Differentially Private LQ Control

07/12/2018 ∙ by Kasra Yazdani, et al. ∙ 0

As multi-agent systems proliferate and share more and more user data, new approaches are needed to protect sensitive data while still guaranteeing successful operation. To address this need, we present a private multi-agent LQ control framework. We consider problems in which each agent has linear dynamics and the agents are coupled by a quadratic cost. Generating optimal control values for the agents is a centralized operation, and we therefore introduce a cloud computer into the network for this purpose. The cloud is tasked with aggregating agents' outputs, computing control inputs, and transmitting these inputs to the agents, which apply them in their state updates. Agents' state information can be sensitive and we therefore protect it using differential privacy. Differential privacy is a statistical notion of privacy enforced by adding noise to sensitive data before sharing it, and agents will therefore add noise to all data before sending it to the cloud. The result is a private multi-agent LQG framework in which agents' states are protected from both the cloud and other agents. Adding noise to agents' data certainly impacts the performance of the system, and we provide a trade-off between agents' privacy levels and the entropy seen at the cloud as a measure of how difficult it is to compute control values when privacy is enforced. We further characterize this system by bounding the accuracy with which an adversary could predict agents' states by using the differentially private information they share. Simulation results are provided to validate the theoretical developments made.



There are no comments yet.


page 22

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

MANY multi-agent systems, such as smart power grids, robotic swarms, and traffic monitoring systems, require agents to exchange information to work together. In some cases, the information shared may be rather sensitive. For example, power consumption data in a smart power grid can expose certain habits, behaviors, and activities of an individual including his or her daily schedule [1, 2, 3, 4, 5]. Sensitive user data should therefore be protected when it is shared, though of course it must remain useful in multi-agent coordination. Hence, providing privacy in the setting of multi-agent control should protect sensitive data from the recipient of a transmission while still ensuring that transmitted data remains useful to that recipient.

Recently, privacy of this form has been achieved using differential privacy. Differential privacy originates in the database literature, and was originally designed to protect sensitive data of individuals when databases are queried [6, 7, 8]. The overall goal of differential privacy is to allow accurate statistical analyses of a population while providing strong, provable privacy guarantees to individuals. Differential privacy is an attractive choice of privacy framework because it is immune to post-processing [9], in the sense that further computations can be performed on private data without affecting the privacy guarantees afforded to an individual. For example, filtering private data can be done without threatening single users’ privacy [10, 11]. Another motivation for using differential privacy is its robustness to side information [12], which means that its privacy guarantees are not defeated by an adversary who has gained access to additional information about data-producing entities.

Recently, the notion of differential privacy has been extended to dynamical systems [10] in which trajectory-valued data must be protected, and it is this notion of differential privacy that we use in the multi-agent control setting. Differential privacy for dynamical systems is implemented at the trajectory level, which guarantees that an output data stream does not expose the state trajectory of a system. The existing literature provides other methods such as -anonymity [13] and homomorphic encryption [14] to protect sensitive data. Neither of these techniques readily accomplishes one of the objectives of this paper, which is to conceal sensitive information from the cloud while enabling the cloud to compute optimal control values for agents, as we detail below. In general, -anonymity is not robust to side information and we expect homomorphic encryption to scale poorly with the size of a network, mainly because of its significant computational burden.

In this paper, we use differential privacy to develop a private multi-agent LQ control framework. Adding noise makes this problem equivalent to a multi-agent linear quadratic Gaussian (LQG) problem, and the optimal controller will be linear in the expected value of agents’ states. Computing this expected value is a centralized operation, and we therefore augment the network with a cloud computer [15]. In contrast to some existing approaches, the cloud is not a trusted third party and does not receive sensitive information from any agent [16]

. The cloud instead gathers private information from the agents, estimates their current states, and generates optimal control inputs. These inputs are transmitted back to the agents which apply them in their local state updates, and then this process of exchanging information and updating states repeats.

