversarially robust streaming algorithm for $g$. In addition, the overhead in terms of memory is only $\lambda_{\alpha,m}(g)$, which is typically small in the insertion-only model (typically $\lambda_{\alpha,m}(g) = O\!\left(\frac{1}{\alpha}\log m\right)$). Moreover, [8] showed that their techniques extend to the turnstile model (when the stream might contain updates with negative weights), provided that the number of negative updates is small (and so the flip number remains small).
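The sketch-switching transformation above can be sketched in code as follows. This is a simplified toy version (the class names are ours): `ObliviousSketch` is a stand-in for any oblivious algorithm, here exact distinct-element counting so that the example is self-contained.

```python
import math

class ObliviousSketch:
    """Stand-in oblivious algorithm: exact distinct-element counting.

    A real instantiation would be a small-space sketch; exact counting
    keeps the example self-contained."""
    def __init__(self):
        self.seen = set()
    def update(self, item):
        self.seen.add(item)
    def estimate(self):
        return len(self.seen)

class SketchSwitching:
    """Run lambda_ independent copies; answer from copy j until its
    (rounded) estimate changes, then switch to copy j + 1, never reusing
    a copy after its answer has been exposed to the adversary."""
    def __init__(self, lambda_, alpha):
        self.copies = [ObliviousSketch() for _ in range(lambda_)]
        self.alpha = alpha
        self.j = 0
        self.current = None  # last released (rounded) estimate

    def round_est(self, x):
        # round to the nearest power of (1 + alpha)
        if x <= 0:
            return 0
        k = round(math.log(x, 1 + self.alpha))
        return (1 + self.alpha) ** k

    def process(self, item):
        for c in self.copies:
            c.update(item)
        est = self.round_est(self.copies[self.j].estimate())
        if self.current is None:
            self.current = est
        elif est != self.current:
            self.j += 1          # expose a fresh copy from now on
            self.current = est
        return self.current
```

Each released value depends only on a copy whose randomness the adversary has not yet seen, which is exactly why the argument survives adaptivity.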
Theorem 1.2 ([8], informal).
Fix any function $g$ and let $\mathcal{A}$ be an oblivious streaming algorithm for $g$ that, for any $\alpha,\delta > 0$, uses space $L = L(\alpha,\delta,m)$ and guarantees $\alpha$-accuracy with success probability $1-\delta$ for streams of length $m$. Then there exists an adversarially robust streaming algorithm for $g$ that guarantees $\alpha$-accuracy with success probability $1-\delta$ for streams of length $m$, using space that grows linearly in the flip number, roughly $\lambda_{\alpha,m}(g)\cdot L$.
1.2 Our Results
We establish a connection between adversarial robustness of streaming algorithms and differential privacy, a model to provably guarantee privacy protection when analyzing data. Consider a database containing (sensitive) information pertaining to individuals. An algorithm operating on such a database is said to be differentially private if its outcome does not reveal information that is specific to any individual in the database. More formally, differential privacy requires that no individual’s data has a significant effect on the distribution of the output. Intuitively, this guarantees that whatever is learned about an individual could also be learned with her data arbitrarily modified (or without her data). Formally,
Definition 1.3 ([18]).
Let $\mathcal{A}$ be a randomized algorithm that operates on databases. Algorithm $\mathcal{A}$ is $(\varepsilon,\delta)$-differentially private if for any two databases $S,S'$ that differ on one row, and any event $T$, we have
$$\Pr[\mathcal{A}(S)\in T] \le e^{\varepsilon}\cdot \Pr[\mathcal{A}(S')\in T] + \delta.$$
Our main conceptual contribution is to show that the notion of differential privacy can be used as a tool in order to construct new adversarially robust streaming algorithms. In a nutshell, the idea is to protect the internal state of the algorithm using differential privacy. Loosely speaking, this limits (in a precise way) the dependency between the internal state of the algorithm and the choice for the items in the stream, and allows us to analyze the utility guarantees of the algorithm even in the adaptive setting. Notice that differential privacy is not used here in order to protect the privacy of the data items in the stream. Rather, differential privacy is used here to protect the internal randomness of the algorithm.
For many problems of interest, even in the general turnstile model (with deletions), this technique allows us to obtain adversarially robust streaming algorithms with sublinear space. To the best of our knowledge, our technique is the first to provide meaningful results for the general turnstile model. In addition, for interesting regimes of parameters, our algorithm outperforms the current state-of-the-art constructions also for the insertion-only model (strictly speaking, our results for the insertion-only model are incomparable with those of [8]).
We obtain the following theorem.
Theorem 1.4.
Fix any function $g$ and let $\mathcal{A}$ be an oblivious streaming algorithm for $g$ that, for any $\alpha,\delta > 0$, uses space $L = L(\alpha,\delta,m)$ and guarantees $\alpha$-accuracy with success probability $1-\delta$ for streams of length $m$. Then there exists an adversarially robust streaming algorithm for $g$ that guarantees $\alpha$-accuracy with success probability $1-\delta$ for streams of length $m$, using space that grows with the flip number only as $\sqrt{\lambda_{\alpha,m}(g)}$, roughly $\sqrt{\lambda_{\alpha,m}(g)}\cdot L$ up to logarithmic factors.
Compared to [8], our space bound grows only as $\sqrt{\lambda_{\alpha,m}(g)}$ instead of linearly in $\lambda_{\alpha,m}(g)$. This means that in the general turnstile model, where the flip number can be large, we obtain a significant improvement, at the cost of additional logarithmic factors. In addition, as the flip number typically scales at least linearly with $\frac{1}{\alpha}$, we obtain improved bounds in terms of the dependency of the memory on $\frac{1}{\alpha}$ even for the insertion-only model (again, at the expense of additional logarithmic factors).
1.3 Other Related Results
Over the last few years, differential privacy has proven itself to be an important algorithmic notion (even when data privacy is not of concern), and has found applications in many other fields, such as machine learning, mechanism design, secure computation, probability theory, secure storage, and more [35, 17, 26, 41, 5, 39, 40, 33, 6]. In particular, our results utilize a connection between differential privacy and generalization, which was first discovered by Dwork et al. [17] in the context of adaptive data analysis.

2 Preliminaries
A stream of length $m$ over a domain $[n]$ consists of a sequence of updates $(a_1,\Delta_1),\dots,(a_m,\Delta_m)$, where $a_i \in [n]$ and $\Delta_i \in \mathbb{Z}$. For $i \in [m]$ we write $\vec{a}_i$ to denote the first $i$ elements of the stream. Let $g$ be a function mapping streams to the reals (for example, $g$ might count the number of distinct elements in the stream). At every time step $i$, after obtaining the next element in the stream, our goal is to output an approximation for $g(\vec{a}_i)$. We assume throughout the paper that $n$ is at most polynomial in $m$ and that $g$ is bounded polynomially in $m$.
2.1 Streaming against adaptive adversary
The adversarial streaming model, in various forms, was considered by [36, 23, 24, 1, 2, 27, 9, 8]. We give here the formulation presented by Ben-Eliezer et al. [8]. The adversarial setting is modeled by a two-player game between a (randomized) StreamingAlgorithm and an Adversary. At the beginning, we fix a function $g$. Then the game proceeds in rounds, where in the $i$th round:

The Adversary chooses an update for the stream, which can depend, in particular, on all previous stream updates and outputs of StreamingAlgorithm.

The StreamingAlgorithm processes the new update and outputs its current response $z_i$.
The goal of the Adversary is to make the StreamingAlgorithm output an incorrect response at some point in the stream. For example, in the distinct elements problem, the adversary’s goal is that at some step $i$, the estimate $z_i$ will fail to be a $(1\pm\alpha)$-approximation of the true current number of distinct elements.
We remark that our techniques extend to a model in which the StreamingAlgorithm only needs to release an approximation for $g(\vec{a}_i)$ in a bounded number of time steps (which are chosen adaptively by the adversary), in exchange for lower space requirements. For simplicity, we will focus on the case where the StreamingAlgorithm needs to release an approximate answer in every time step.
2.2 Preliminaries from differential privacy
The Laplace Mechanism.
The most basic constructions of differentially private algorithms are via the Laplace mechanism as follows.
Definition 2.1 (The Laplace distribution).

A random variable has probability distribution $\mathrm{Lap}(b)$ if its probability density function is $f(z) = \frac{1}{2b}\exp\!\left(-\frac{|z|}{b}\right)$, where $z \in \mathbb{R}$.
Definition 2.2 (Sensitivity).
A function $f$ that maps databases to the reals has sensitivity $\Delta$ if for every two databases $S,S'$ that differ in one row it holds that $|f(S) - f(S')| \le \Delta$.
Theorem 2.3 (The Laplace mechanism [18]).
Let $f$ be a function of sensitivity $\Delta$. The mechanism that on input a database $S$ returns $f(S) + \mathrm{Lap}\!\left(\frac{\Delta}{\varepsilon}\right)$ preserves $(\varepsilon,0)$-differential privacy.
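As a quick illustration of Theorem 2.3 (a toy example of ours; the helper names are not from the paper), here is the Laplace mechanism applied to a counting query:

```python
import random

def laplace_noise(b, rng=random):
    """Sample from Lap(b): the difference of two i.i.d. Exp(1/b) random
    variables has the Laplace distribution with scale b."""
    return rng.expovariate(1 / b) - rng.expovariate(1 / b)

def laplace_mechanism(database, f, sensitivity, epsilon, rng=random):
    """Release f(database) + Lap(sensitivity / epsilon), which preserves
    (epsilon, 0)-differential privacy when f has the stated sensitivity."""
    return f(database) + laplace_noise(sensitivity / epsilon, rng)
```

For a counting query such as `len` (sensitivity 1), the released value is the true count plus noise of typical magnitude $\frac{1}{\varepsilon}$.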
The sparse vector technique.
Consider a large number of low-sensitivity functions $f_1, f_2, \dots$ which are given (one by one) to a data curator (holding a database $S$). Dwork, Naor, Reingold, Rothblum, and Vadhan [19] presented a simple (and elegant) tool that can privately identify the first index $i$ such that the value of $f_i(S)$ is “large”.
Algorithm AboveThreshold

Input: Database $S$, privacy parameter $\varepsilon$, threshold $t$, and a stream of sensitivity-1 queries $f_1, f_2, \dots$

1. Let $\hat{t} = t + \mathrm{Lap}\!\left(\frac{2}{\varepsilon}\right)$.

2. In each round $i$, when receiving a query $f_i$, do the following:

(a) Let $\hat{f}_i = f_i(S) + \mathrm{Lap}\!\left(\frac{4}{\varepsilon}\right)$.

(b) If $\hat{f}_i \ge \hat{t}$, then output $\top$ and halt.

(c) Otherwise, output $\bot$ and proceed to the next iteration.
Notice that the number of possible rounds is unbounded. Nevertheless, this process preserves differential privacy:

Theorem 2.4 ([19]).

Algorithm AboveThreshold is $(\varepsilon,0)$-differentially private.
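AboveThreshold transliterates directly into code. The following is a sketch (not a hardened implementation), using the standard noise scales $\frac{2}{\varepsilon}$ for the threshold and $\frac{4}{\varepsilon}$ for the queries:

```python
import random

def above_threshold(database, queries, threshold, epsilon, rng=random):
    """Privately report the index of the first query whose value on
    `database` (noisily) exceeds `threshold`. `queries` is an iterable of
    sensitivity-1 functions; returns None if no query fires."""
    def lap(b):
        # Lap(b) as a difference of two exponentials
        return rng.expovariate(1 / b) - rng.expovariate(1 / b)

    t_hat = threshold + lap(2 / epsilon)  # noisy threshold
    for i, f in enumerate(queries):
        if f(database) + lap(4 / epsilon) >= t_hat:
            return i  # output "top" and halt
    return None  # output "bottom" for every query
```

The privacy cost is paid only once, no matter how many below-threshold queries are answered, which is what makes the tool so useful for long streams.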
Privately approximating the median of the data.
Given a database $S \in X^n$, consider the task of privately identifying an approximate median of $S$. Specifically, for an error parameter $\Gamma$, we want to identify an element $x \in X$ such that there are at least $\frac{n}{2} - \Gamma$ elements in $S$ that are bigger or equal to $x$, and there are at least $\frac{n}{2} - \Gamma$ elements in $S$ that are smaller or equal to $x$. The goal is to keep the error $\Gamma$ as small as possible, as a function of the privacy parameters $\varepsilon,\delta$, the database size $n$, and the domain size $|X|$.
There are several advanced constructions in the literature with error $\Gamma$ that grows very slowly as a function of the domain size (only polynomially with $\log^*|X|$) [7, 12, 11, 32]. In our application, however, the domain size is already small, and hence, we can use simpler constructions (where the error grows logarithmically with the domain size).
Theorem 2.5.
There exists an $(\varepsilon,\delta)$-differentially private algorithm PrivateMed that, given a database $S \in X^n$, outputs an element $x \in X$ such that with probability at least $1-\beta$ there are at least $\frac{n}{2}-\Gamma$ elements in $S$ that are bigger or equal to $x$, and there are at least $\frac{n}{2}-\Gamma$ elements in $S$ that are smaller or equal to $x$, where $\Gamma = O\!\left(\frac{1}{\varepsilon}\log\frac{|X|}{\beta}\right)$.
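One simple way to realize such a private approximate median is the exponential mechanism with utility equal to (minus) the rank error. The sketch below is our own instantiation for illustration, not necessarily the construction behind Theorem 2.5:

```python
import math
import random

def private_median(database, domain, epsilon, rng=random):
    """Approximate median via the exponential mechanism.

    score(x) is minus the number of database elements that would have to
    change for x to become an exact median; this score has sensitivity 1,
    so sampling x with probability proportional to
    exp(epsilon * score(x) / 2) is (epsilon, 0)-differentially private,
    and the error grows only logarithmically with |domain|."""
    n = len(database)
    def score(x):
        below = sum(1 for y in database if y <= x)
        above = sum(1 for y in database if y >= x)
        return -max(0, (n + 1) // 2 - below, (n + 1) // 2 - above)
    weights = [math.exp(epsilon * score(x) / 2) for x in domain]
    r = rng.random() * sum(weights)
    acc = 0.0
    for x, w in zip(domain, weights):
        acc += w
        if w > 0 and r <= acc:
            return x
    return domain[-1]
```

With a large $\varepsilon$ the mechanism concentrates on exact medians; as $\varepsilon$ shrinks, the output spreads over elements of nearly-median rank.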
Composition of differential privacy.
The following theorem allows us to argue about the privacy guarantees of an algorithm that accesses its input database via several differentially private mechanisms.
Theorem 2.6 ([20]).
Let $0 < \varepsilon, \delta' \le 1$, and let $\delta \in [0,1]$. A mechanism that permits $k$ adaptive interactions with mechanisms that preserve $(\varepsilon,\delta)$-differential privacy (and does not access the database otherwise) ensures $(\varepsilon', k\delta + \delta')$-differential privacy, for $\varepsilon' = \sqrt{2k\ln(1/\delta')}\cdot\varepsilon + 2k\varepsilon^2$.
Generalization properties of differential privacy.

We use the fact that differential privacy implies generalization. Informally, if a predicate is selected by a differentially private algorithm that operates on a database containing i.i.d. samples from some distribution, then (w.h.p.) the empirical average of the predicate on the database is close to its expectation over the underlying distribution.

Theorem 2.7 ([17, 5], informal).

Let $\mathcal{A}$ be an $(\varepsilon,\delta)$-differentially private algorithm that operates on a database of size $k$ and outputs a predicate $h : X \to [0,1]$. Let $S \in X^k$ be a database containing $k$ i.i.d. samples from a distribution $\mathcal{D}$, and let $h \leftarrow \mathcal{A}(S)$. Then, provided that $k$ is large enough, with high probability (over the sampling of $S$ and the coins of $\mathcal{A}$) we have $\left|\frac{1}{k}\sum_{x\in S} h(x) - \operatorname{\mathbb{E}}_{x\sim\mathcal{D}}[h(x)]\right| = O(\varepsilon)$.
3 Differential Privacy as a Tool for Robust Streaming
In this section we present our main construction – algorithm RobustSketch. Recall that the main challenge when designing adversarially robust streaming algorithms is that the elements in the stream can depend on the internal state of the algorithm. To overcome this challenge, we protect the internal state of algorithm RobustSketch using differential privacy.
Suppose that we have an oblivious streaming algorithm $\mathcal{A}$ for a function $g$. In our construction we run $k$ independent copies of $\mathcal{A}$ with independent randomness, and feed the input stream to all of the copies. When a query comes, we aggregate the responses from the $k$ copies in a way that protects the internal randomness of each of the copies using differential privacy. In addition, assuming that the flip number [8]
of the stream is small, we get that the number of times that we need to compute such an aggregated response is small. We use the sparse vector technique (algorithm AboveThreshold)
[19] in order to identify the time steps in which we need to aggregate the responses of the copies of $\mathcal{A}$; the aggregation itself is done using a differentially private algorithm for approximating the median of the responses.

Lemma 3.1.

Algorithm RobustSketch satisfies $(\varepsilon,\delta)$-differential privacy w.r.t. the collection of random strings $r_1,\dots,r_k$ used by the $k$ copies of $\mathcal{A}$.
Proof sketch.
Each execution of the outer loop consists of applying algorithm AboveThreshold and applying algorithm PrivateMed, each of which satisfies differential privacy. The lemma now follows from composition theorems for differential privacy (see Theorem 2.6). ∎
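To make the flow concrete, here is a simplified sketch of the outer loop described above. This is our own reconstruction of the prose (the class names, noise scales, and the exact disagreement test are illustrative assumptions, not the paper's algorithm): $k$ copies of an oblivious algorithm run in parallel, an AboveThreshold-style noisy test detects when the current output drifts away from most copies' estimates, and a private median re-aggregates.

```python
import math
import random

class Exact:  # stand-in "oblivious algorithm": exact distinct counting
    def __init__(self, seed):
        self.rng = random.Random(seed)  # its "random string" r_j
        self.seen = set()
    def update(self, item):
        self.seen.add(item)
    def estimate(self):
        return len(self.seen)

def lap(b, rng):
    # Lap(b) as a difference of two exponentials
    return rng.expovariate(1 / b) - rng.expovariate(1 / b)

def exp_mech_median(values, domain, eps, rng):
    # exponential mechanism over a discretized output range
    n = len(values)
    def score(x):
        below = sum(1 for y in values if y <= x)
        above = sum(1 for y in values if y >= x)
        return -max(0, (n + 1) // 2 - below, (n + 1) // 2 - above)
    weights = [math.exp(eps * score(x) / 2) for x in domain]
    r = rng.random() * sum(weights)
    acc = 0.0
    for x, w in zip(domain, weights):
        acc += w
        if w > 0 and r <= acc:
            return x
    return domain[-1]

class RobustSketch:
    def __init__(self, k, alpha, eps, domain, seed=0):
        self.copies = [Exact(j) for j in range(k)]
        self.k, self.alpha, self.eps = k, alpha, eps
        self.domain = domain            # discretized output range
        self.rng = random.Random(seed)
        self.current = None             # last released aggregate
        self.t_hat = k / 2 + lap(2 / eps, self.rng)  # noisy threshold

    def process(self, item):
        for c in self.copies:
            c.update(item)
        ests = [c.estimate() for c in self.copies]
        # AboveThreshold-style test: how many copies disagree with the
        # current output? (sensitivity 1 w.r.t. any one random string)
        far = sum(1 for z in ests
                  if self.current is None
                  or not (self.current / (1 + self.alpha) <= z
                          <= self.current * (1 + self.alpha)))
        if far + lap(4 / self.eps, self.rng) >= self.t_hat:
            # too many copies disagree: privately re-aggregate and
            # resample the noisy threshold for the next epoch
            self.current = exp_mech_median(ests, self.domain,
                                           self.eps, self.rng)
            self.t_hat = self.k / 2 + lap(2 / self.eps, self.rng)
        return self.current
```

Between re-aggregations the released value is constant, so the number of privacy-charged events is bounded by the flip number rather than by the stream length.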
Recall that algorithm RobustSketch might halt before the stream ends. In the following lemma we show that (w.h.p.) all the answers that RobustSketch returns before it halts are accurate. Afterwards, in Lemma 3.3, we show that (w.h.p.) the algorithm does not halt prematurely.
Lemma 3.2.
Let $\mathcal{A}$ be an oblivious streaming algorithm for a functionality $g$ that guarantees that, with probability at least $1-\delta$, all its estimates are accurate to within a multiplicative error of $(1\pm\alpha)$. Then, with probability at least $1-O(\delta)$, all the estimates returned by RobustSketch before it halts are accurate to within a multiplicative error of $(1\pm O(\alpha))$, even when the stream is chosen by an adaptive adversary, provided that the number of copies $k$ is large enough.
Proof.
First observe that the algorithm samples at most $O(m)$ noises from the Laplace distribution with parameter $O\!\left(\frac{1}{\varepsilon}\right)$ throughout the execution. By the properties of the Laplace distribution, with probability at least $1-\delta$ it holds that all of these noises are at most $O\!\left(\frac{1}{\varepsilon}\log\frac{m}{\delta}\right)$ in absolute value. We continue with the analysis assuming that this is the case.
For $i \in [m]$ let $\vec{a}_i$ denote the stream consisting of the first $i$ updates, and let $z_{i,j}$ denote the estimate returned by the oblivious streaming algorithm $\mathcal{A}$ after the $i$th update, when it is executed with the random string $r_j$ and receives the stream $\vec{a}_i$. Consider the following function, defined over the possible random strings of $\mathcal{A}$:
$$q_i(r) = \mathbb{1}\!\left\{ \mathcal{A}(r; \vec{a}_i) \in (1\pm\alpha)\cdot g(\vec{a}_i) \right\}.$$
Then, by the generalization properties of differential privacy (see Theorem 2.7), assuming that $k$ is large enough, with probability at least $1-\delta$, for every $i \in [m]$ it holds that
$$\frac{1}{k}\sum_{j\in[k]} q_i(r_j) \;\ge\; \operatorname{\mathbb{E}}_{r}\!\left[q_i(r)\right] - O(\varepsilon).$$
We continue with the analysis assuming that this is the case. Now observe that $\operatorname{\mathbb{E}}_{r}[q_i(r)] \ge 1-\delta$ by the utility guarantees of $\mathcal{A}$ (because when the stream is fixed its answers are accurate to within a multiplicative error of $(1\pm\alpha)$ with probability at least $1-\delta$). Thus, for every $i \in [m]$, for at least a $1-\delta-O(\varepsilon) \ge \frac{9}{10}$ fraction of the executions of $\mathcal{A}$ we have $q_i(r_j)=1$, which means that $z_{i,j} \in (1\pm\alpha)\cdot g(\vec{a}_i)$. That is, in every time step $i$ we have that at least $\frac{9}{10}$ of the $z_{i,j}$'s satisfy $z_{i,j} \in (1\pm\alpha)\cdot g(\vec{a}_i)$.
Case (a)
If the algorithm outputs an estimate on Step 3(b)iii (i.e., it keeps its previous estimate $\hat{z}$), then, by our assumption on the noise magnitude, the noisy test conducted by AboveThreshold did not fire, which guarantees that $\hat{z}$ is within a $(1\pm O(\alpha))$ factor of $z_{i,j}$ for at least $\frac{9}{10}$ of the indices $j$ (this is where we use the assumption that $k$ is large enough relative to the noise magnitude). In addition, for at least $\frac{9}{10}$ of the indices $j$ we have $z_{i,j} \in (1\pm\alpha)\cdot g(\vec{a}_i)$. Therefore, there must exist an index $j$ that satisfies both conditions, in which case $\hat{z} \in (1\pm O(\alpha))\cdot g(\vec{a}_i)$, and the estimate we output is accurate.
Case (b)
If the algorithm outputs an estimate on Step 3d, then it is computed using algorithm PrivateMed, which is executed on the database $(z_{i,1},\dots,z_{i,k})$. By Theorem 2.5, assuming that $k$ is large enough,^2

^2 We assume that the estimates that $\mathcal{A}$ returns are in the range $\left[\frac{1}{m^c}, m^c\right]$ for some constant $c$. In addition, before running PrivateMed we may round each $z_{i,j}$ to its nearest power of $(1+\alpha)$, which has only a small effect on the error. There are at most $O\!\left(\frac{c}{\alpha}\log m\right)$ possible powers of $(1+\alpha)$ in that range, and hence, PrivateMed guarantees error at most $\Gamma = O\!\left(\frac{1}{\varepsilon}\log\frac{\log m}{\alpha\delta}\right)$. See Theorem 2.5.

then with probability at least $1-\delta$ algorithm PrivateMed returns an approximate median of the estimates $z_{i,1},\dots,z_{i,k}$, i.e., an element with at least $\frac{k}{2}-\Gamma \ge \frac{k}{10}$ of the $z_{i,j}$'s above it and at least as many below it. Since $\frac{9}{10}$ of the $z_{i,j}$'s satisfy $z_{i,j} \in (1\pm\alpha)\cdot g(\vec{a}_i)$, such an approximate median must also be in the range $(1\pm\alpha)\cdot g(\vec{a}_i)$. This holds simultaneously for all the estimates computed in Step 3d with probability at least $1-O(\delta)$. Note that in Case (b) our estimate is actually accurate to within a factor of $(1\pm\alpha)$, rather than $(1\pm O(\alpha))$.
Overall, with probability at least $1-O(\delta)$, all the estimates returned by the algorithm are accurate to within a multiplicative error of $(1\pm O(\alpha))$. ∎
We now show that, with high probability, the algorithm does not halt before the stream ends.
Lemma 3.3.
Let algorithm RobustSketch be executed with a parameter $\lambda \ge \lambda_{O(\alpha),m}(g)$. With probability at least $1-O(\delta)$, the algorithm does not halt before the stream ends.
Proof.
As in the proof of Lemma 3.2, with probability at least $1-O(\delta)$ it holds that

All of the Laplace noises sampled throughout the execution are at most $O\!\left(\frac{1}{\varepsilon}\log\frac{m}{\delta}\right)$ in absolute value,

All of the estimates returned on Step 3d are accurate to within a multiplicative error of $(1\pm\alpha)$,

In every time step $i$, at least $\frac{9}{10}$ of the $z_{i,j}$'s satisfy $z_{i,j} \in (1\pm\alpha)\cdot g(\vec{a}_i)$.
We continue with the proof assuming that these statements hold. Let $i_1 < i_2$ denote two sequential time steps in which the algorithm outputs an estimate on Step 3d (and such that between $i_1$ and $i_2$ the estimates are computed using Step 3(b)iii), and let $\hat{z}$ denote the estimate outputted at time $i_1$. Since we do not change our estimate between time steps $i_1$ and $i_2$, we know that the output at every time step $i_1 \le i < i_2$ is $\hat{z}$.
Now, since in time step $i_2$ we exit the inner loop (in order to output the estimation using Step 3d), the noisy test conducted by AboveThreshold fired, and hence (by our assumption on the noise magnitude) a constant fraction of the $z_{i_2,j}$'s are not within a $(1\pm O(\alpha))$ factor of $\hat{z}$.

Since at least $\frac{9}{10}$ of the $z_{i_2,j}$'s satisfy $z_{i_2,j} \in (1\pm\alpha)\cdot g(\vec{a}_{i_2})$, there must exist a $j$ such that $z_{i_2,j} \in (1\pm\alpha)\cdot g(\vec{a}_{i_2})$ and $z_{i_2,j}$ is not within a $(1\pm O(\alpha))$ factor of $\hat{z}$. Hence, $\hat{z}$ is not within a $(1\pm O(\alpha))$ factor of $g(\vec{a}_{i_2})$.

Now recall that since in time step $i_1$ we returned the estimate $\hat{z}$ using Step 3d, it holds that $\hat{z} \in (1\pm\alpha)\cdot g(\vec{a}_{i_1})$. So, we have established that $\hat{z} \in (1\pm\alpha)\cdot g(\vec{a}_{i_1})$ and that $\hat{z}$ is far from $g(\vec{a}_{i_2})$, which means that $g(\vec{a}_{i_2})$ differs from $g(\vec{a}_{i_1})$ by a multiplicative factor larger than $(1+O(\alpha))$ or smaller than $\frac{1}{1+O(\alpha)}$.

This means that every time we recompute the estimate on Step 3d, the true value of $g$ has changed by a multiplicative factor of at least $(1+O(\alpha))$ since the previous recomputation. In that case, the number of times we recompute on Step 3d cannot be bigger than the flip number $\lambda_{O(\alpha),m}(g)$. Thus, if the algorithm is executed with a parameter $\lambda \ge \lambda_{O(\alpha),m}(g)$, then (w.h.p.) the algorithm does not halt before the stream ends. ∎
Theorem 3.4.
Let $\mathcal{A}$ be an oblivious streaming algorithm for a functionality $g$ that uses space $L$ and guarantees $\alpha$-accuracy with success probability $1-\delta$ for streams of length $m$. Then there exists an adversarially robust streaming algorithm for $g$ that guarantees $O(\alpha)$-accuracy with success probability $1-O(\delta)$ for streams of length $m$, using space roughly $\sqrt{\lambda_{O(\alpha),m}(g)}\cdot L$, up to factors logarithmic in $m$ and $\frac{1}{\delta}$.
4 Applications
Our algorithm can be applied to a wide range of streaming problems, such as estimating frequency moments, counting the number of distinct elements in the stream, identifying heavy hitters in the stream, estimating the median of the stream, entropy estimation, and more. As an example, we now state the resulting bounds for $F_2$ estimation, i.e., estimating the second moment of the frequency vector.
Definition 4.1.
The frequency vector of a stream $\vec{a} = ((a_1,\Delta_1),\dots,(a_m,\Delta_m))$, where $a_i \in [n]$ and $\Delta_i \in \mathbb{Z}$, is the vector $f \in \mathbb{R}^n$ whose $\ell$th coordinate is $f_\ell = \sum_{i : a_i = \ell} \Delta_i$.

We write $f^{(i)}$ to denote the frequency vector restricted to the first $i$ updates.
In this section we focus on estimating $F_2 = \|f\|_2^2$, the second moment of the frequency vector. That is, after every time step $i$ we want to output an estimation for $\|f^{(i)}\|_2^2 = \sum_{\ell\in[n]} \left(f^{(i)}_\ell\right)^2$.
We will use the following definition.
Definition 4.2 ([29]).
Fix any $\alpha \ge 1$. A data stream $\vec{a} = ((a_1,\Delta_1),\dots,(a_m,\Delta_m))$, where $a_i \in [n]$ and $\Delta_i \in \mathbb{Z}$, is said to be an $\alpha$-bounded deletion stream if at every time step $i$ we have $\|f^{(i)}\|_2^2 \ge \frac{1}{\alpha}\|h^{(i)}\|_2^2$, where $h^{(i)}$ is the frequency vector of the stream with updates $(a_1,|\Delta_1|),\dots,(a_i,|\Delta_i|)$ (i.e., the insertion-only stream obtained by replacing every deletion with an insertion).
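These definitions translate directly into code. The helpers below are our own, for illustration: they compute the frequency vector, the second moment, and check the bounded-deletion condition on every prefix.

```python
from collections import defaultdict

def frequency_vector(updates):
    """`updates` is a list of (item, delta) pairs; returns {item: frequency}."""
    f = defaultdict(int)
    for a, d in updates:
        f[a] += d
    return f

def f2(freq):
    """Second moment ||f||_2^2 of a frequency vector."""
    return sum(v * v for v in freq.values())

def is_alpha_bounded_deletion(updates, alpha):
    """Check the bounded-deletion condition at every prefix: the F2 of the
    signed stream is at least a 1/alpha fraction of the F2 of the stream
    with all deletions flipped to insertions."""
    for i in range(1, len(updates) + 1):
        prefix = updates[:i]
        signed = f2(frequency_vector(prefix))
        unsigned = f2(frequency_vector([(a, abs(d)) for a, d in prefix]))
        if unsigned > 0 and signed < unsigned / alpha:
            return False
    return True
```

An insertion-only stream is 1-bounded (the two vectors coincide), while heavy cancellation forces a large $\alpha$.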
The following lemma relates the bounded deletion parameter to the flip number of the stream.
Lemma 4.3 ([8]).
The $(\varepsilon,m)$-flip number of $F_2$ on an $\alpha$-bounded deletion stream is at most $O\!\left(\frac{\alpha}{\varepsilon}\log m\right)$.
The following theorem is now obtained by applying algorithm RobustSketch with the oblivious $F_2$ estimation algorithm of [30], which uses space $O\!\left(\frac{1}{\varepsilon^2}\log m \log\frac{1}{\delta}\right)$.
Theorem 4.4.
There is an adversarially robust $F_2$ estimation algorithm for $\alpha$-bounded deletion streams of length $m$ that guarantees $\varepsilon$-accuracy with probability at least $1-\delta$. The space used by the algorithm is roughly $\frac{\sqrt{\alpha}}{\varepsilon^{2.5}}$, up to factors logarithmic in $m$ and $\frac{1}{\delta}$.
In contrast, the $F_2$ estimation algorithm of [8] for $\alpha$-bounded deletion streams uses space roughly $\frac{\alpha}{\varepsilon^{3}}$ (again up to logarithmic factors). Specifically, the space bound of [8] grows linearly with $\alpha$, whereas ours only grows as $\sqrt{\alpha}$ (at the cost of additional logarithmic factors). As we mentioned, our results are also meaningful for the insertion-only model. Specifically,
Lemma 4.5 ([8]).
The $(\varepsilon,m)$-flip number of $F_2$ on an insertion-only stream is at most $O\!\left(\frac{1}{\varepsilon}\log m\right)$.
The following theorem is obtained by applying algorithm RobustSketch with the oblivious $F_2$ estimation algorithm of [10], which uses space $O\!\left(\frac{1}{\varepsilon^2}\right)$ memory words (up to factors logarithmic in $\frac{1}{\varepsilon}$ and doubly logarithmic in $m$).
Theorem 4.6.
There is an adversarially robust $F_2$ estimation algorithm for insertion-only streams of length $m$ that guarantees $\varepsilon$-accuracy with probability at least $1-\delta$. The space used by the algorithm is roughly $\frac{1}{\varepsilon^{2.5}}$, up to factors logarithmic in $m$ and $\frac{1}{\delta}$.
In contrast, the $F_2$ estimation algorithm of [8] for insertion-only streams uses space roughly $\frac{1}{\varepsilon^{3}}$ (up to logarithmic factors). Our bound, therefore, improves the space dependency on $\frac{1}{\varepsilon}$ (at the cost of additional logarithmic factors).
Acknowledgments
The authors are grateful to Amos Beimel and Edith Cohen for many helpful discussions.
References
 [1] K. J. Ahn, S. Guha, and A. McGregor. Analyzing graph structure via linear measurements. In Y. Rabani, editor, Proceedings of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2012, Kyoto, Japan, January 17-19, 2012, pages 459–467. SIAM, 2012.
 [2] K. J. Ahn, S. Guha, and A. McGregor. Graph sketches: sparsification, spanners, and subgraphs. In M. Benedikt, M. Krötzsch, and M. Lenzerini, editors, Proceedings of the 31st ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, PODS 2012, Scottsdale, AZ, USA, May 20-24, 2012, pages 5–14. ACM, 2012.
 [3] N. Alon, Y. Matias, and M. Szegedy. The space complexity of approximating the frequency moments. J. Comput. Syst. Sci., 58(1):137–147, 1999.
 [4] Z. Bar-Yossef, T. S. Jayram, R. Kumar, D. Sivakumar, and L. Trevisan. Counting distinct elements in a data stream. In J. D. P. Rolim and S. Vadhan, editors, Randomization and Approximation Techniques in Computer Science, pages 1–10, Berlin, Heidelberg, 2002. Springer Berlin Heidelberg.

 [5] R. Bassily, K. Nissim, A. D. Smith, T. Steinke, U. Stemmer, and J. Ullman. Algorithmic stability for adaptive data analysis. In D. Wichs and Y. Mansour, editors, Proceedings of the 48th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2016, Cambridge, MA, USA, June 18-21, 2016, pages 1046–1059. ACM, 2016.
 [6] A. Beimel, I. Haitner, N. Makriyannis, and E. Omri. Tighter bounds on multiparty coin flipping via augmented weak martingales and differentially private sampling. In M. Thorup, editor, 59th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2018, Paris, France, October 7-9, 2018, pages 838–849. IEEE Computer Society, 2018.
 [7] A. Beimel, K. Nissim, and U. Stemmer. Private learning and sanitization: Pure vs. approximate differential privacy. In APPROX-RANDOM, volume 8096 of Lecture Notes in Computer Science, pages 363–378. Springer, 2013.
 [8] O. Ben-Eliezer, R. Jayaram, D. P. Woodruff, and E. Yogev. A framework for adversarially robust streaming algorithms. CoRR, abs/2003.14265, 2020.
 [9] O. Ben-Eliezer and E. Yogev. The adversarial robustness of sampling. CoRR, abs/1906.11327, 2019.

 [10] J. Blasiok, J. Ding, and J. Nelson. Continuous monitoring of l_p norms in data streams. In K. Jansen, J. D. P. Rolim, D. Williamson, and S. S. Vempala, editors, Approximation, Randomization, and Combinatorial Optimization. Algorithms and Techniques, APPROX/RANDOM 2017, August 16-18, 2017, Berkeley, CA, USA, volume 81 of LIPIcs, pages 32:1–32:13. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.
 [11] M. Bun, C. Dwork, G. N. Rothblum, and T. Steinke. Composable and versatile privacy via truncated CDP. In STOC, pages 74–86, 2018.
 [12] M. Bun, K. Nissim, U. Stemmer, and S. P. Vadhan. Differentially private release and learning of threshold functions. In FOCS, pages 634–649, 2015.
 [13] M. Charikar, K. Chen, and M. Farach-Colton. Finding frequent items in data streams. In Proceedings of the 29th International Colloquium on Automata, Languages and Programming, ICALP ’02, page 693–703, Berlin, Heidelberg, 2002. Springer-Verlag.
 [14] G. Cormode and S. Muthukrishnan. An improved data stream summary: the count-min sketch and its applications. Journal of Algorithms, 55(1):58–75, 2005.
 [15] G. Cormode and S. Muthukrishnan. What’s hot and what’s not: Tracking most frequent items dynamically. ACM Trans. Database Syst., 30(1):249–278, Mar. 2005.
 [16] M. Datar, A. Gionis, P. Indyk, and R. Motwani. Maintaining stream statistics over sliding windows. SIAM Journal on Computing, 31(6):1794–1813, 2002.
 [17] C. Dwork, V. Feldman, M. Hardt, T. Pitassi, O. Reingold, and A. L. Roth. Preserving statistical validity in adaptive data analysis. In STOC, pages 117–126. ACM, 2015.
 [18] C. Dwork, F. McSherry, K. Nissim, and A. Smith. Calibrating noise to sensitivity in private data analysis. In TCC, volume 3876 of Lecture Notes in Computer Science, pages 265–284. Springer, 2006.
 [19] C. Dwork, M. Naor, O. Reingold, G. N. Rothblum, and S. P. Vadhan. On the complexity of differentially private data release: efficient algorithms and hardness results. In M. Mitzenmacher, editor, STOC, pages 381–390. ACM, 2009.
 [20] C. Dwork, G. N. Rothblum, and S. P. Vadhan. Boosting and differential privacy. In FOCS, pages 51–60. IEEE Computer Society, 2010.
 [21] M. Elkin and J. Zhang. Efficient algorithms for constructing (1+epsilon, beta)-spanners in the distributed and streaming models. Distributed Comput., 18(5):375–385, 2006.
 [22] P. Flajolet and G. N. Martin. Probabilistic counting algorithms for data base applications. Journal of Computer and System Sciences, 31(2):182–209, 1985.
 [23] A. C. Gilbert, B. Hemenway, A. Rudra, M. J. Strauss, and M. Wootters. Recovering simple signals. In 2012 Information Theory and Applications Workshop, pages 382–391, 2012.
 [24] A. C. Gilbert, B. Hemenway, M. J. Strauss, D. P. Woodruff, and M. Wootters. Reusable low-error compressive sampling schemes through privacy. In 2012 IEEE Statistical Signal Processing Workshop (SSP), pages 536–539, 2012.
 [25] M. Hardt and G. N. Rothblum. A multiplicative weights mechanism for privacy-preserving data analysis. In FOCS, pages 61–70. IEEE Computer Society, 2010.
 [26] M. Hardt and J. Ullman. Preventing false discovery in interactive data analysis is hard. In FOCS, pages 454–463, 2014.
 [27] M. Hardt and D. P. Woodruff. How robust are linear sketches to adaptive inputs? In STOC, pages 121–130. ACM, June 14 2013.
 [28] P. Indyk and D. Woodruff. Optimal approximations of the frequency moments of data streams. In Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, STOC ’05, page 202–208, New York, NY, USA, 2005. Association for Computing Machinery.
 [29] R. Jayaram and D. P. Woodruff. Data streams with bounded deletions. In J. V. den Bussche and M. Arenas, editors, Proceedings of the 37th ACM SIGMOD-SIGACT-SIGAI Symposium on Principles of Database Systems, Houston, TX, USA, June 10-15, 2018, pages 341–354. ACM, 2018.
 [30] D. M. Kane, J. Nelson, and D. P. Woodruff. On the exact space complexity of sketching and streaming small norms. In M. Charikar, editor, Proceedings of the Twenty-First Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2010, Austin, Texas, USA, January 17-19, 2010, pages 1161–1178. SIAM, 2010.
 [31] D. M. Kane, J. Nelson, and D. P. Woodruff. An optimal algorithm for the distinct elements problem. In Proceedings of the Twenty-Ninth ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, PODS ’10, page 41–52, New York, NY, USA, 2010. Association for Computing Machinery.
 [32] H. Kaplan, K. Ligett, Y. Mansour, M. Naor, and U. Stemmer. Privately learning thresholds: Closing the exponential gap. CoRR, abs/1911.10137, 2019.
 [33] G. Kellaris, G. Kollios, K. Nissim, and A. O’Neill. Accessing data while preserving privacy. CoRR, abs/1706.01552, 2017.
 [34] G. S. Manku and R. Motwani. Approximate frequency counts over data streams. In Proceedings of 28th International Conference on Very Large Data Bases, VLDB 2002, Hong Kong, August 20-23, 2002, pages 346–357. Morgan Kaufmann, 2002.
 [35] F. McSherry and K. Talwar. Mechanism design via differential privacy. In FOCS, pages 94–103. IEEE Computer Society, 2007.
 [36] I. Mironov, M. Naor, and G. Segev. Sketching in adversarial environments. SIAM J. Comput., 40(6):1845–1870, 2011.
 [37] S. Muthukrishnan. Data streams: Algorithms and applications. Foundations and Trends® in Theoretical Computer Science, 1(2):117–236, 2005.
 [38] J. Nelson. Sketching and streaming algorithms. PhD thesis, Massachusetts Institute of Technology, Cambridge, MA, USA, 2011.
 [39] K. Nissim, A. D. Smith, T. Steinke, U. Stemmer, and J. Ullman. The limits of post-selection generalization. In S. Bengio, H. M. Wallach, H. Larochelle, K. Grauman, N. Cesa-Bianchi, and R. Garnett, editors, Advances in Neural Information Processing Systems 31: Annual Conference on Neural Information Processing Systems 2018, NeurIPS 2018, 3-8 December 2018, Montréal, Canada, pages 6402–6411, 2018.
 [40] K. Nissim and U. Stemmer. Concentration bounds for high sensitivity functions through differential privacy. J. Priv. Confidentiality, 9(1), 2019.
 [41] T. Steinke and J. Ullman. Interactive fingerprinting codes and the hardness of preventing false discovery. In COLT, pages 1588–1628, 2015.