Metric Differential Privacy on the Special Orthogonal Group SO(3)

Abstract

Differential privacy (DP) is an important framework to provide strong theoretical guarantees on the privacy and utility of released data. Since its introduction in 2006, DP has been applied to various data types and domains. More recently, the introduction of metric differential privacy has improved the applicability and interpretability of DP in cases where the data resides in more general metric spaces. In metric DP, indistinguishability of data points is modulated by their distance. In this work, we demonstrate how to extend metric differential privacy to datasets representing three-dimensional rotations in SO(3) through two mechanisms: a Laplace mechanism on SO(3), and a novel privacy mechanism based on the Bingham distribution. In contrast to other applications of metric DP to directional data, we demonstrate how to handle the antipodal symmetry inherent in SO(3) while transferring privacy from $S^3$ to SO(3). We show that the Laplace mechanism fulfills $ϵ\varphi$-privacy, where $\varphi$ is the geodesic metric on SO(3), and that the Bingham mechanism fulfills $\widetilde{ϵ}\varphi$-privacy with $\widetilde{ϵ}={\displaystyle \frac{\pi }{4}}ϵ$. Through a simulation study, we compare the distribution of samples from both mechanisms and argue about their respective privacy–utility tradeoffs.

1. Introduction

In today’s connected world, privacy concerns are becoming an increasingly important aspect of systems design; this is particularly evident in applications involving machine learning or artificial intelligence. In such contexts, sophisticated and careful balancing of privacy against usability and utility of data has been the focus of considerable research efforts. Much of the current work on privacy protection relies on the concept of differential privacy (DP) [1], which allows for the quantification of the maximal privacy loss an individual could experience upon data release through a parameter $ϵ$. Bounding this parameter then allows the maximal privacy loss to be bounded. In practice, these bounds are usually achieved through noise injection, either modifying the data deposited in the central repository or the response to each query of the data.

The notion of privacy in DP hinges upon the notion of indistinguishability: assume that we have two copies $D,D^{\prime }$ of a database that only differ by the fact that D contains individual d while $D^{\prime }$ does not. If all possible queries have a high probability of agreement in their results on D and $D^{\prime }$, user d has plausible deniability: they can argue convincingly that their data was not contained in the database, and thus, their privacy should not be affected. The parameter $ϵ$ controls the probability with which all queries have to agree, and hence, the level of afforded privacy. However, it is difficult to interpret, so that setting reasonable $ϵ$-thresholds is challenging [2]. Differential privacy techniques have been proposed for many settings of interest, such as image data [3,4]; textual data [5,6]; and location and trajectory data, e.g., [7].

In practice, however, data is often sampled from a domain that corresponds to some metric space with a meaningful distance between data points. This metric structure is neglected in classical DP, but can greatly improve both the applicability and interpretability of DP applications if the indistinguishability demands depend on the distance between data points. For temporal data, for instance, an attacker might be able to infer the year or month of a particular event with reasonable confidence, but not the day, hour, minute, or second, depending on the threshold $ϵ$. Computationally, this is achieved through the ideas of metric differential privacy.  Metric DP mechanisms have been proposed for many metric spaces in the literature, e.g., for location data [2] and directional data [8].

In this work, we consider the problem of protecting three-dimensional rotation data through metric DP. Such rotations occur in many settings of interest. In protein docking, for instance, actors might be interested in allowing access to broad representations of the docking mode, but not the detailed three-dimensional structure. In computer-aided ergonomics, workers might have an interest in obtaining recommendations on how to improve posture and reduce strain, while simultaneously preventing others identifying that they have a high probability of strain-induced medical problems. In all practical applications, it is crucial to balance privacy with utility [9], which requires the use of a suitable metric.

2. Background

In this section, we recapitulate the mathematical structure of rotations in $3D$-space and important results from the theory of directional differential privacy.