We consider a discrete-time LQG tracking control problem in which each agent’s state evolves according to linear dynamics and where the cloud computes optimal control inputs that minimize the expected quadratic state-tracking error and input energy over time. The LQG control problem formulation is well-studied and widely used in optimal control [17, 18, 19, 20], and has broad applications across network systems. For example, the authors in [21] investigate an implementation of an LQG problem formulation to control power flows among microgrids. Our formulation uses differential privacy to keep both each agent’s state trajectory and its reference trajectory’s limit private. Adding the noise required to do so will of course affect the functioning of the system, and we bound these effects to give a rigorous understanding of their influence. In particular, we quantify the effects of privacy by bounding the entropy seen by the cloud as a means of bounding how difficult it is for the cloud to generate control values for the agents. After that, we bound the error in an adversary’s predictions of the agents’ states. This bound is in terms of problem data and agents’ privacy parameters, and it provides a quantitative demonstration of how differential privacy protects the agents’ state trajectories by making an adversary’s predictions inaccurate.

A preliminary version of this work appeared in [22]. The privacy framework proposed in this paper differs from that in [22] because it does not rely on a trusted aggregator and keeps all data private from the cloud. Work in [22] also gave an entropy upper bound and this paper adds a complementary lower bound, while also bounding an adversary’s ability to predict agents’ states. This paper further allows for each agent to track a reference and protects its reference trajectory with differential privacy, while [22] did not accommodate reference trajectories. Finally, this paper provides additional simulation results for the private LQG problem.

The rest of the paper is organized as follows. Section II provides the privacy background needed for the rest of the paper. Section III defines the cloud-enabled differentially private LQG problem. Section IV then gives a closed-form solution to this problem and provides an algorithm for implementing it, as well as bounds on the entropy induced by privacy and bounds on error when predicting agents’ states using private information. Next, we provide numerical simulations in Section V, and then Section VI concludes the paper.

Ii Review of Differential Privacy

In this section, we review the notion of differential privacy and its implementation. Differential privacy is a rigorous notion of privacy which allows accurate analyses of aggregate data while preserving the privacy of individuals [23, 9]. Differential privacy is an attractive means of protecting sensitive data because post-processing on private data does not reduce its privacy guarantees. In particular, filtering private data is permitted without affecting the privacy of an individual. Moreover, once differential privacy is implemented, an adversary with complete knowledge of the mechanism used to privatize data has no advantage over an adversary without this knowledge, meaning that differential privacy is robust to mechanism knowledge [8, 9].

For all of these reasons, we will implement differential privacy in a multi-agent LQ setting. Two types of privacy are considered below. First the notion of differential privacy is reviewed for static databases. Second, privacy for trajectories of dynamical systems is discussed, and both forms of privacy will be applied in Section IV. We present both because this paper uses two instantiations of differential privacy for different data types, and we present this background to highlight the intricacies of jointly using these two privacy formulations. We first review the basic definitions required for formally defining differential privacy and then describe the privacy mechanisms we use in the remainder of the paper. Below, we use the notation for .

Ii-a Differential Privacy for Static Databases

We begin with differential privacy for static data [9, 12]. Consider a collection of agents, where agent has sensitive data for some . Differential privacy for databases seeks to protect sensitive data of individuals while allowing for accurate aggregate queries of groups of users. It does so by making adjacent databases produce responses to queries which are similar in a precise sense, making the databases approximately indistinguishable to the recipient of the queries’ outputs. In this work, we provide differential privacy on an individual basis and the forthcoming background is tailored to this approach. A query is a map , where

is the collection of all datasets of interest which we treat as vectors in

. can represent the set of possible salaries, ages, or essentially any other collection of sensitive numerical data. A more extended discussion of all possible types of databases is given in [9], though treating databases as vectors is one common approach and it is sufficient for our purposes. An adversary or eavesdropper only has access to these privatized outputs and does not have access to the underlying data which produced them. Therefore, the definition of adjacency is a key component of any privacy implementation as it specifies which pieces of sensitive data must be made approximately indistinguishable to any adversary or eavesdropper in order to protect their exact values. The adjacency relation used for database-style privacy in this setting is defined next.

Definition 1.A.

(Adjacency for Databases) Fix an adjacency parameter . The adjacency relation is defined for all as

In words, two databases are adjacent if and only if they differ at most by . Using this definition of adjacency, we next define the sensitivity of a query which will be used below in defining a privacy mechanism.

Definition 2.A.

(Sensitivity for Databases) The -norm sensitivity of a query is defined as the greatest distance between two query responses which correspond to adjacent databases. Formally,

The sensitivity of a query is used to determine how much noise must be added to enforce differential privacy. Noise is added by a mechanism,

which is a randomized map used to implement differential privacy. It is the role of a mechanism to approximate queries’ outputs with private responses. Below, we give a formal definition of differential privacy for static databases which specifies the probabilistic guarantees that a mechanism must provide. To do so, we first fix a probability space

. This definition considers outputs in the space and uses the Borel over , denoted [24].

Definition 3.A.

(Differential Privacy for Databases) Let and be given. A mechanism is -differentially private if and only if, for all adjacent databases ,

In words, for two adjacent databases the outputs of the mechanism should be statistically close in the sense defined above. The constants and tune the level of privacy afforded to the agents, and typical values of range from to , while values of are usually kept below . In general, smaller values of each provide stronger privacy guarantees.

We will now formally state the Gaussian mechanism which ensures -differential privacy

for the database setting. The Gaussian mechanism perturbs query outputs with independent and identically distributed (i.i.d) zero mean noise drawn from a Gaussian distribution, and it is defined in terms of the

, which is given by


The following lemma formally states that the Gaussian mechanism indeed guarantees -differentially privacy.

Lemma 1.

(Gaussian Mechanism for Databases) Let privacy parameters and be given. Let be a query and denote its -norm sensitivity by . The Gaussian mechanism which is defined by , where and is bounded according to


is -differentially private.

Proof: See [10, Theorem 3].

Ii-B Differential Privacy for Dynamic Systems

Having defined privacy for databases, we now review the notion of differential privacy for dynamic systems to keep the trajectories of individuals differentially private. Below, we will consider vector-valued trajectories of the form


where for all . We also define the norm


where is the ordinary on . We further define the set


As above, we consider a collection of agents, and we denote agent ’s state trajectory by . The element of the trajectory is denoted by for some . The state trajectory is contained in the set , which is the set of sequences of vectors in whose finite truncations are all in . Formally, we define the truncation operator over trajectories according to


and we say that if and only if for all .

As with database privacy, the choice of adjacency relation is a critical part of any differential privacy implementation for trajectories. We define our adjacency relation now over the space defined above.

Definition 1.B.

(Adjacency For Dynamic Systems) Fix an adjacency parameter . The adjacency relation is defined for all as

In words, two trajectories are adjacent if and only if the distance between them is less than or equal to . This adjacency relation therefore requires that every agent’s state trajectory be made approximately indistinguishable from all other state trajectories not more than distance away when differential privacy is implemented. The choice of adjacency relation gives rise to the notion of sensitivity of a dynamical system, which we define now.

Definition 2.B.

(Sensitivity for Dynamic Systems) The sensitivity of a dynamical system is defined as the greatest distance between two output trajectories which correspond to adjacent state trajectories. Formally, for

Next, we give a formal definition of differential privacy for dynamic systems which specifies the probabilistic guarantees that a mechanism must provide. To do so, we will use the probability space that was defined above. This definition considers outputs in the space and uses a over , denoted . We omit a formal construction of this -algebra as the technical details are not particularly important in this work, though this construction can be bound in [24].

Definition 3.B.

(Differential Privacy for Dynamic Systems) Let and be given. A mechanism is -differentially private if and only if, for all adjacent , we have

In some cases, it is possible to set , and -differential privacy is referred to simply as -differential privacy. In this paper, we consider only cases in which because enforcing -differential privacy can be done with the Gaussian mechanism, which adds Gaussian noise for privacy, and using this mechanism allows us to draw from a substantial existing literature on LQG control. Toward doing so, we present the following lemma specifying that the Gaussian mechanism for trajectories indeed guarantees -differential privacy.

Lemma 2.

(Gaussian Mechanism for Dynamic Systems) Let privacy parameters and be given. Let denote a system with state trajectories in and outputs in , and denote its -norm sensitivity by . Then the Gaussian mechanism for -differential privacy takes the form


where is a stochastic process with , is the identity matrix, and


This Gaussian mechanism provides -differential privacy.

Proof: See [10, Corollary 1].

In words, the Gaussian mechanism adds i.i.d Gaussian noise point-wise in time to the output of the system to keep its state trajectory private. For convenience, we define the function


and we will use the Gaussian mechanism to enforce differential privacy for the remainder of the paper.