2.1. Rotations in ${\mathbb{R}}^3$

Rotations in three-dimensional space can be modeled in a number of different ways, each with its own advantages and drawbacks. Possibly the most familiar representation of rotations in ${\mathbb{R}}^3$ is special orthogonal $3\times 3$ matrices, i.e., those matrices $R\in {\mathbb{R}}^{3\times 3}$ with $R{R}^T=\mathbb{1}$ and $det\left(R\right)=1$ (intuitively, this corresponds to the observation that a rotation only changes the orientation, not the length, of vectors).   These matrices form the special orthogonal group SO(3).  From the matrix representation, it might appear that rotations in $3D$-space are 9-dimensional objects, while in reality, the constraints on these matrices reduce them to a 3-dimensional submanifold of ${\mathbb{R}}^4$. This can be seen from the axis–angle representation: according to Euler’s rotation theorem (also known as the football theorem), each rotation in three dimensions can be represented by a single rotation axis r and an angle $\alpha$. The normalization constraint on r effectively reduces the four dimensions (three entries of r and one angle $\alpha$) to three. Due to normalization, the rotation axis lies on the unit sphere in three dimensions: $r\in S^2$. Since the rotation angle $\alpha$ is constrained to the unit circle, $\alpha \in S^1$, we can represent each rotation as an element of $(S^2\times S^1)$. Please note that this does not imply that SO(3) is diffeomorphic to $(S^2\times S^1)$, and in fact, it is not. The reason for this possibly surprising fact is the antipodal symmetry encoded in SO(3): rotations by $\pi$ and $-\pi$ are identical.

Yet another alternative to represent rotations in ${\mathbb{R}}^3$ uses Hamilton’s quaternions $q\in \mathbb{H}$. Quaternions generalize the complex numbers, which have one real and one imaginary axis, to a four-dimensional structure with one real and three imaginary axes, the basic quaternions $\mathbf{i},\mathbf{j},\mathbf{k}.$ Each quaternion can thus be represented by four real numbers $(a,b,c,d)$, with $q=a+b\mathbf{i}+c\mathbf{j}+d\mathbf{k}$. Multiplication of two quaternions $p=(p_1,p_2,p_3,p_4)$ and $q=(q_1,q_2,q_3,q_4)$ is performed using the Hamilton product:

$$p\odot q=\left(\begin{array}{c}{p}_1{q}_1-p_2{q}_2-p_3{q}_3-p_4{q}_4\\ p_1{q}_2+p_2{q}_1+p_3{q}_4-p_4{q}_3\\ p_1{q}_3-p_2{q}_4+p_3{q}_1+p_4{q}_2\\ p_1{q}_4+p_2{q}_3-p_3{q}_2+p_4{q}_1\end{array}\right)=\underset{=:\tilde{\mathbf{P}}}{\underbrace{\left(\begin{array}{cccc}{p}_1& -p_2& -p_3& -p_4\\ p_2& p_1& -p_4& p_3\\ p_3& p_4& p_1& -p_2\\ p_4& -p_3& p_2& p_1\end{array}\right)}}·\left(\begin{array}{c}{q}_1\\ q_2\\ q_3\\ q_4\end{array}\right)=\tilde{\mathbf{P}}·q$$

with ${\tilde{\mathbf{P}}}^T\tilde{\mathbf{P}}={\mathbb{1}}_{4\times 4}$. Equivalently,

$$p\odot q=\underset{=:\mathbf{Q}}{\underbrace{\left(\begin{array}{cccc}{q}_1& -q_2& -q_3& -q_4\\ q_2& q_1& q_4& -q_3\\ q_3& -q_4& q_1& q_2\\ q_4& q_3& -q_2& q_1\end{array}\right)}}·\left(\begin{array}{c}{p}_1\\ p_2\\ p_3\\ p_4\end{array}\right)=\mathbf{Q}·p$$

with ${\mathbf{Q}}^T\mathbf{Q}={\mathbb{1}}_{4\times 4}$. Conjugation yields the quaternion $\tilde{q}=(q_1,-q_2,-q_3,-q_4)$, and the norm is defined through $\left|\right|q\left|\right|=\sqrt{q\odot \tilde{q}}=\sqrt{q_1^2+q_2^2+q_3^2+q_4^2}$. Quaternions with unit norm $\left|\right|q\left|\right|=1$ are known as versors. Versors are isomorphic to the special unitary group $SU\left(2\right)$, the group of complex $2\times 2$ matrices $M\in {\mathbb{C}}^2$. It can be shown that $SU\left(2\right)$ provides a double cover of SO(3), i.e., every element of SO(3) is represented by two different elements of $SU\left(2\right)$, and hence by two unit quaternions—a result of antipodal symmetry.