Ii-C Comparison Between Differential Privacy for Dynamic Systems and Static Databases

In this section, we highlight the differences and similarities between privacy for static databases and privacy for dynamical systems. A precise mathematical definition of differential privacy for static databases is given in [8], while differential privacy for dynamic systems was introduced in [10]. These are two distinct, standard methods of implementing differential privacy for two different data types, and the privacy needs and guarantees of each setting are different.

Both static databases and dynamical systems consist of numerical data. ”Masking” sensitive numerical data with differential privacy is accomplished by adding noise to the data or some function of it. For a scalar-valued query of a database, differential privacy is achieved by adding a random element of comparable dimension, i.e., scalar-valued noise is added to a scalar-valued query. In the same fashion, trajectories are made private by adding noise in the form of a stochastic process, which is the analogous means of adding ”noise” of the appropriate dimension. Trajectories are shared so that the recipients receive the outputs pointwise in time. These shared pieces of data are not repeated queries and should be understood as an agent sharing a single piece of trajectory-valued data which happens to be received piece-by-piece in time. Sharing these outputs does not constitute many queries, and, instead, over time these outputs combine to form a single trajectory-valued data release.

The privacy guarantees of these two settings are of course different. These differences are encapsulated in the adjacency relations appropriate to the spaces in which the sensitive data is contained. Ultimately, we are applying the standard form of differential privacy for each of the data types considered. In fact, our contribution is not to the theory of differential privacy itself necessarily. Our contribution mainly rests in taking one of the most widely-used problems in the control literature and making it differentially private in a general way, which we introduce formally in the next section.

Iii Problem Formulation

In this section we introduce the multi-agent LQG tracking control problem to be solved privately. First, we give the agents’ individual dynamics and equivalent network-level dynamics. Then, we introduce a cloud computer and formally state the private control problem to be solved. Below, we use the notation and to indicate that a matrix is positive semi-definite or positive definite, respectively. Similarly, we write and to indicate that and , respectively. We use the notation to denote the matrix direct sum of through ; if these matrices are square, the notation denotes a block diagonal matrix with blocks through .

Iii-a Multi-Agent LQ Formulation

Consider a collection of agents, indexed over . At time , agent has state vector for some , which evolves according to


where , , is agent input at time , is process noise, and where and

are time-invariant matrices. The probability distribution of the process noise is given as

, where

, and all such terms have finite variance. Furthermore,

and are uncorrelated for all agents and and all times . In addition, does not depend on prior disturbances for any , but it may be explicitly dependent upon and .

To analyze the agents’ behavior in aggregate, we define the network-level state and control vectors as


where and . By defining , , and , we have the network-level state dynamics


We consider infinite-horizon problems in which the agents jointly incur the cost


where and are symmetric and positive definite. The vector is agent ’s desired state at time , and we define the network-level desired state at time as . The full aggregate reference trajectory is denoted , and we assume


is finite, i.e., has a limiting value. The linear dynamics in Equation (12) and quadratic cost in Equation (13) together define a linear-quadratic (LQ) optimal control problem, a canonical class of optimal control problems [25, 26, 27]. The structure of this cost function allows us to penalize deviation from the reference trajectory so that agents’ controllers push it towards .

The quadratic cost structure in Equation (13) along with the linear state dynamics in Equation (12) are widely used in optimal control and have broad applications across network systems. For example, the authors in [28] propose an LQG control scheme for robotic teleoperation. In another application, the authors in [29] implemented an LQG controller over a communication network to compensate for delays. In addition, linear dynamics together with LQG control have been incorporated in many smart grid applications such as [30, 31, 32, 33] and traffic congestion problems such as [34, 35]. All of these works consider linear dynamical systems with quadratic costs, and these applications and many others represent potential real-world use cases for private LQG.

The problem considered below is distinct from the existing literature because it incorporates the exchange of differentially privatized data in order to protect agents’ state trajectories, which, to the best of our knowledge, has not been done before in an LQ tracking control problem. More formally, Problem 1 provides a basic private control problem statement, given next.

Problem 1.

Given an initial random measurement of the network state,


subject to the network dynamics


while keeping agent ’s state trajectory and desired trajectory differentially private with agent-provided privacy parameters .

Iii-B Cloud-Based Aggregation

In Problem 1, the cost is generally non-separable due to its quadratic form. This non-separability means that cannot be minimized by each agent using only knowledge of its own state. Instead, each agent’s optimal control vector will, in general, depend upon all states in the network. To compute the required optimal control vectors, one may be tempted to have an agent aggregate all agents’ states and then perform the required computations, though this inequitably distributes the computational load across agents, and, in some settings, the aggregate cost may only be known by a central network operator. We therefore introduce a cloud computer to aggregate and process information and distribute it to the agents. The technology of cloud computing provides the ability to communicate with many agents, rapidly perform demanding computations, and broadcast the results. Moreover, these capabilities can be seamlessly and remotely added into networks of agents, making the cloud a natural choice of central aggregator for this work [15].

At time , the cloud requests from agent the value , where is a constant matrix. We refer to as either agent output or as agent state measurement. To protect its state trajectory, agent sends a differentially private form of to the cloud. Using these values from each agent, the cloud computes the optimal controller for each agent at time . The cloud sends these control values to the agents, the agents use them in their local state updates, and then this process of exchanging information repeats. Next we specify the exact manner in which each agent makes its transmissions to the cloud differentially private.

Iii-C Differentially Private Communications

At time , agent transmission of to the cloud can potentially reveal its state trajectory, thereby compromising agent privacy. Accordingly, agent adds noise to the state measurement before sending it to the cloud in order to keep its state trajectory differentially private according to the rules of trajectory-level differential privacy in Section II-B. In this work, the system introduced in Definition 2.B, is a memory-less dynamical system which is a map that maps to at each point in time, and this is what we will privatize. Agent first selects its own privacy parameters and . Supposing that agent uses the adjacency relation for some (cf. Definition 1.B), we have the following elementary lemma concerning the -norm sensitivity of , which we denote .

Lemma 3.

The -norm sensitivity of satisfies , where

denotes the maximum singular value of a matrix.

Proof: Consider two trajectories such that , and set and . Then we find

With the bound in Lemma 3, agent sends the cloud


where the privacy noise

is a Gaussian random variable, and where

in accordance with Lemma 2. Defining the matrix , the aggregate privacy vector in the system at time is and we have for all .

In the output Equation (17), measurement noise can be included and all of the forthcoming analyses in this paper readily accommodate this change. However, as this paper is focused on bounding the effects of privacy, we exclude the measurement noise from the subsequent developments in order to isolate the effects of privacy in particular.

In addition to state measurements, the agents’ reference trajectories are a significant source of “side information,” which, if disclosed, can reveal the agents’ intentions and weaken the privacy of their trajectories. Only the limiting value of agent ’s reference trajectory, denoted , will be needed by the cloud and agent will add noise to it before sending it to the cloud. The value of is static in time and we therefore use the database notion of differential privacy for keeping it private and this follows the rules for database style privacy in Section II-A. To protect , agent selects privacy parameters and . Then privacy noise is added according to


where agent chooses the privacy noise for its reference via according to Lemma 1, with and agent using the adjacency relation as in Definition 1.A.

In this privacy implementation, we assume that all matrices and are public information. In addition, we impose the following assumption on the dynamics and cost that are considered.

Assumption 1.

In the cost , and . In addition, the pair is controllable, and there exists a matrix such that and such that the pair is observable.

Assumption 1 guarantees the existence of a solution to a certain algebraic Riccati equation that we will encounter below [26, Chapter 4]. In addition, we assume that , the expected value of the agent initial state, is publicly known, along with agent privacy parameters , , and . We also assume that the matrices and are known only to the cloud and that the cloud does not share these matrices with any agents or eavesdroppers. With this privacy implementation in hand, we next give a private reformulation of Problem 1.

Iii-D Reformulation of Problem 1 with Privacy

Reformulating Problem 1 to account for privacy must explicitly account for the cloud’s knowledge. Agents’ requirement that be kept private means that the cloud cannot use and must instead use in its computations. In addition, because we consider average cost per stage problems (as is common in infinite-horizon LQG), the time-varying nature of agents’ reference trajectories does not affect the final form of the agents’ optimal controllers, and we may substitute the time-varying references for their limit points. Here because the agents privatize , only the privatized limit points can be used for such a purpose, and Problem 2 must take this into account in the cost . Of course, this changes the cost that agents minimize and, in general, will increase it in Problem 2 relative to Problem 1. We first state and solve Problem 2 and then quantify this increase in terms of known parameters in Theorem 2 below as a means of quantifying the impact of privacy. Problem 2 itself is formally stated next.