Let $q=(w,x,y,z)$ denote a versor. Then, for all pure quaternions v, i.e., quaternions with real part 0, the map $v\mapsto q\odot v\odot \tilde{q}$ is a rotation of v. Here, pure quaternions correspond to vectors in ${\mathbb{R}}^3$. Explicitly computing the Hamilton products in this map yields the rotation matrix:

$$Q=\left[\begin{array}{ccc}1-2y^2-2z^2& 2xy-2zw& 2xz+2yw\\ 2xy+2zw& 1-2x^2-2z^2& 2yz-2xw\\ 2xz-2yw& 2yz+2xw& 1-2x^2-2y^2\end{array}\right]$$

which is equivalent to a rotation around the vector $(x,y,z)$ with angle $2arccos\left(w\right)$. Note that replacing q by $-q$ in the map yields the same rotation, which shows the two-to-one mapping due to antipodal symmetry. Interestingly, locally, in a sufficiently small neighborhood around the identity, SO(3) and $SU\left(2\right)$, and hence the unit quaternions, are indeed isomorphic.

2.2. Distances Between 3D Rotations

Arguing about privacy and indistinguishability hinges upon a suitable notion of distance between two instances. To state, e.g., that the orientations of the skeleton of individual A are hard to distinguish from those of individual B requires us to quantify how close they are. Since rotations in three dimensions, i.e., members of the special orthogonal group SO(3), can be represented as matrices (c.f. Section 2.1), it might seem reasonable to measure distances in terms of established matrix norms (e.g., the p-norms, the max-norm, or the Frobenius-norm); however, these approaches would not respect the topology of SO(3). Topologically, SO(3) is a ball with antipodal symmetry. The effect of the first aspect on distance measurement can be roughly described as follows: imagine a unit ball in three dimensions, and two points on its surface. Measuring distances with a metric taken from ${\mathbb{R}}^n$ ignores that the points live on a sphere and instead connects them using the shortest line in ${\mathbb{R}}^n$, which cuts through the sphere. If we would, e.g., try to describe an equivalent to a Gaussian distribution of 3D rotations in this way, the resulting function would decay exponentially in the length of this straight line, neglecting that the two points can only be connected through paths on the surface. To give an even simpler example: the cities of Madrid, Spain, and Wellington, New Zealand, are near antipodes on the surface of the Earth. Measuring in ${\mathbb{R}}^3$, they are connected by a straight line of roughly 12,740 km in length. To reach Wellington from Madrid, though, will require a much longer distance to be traveled, and the shortest flight path between the cities—a geodesic on the surface of the Earth—has a length of roughly 20,000 km. A metric used for privacy should clearly respect the topology to be of use in practice, and Ref. [8] describes suitable distance metrics and privacy mechanisms for this case. These metrics, however, ignore the second aspect of the topology of SO(3), i.e., the antipodal symmetry. In a simplified picture (ignoring for a moment that Earth is $S\left(2\right)$), Madrid and Wellington would denote the same point. Designing metrics that capture those aspects is not trivial, and several alternative approaches have been described in the literature. In [10], Huynh defines and analyzes a variety of such metrics, each highlighting a different aspect of the topology. Importantly, a subset of the metrics defined there—namely, ${\varphi }_2,{\varphi }_3,{\varphi }_5,$ and ${\varphi }_6$—are shown to be boundedly equivalent and functionally equivalent, where functional equivalence of a metric $\varphi$ and $\psi$ implies that there is a positive continuous strictly increasing function h such that

$$h\circ \varphi =\psi$$

and bounded equivalence implies that there are positive real numbers $a,b\in {\mathbb{R}}^{+}$ such that

$$a\varphi ({\mathbf{R}}_1,{\mathbf{R}}_2)\le \psi ({\mathbf{R}}_1,{\mathbf{R}}_2)\le b\varphi ({\mathbf{R}}_1,{\mathbf{R}}_2)$$