Problem 2.



over all control signals with , and subject to the dynamics and output equations

where and where is public and agent has specified its privacy parameters and .

Iv Private LQG Tracking Control

In this section we solve Problem 2. Problem 2 takes the form of a linear quadratic Gaussian tracking control problem, which is a well-studied problem in the optimal control literature [36, 17]. We first solve Problem 2 and then quantify the effects of privacy upon this solution. Below, we use the notation to denote the

largest eigenvalue of a matrix and the notation

to denote the largest singular value of a matrix.

Iv-a Solving Problem 2

Due to the stochastic terms in the system, the controllers we develop cannot rely on the exact value of . Instead, the controllers must rely on its expected value conditioned on all past inputs and outputs, denoted in which denotes all information available to the controller at time and is defined as

Problem 2 is an infinite-horizon discrete-time LQG tracking control problem, and it is known [37] that the optimal controller for such problems takes the form






Here, is the unique positive semidefinite solution to the discrete algebraic Riccati equation




Ordinarily, would depend on , though the cloud only has and this is what it must use. Computing the state estimate

can be done for infinite time horizons using a time-invariant Kalman filter

[26, Section 5.2]. This filter has a recursive update law of the form


where the a posteriori error covariance matrix is given by


The a priori error covariance matrix is the unique positive semidefinite solution to the discrete algebraic Riccati equation


Upon substituting Equation (20) into Equation (25), the update law for the Kalman filter takes the form


As discussed in Section III-B, the cloud is responsible for generating control values for each agent at each point in time using Equation (20), and it therefore runs the Kalman filter in Equation (25). Here, we develop an algorithm for the implementation of the controller for each agent at each point in time. The flow of information in the network first has agent send to the cloud at time , then has the cloud form a network level output vector and use it to estimate . Next, the cloud computes , and finally the cloud sends , , to agent . The control signals preserve the differential privacy of all private data, and therefore sharing agent ’s input signal with other agents does not incur any privacy loss.

With respect to implementation, the terms and can be all computed a priori by the cloud a single time and then used repeatedly in generating control values to send to the agents, substantially reducing the cloud’s computational burden at runtime, and allowing it to quickly generate state estimates and control values. With this in mind, we state the full solution to Problem 2 in Algorithm 1, and we formally state the privacy guarantees of Algorithm 1 in the following theorem.

Data: Public information , , , , , , , , ,
1 Initialize the cloud with all public information
2 For all , initialize agent with , , . Agent chooses and knows its exact initial state but does not share it. In addition, agent chooses and computes and sends it to the cloud
3 In the cloud, find using Equation (23), then precompute and using Equation (21) and (22) respectively, according to Equation (26), and using Equation (24)
4 for  do
5       for  do
6             Agent generates
7             Agent sends the cloud the private output
8      In the cloud, compute with Equation (25)
9       In the cloud, compute and send to agent
10       for  do
11             Agent updates its state via
Algorithm 1 Differentially Private LQG (Solution to Problem 2)
Theorem 1.

For all , Algorithm 1 provides -differential privacy for agent ’s state trajectory and -differential privacy for in the multi-agent LQG setting in Problem 2.


Applying Lemma 1, noise added according to privacy parameters provides -differential privacy for the limiting value of each agent’s reference signal, . Using Lemma 2, adding Gaussian noise to the state measurements according to the privacy parameters at each time guarantees -differential privacy for the trajectories of each agent participating in the network. ∎

The information exchanged by the agents and the cloud in Algorithm 1 is summarized in Figure 1.

The following theorem quantifies the the impact of on the total cost incurred by the network. We denote the total cost of the network when using in place of by and we use to denote what the cost would be if itself were used.

Theorem 2.

Suppose that the matrix is invertible. The cost incurred by the network of agents using in place of is


where , , and .


See authors’ technical report in [37]. The last equality is from [38, Equation (318)]. ∎

Fig. 1: Summary of information transmission between the agents and the cloud at initial time , which includes necessary precomputations, and each time .

Iv-B Quantifying the Effects of Privacy

Algorithm 1 solves Problem 2, though it is intuitively clear that adding noise for the sake of privacy will diminish the ability of the cloud to compute optimal control values. Indeed, the purpose of differential privacy in this problem is to protect an agent’s state from the cloud, other agents, and any eavesdroppers. Since the agents’ state values are protected, the cloud is forced to estimate agents’ states in order to generate control values for them. Accordingly, one may wish to quantify the ability of the cloud to accurately estimate the agents’ state values, which is the focus of this subsection.

The cloud both implements a Kalman filter and computes the controller , though noise added for privacy only affects the Kalman filter. To see this, note that the network-level controller defined in Equation (20) takes the form , while the optimal controller with no privacy noise (i.e., for all ) would take the same form with the expectation carried out only over the process noise. Similarly, in the deterministic case of and for all , the optimal controller is . The only difference between these controllers comes from changes in the estimate of or in using exactly. This is an example of the so-called “certainty equivalence principle” [26], and it demonstrates that the controller in Algorithm 1 is entirely unaware of the presence or absence of noise. Instead, the effects of noise in the system are compensated for only by the Kalman filter defined in Equation (25), and we therefore examine the impact of privacy noise upon the Kalman filter in Algorithm 1. Related work in [10] specifies procedures for designing differentially private Kalman filters, though here we use a Kalman filter to process private data and quantify the effects of privacy upon it. To the best of our knowledge this is the first study to do so.

One natural way to study this trade-off is through bounding the information content in the Kalman filter as a function of the privacy noise, as differential privacy explicitly seeks to mask sensitive information by corrupting it with noise. In our case, we consider the differential entropy in the error in as a proxy for the information content of the signals sent to the cloud [39]. Shannon entropy has been used to quantify the effects of differential privacy in other settings, including in distributed linear control systems where database-type differential privacy is applied [36]. Though differential entropy does not have the same axiomatic foundation as Shannon entropy, it is useful for the Gaussian distribution because it bounds the extent of the sublevel sets of , where , i.e., the volume of covariance ellipsoids. We can therefore quantify the effects of differentially private masking upon the cloud by studying how privacy noise changes , which is within a constant factor of the differential entropy of error in . The analysis we present differs from previous work because we apply trajectory-level differential privacy and quantify the resulting differential entropy in a Kalman filter that processes these trajectories. Toward presenting this result, we have the following lemma concerning the determinants of matrices related by a matrix inequality.

Lemma 4.

Let and satisfy . Then and .


This follows from the monotonicity of and the fact that [40, Theorem 16.F.1] when . ∎

Another preliminary lemma needed is Hadamard’s inequality, which we state now.

Lemma 5.

Let . Then


See [40, Theorem 9.B.5]. ∎

The next lemma concerns relating the product of a collection to the maximum element of that collection.

Lemma 6.

Let be a finite collection of real scalars. Then


See Page 71 of [41]. ∎

Below we will also relate the diagonal elements of symmetric matrices to the largest eigenvalues of such matrices, using the following lemma.

Lemma 7.

Let . Then


This follows from the Courant minimax principle; see, e.g., [42], Page 179. ∎

Next, we have the following lemma which gives a matrix upper bound on solutions to a discrete algebraic Riccati equation.

Lemma 8.

Suppose is the unique positive semi-definite solution to the discrete time algebraic Riccati Equation (27), where is diagonal, and define


along with . Then


Furthermore, if




This follows from Theorem 2 in [43]. ∎

We now present our main results on bounding the log-determinant of the steady state Kalman filter error covariance in the private LQG problem. In particular, we study the log-determinant of the a priori error covariance, , because measures the error in the cloud’s predictions about the state of the system. Bounding the log-determinant of therefore bounds the entropy seen at the cloud when making predictions about the state of the network in the presence of noise added for privacy.

Theorem 3.

Let denote the steady-state a priori error covariance in the cloud’s Kalman filter in Algorithm 1. If all hypotheses of Lemma 8 hold and Assumption holds, then


with defined as in Lemma 8, and where the term


is the only one affected by privacy. The privacy dependent parameter is characterized by .


With the hypothesis that is diagonal, we see that


which gives


Lemma 8 then gives


where applying Lemma 4 gives


The argument of the determinant on the right-hand side is a positive-definite matrix, and applying Lemma 5 therefore gives