$\forall {\mathbf{R}}_1,{\mathbf{R}}_2\in SO\left(3\right)$. For metric differential privacy, this implies that if a mechanism can be shown to fulfill metric differential privacy on one of these metrics, it is private on all of them. We now briefly define the metrics of interest:

$$\begin{array}{cc}\hfill {\varphi }_2(q_1,q_2)& =min\left\{\left|\right|q_1-q_2\left|\right|,\left|\right|q_1+q_2\left|\right|\right\}\hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill {\varphi }_4(q_1,q_2)& =1-|q_1^T{q}_2|\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill {\varphi }_5({\mathbf{R}}_1,{\mathbf{R}}_2)& =\left|\right|\mathbf{I}-{\mathbf{R}}_1{\mathbf{R}}_2^T{\left|\right|}_F\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill {\varphi }_6({\mathbf{R}}_1,{\mathbf{R}}_2)& =\left|\right|log\left({\mathbf{R}}_1{\mathbf{R}}_2^T\right)\left|\right|\hfill \end{array}$$

(4)

${\varphi }_5$ has an alternative definition in terms of versors:

$${\varphi }_5^{\prime }(q_1,q_2)=2\sqrt{2(1-|q_1^T{q}_2{|}^2)}$$

In the following, we call this metric $\Phi$ and use it in our proofs. In practice, the most natural norm is ${\varphi }_6$, as this corresponds to geodesic distance on SO(3). Since ${\varphi }_6$ is boundedly equivalent to $\Phi$, our proof will also show metric differential privacy on ${\varphi }_6$, and hence, on geodesic distance.

2.3. Preservation of Privacy

In line with current state-of-the-art research, the kind of privacy afforded by our technique is one of plausible deniability. Hence, the goal of the mechanisms described in this work is to allow an individual to deny that a rotation was generated by them, as every ‘similar’ individual (subsequently we precisely define the meaning of similar) could just as plausibly have generated the same.

2.4. Random Mechanisms

The concept of a random mechanism is central to our discussion of privacy-preserving data analysis. Let $\mathcal{X}$ and $\mathcal{Y}$ be two sets, and let $\mathbb{D}\mathcal{Y}$ be the set of probability distributions on $\mathcal{Y}$. A random mechanism   $\mathcal{M}$ from $\mathcal{X}$ to $\mathcal{Y}$ is a probabilistic mapping from $\mathcal{X}$ (the set of inputs) to $\mathcal{Y}$ (the set of outputs), i.e., $\mathcal{M}$ is a function $\mathcal{M}:\mathcal{X}\to \mathbb{D}\mathcal{Y}$. For every $x\in \mathcal{X}$, $\mathcal{M}\left(x\right)$ is a probability distribution and $\mathcal{M}\left(x\right)\left(y\right)$ is the probability that the mechanism assigns output $y\in \mathcal{Y}$ to input $x\in \mathcal{X}$. Random mechanisms are often generated by families of parameterized probability distributions $\mathrm{M}\left(x\right)$, where we call the mechanism that assigns $\mathrm{M}\left(x\right)$ to x the mechanism induced by $\mathrm{M}\left(x\right)$. Applying or running a mechanism on an input x corresponds to sampling a realization z from $\mathrm{M}\left(x\right)$, i.e., $z\sim \mathrm{M}\left(x\right)$.

The idea behind using a random mechanism for privacy purposes is to only release data perturbed by the mechanism to protect the sensitive inputs. In local privacy workflows, each owner of a sensitive data point x (e.g., end users that want to protect the data they share with a cloud service) runs the mechanism on x and only releases the perturbed sample z drawn from $\mathcal{M}\left(x\right)$. In a central privacy workflow, on the other hand, the data is instead collected without perturbation, but the provider of the database or service runs the mechanism on the result $Q\left(x\right)$ of each query Q posed to the data and only releases the perturbed sample $Q_z$ drawn from $\mathcal{M}\left(Q\right(x\left)\right)$. In this model, $\mathcal{M}$ is also called an oblivious mechanism.

2.5. Differential Privacy

Differential privacy is a property of certain random mechanisms that allows the degree by which the mechanism affords plausible deniability to be quantified. Originally, differential privacy was formulated for oblivious mechanisms in a central model. Let $\mathcal{D}$ denote the set of all datasets, and let $\mathcal{Y}$ be the set of possible query results on datasets from $\mathcal{D}$. Two datasets $d,d^{\prime }$ are called adjacent if they differ in at most one record. A mechanism $\mathcal{M}:\mathcal{D}\to \mathbb{D}\mathcal{Y}$ is said to satisfy ϵ-differential privacy (ϵ-DP), if for all adjacent datasets $d,d^{\prime }$, and for all sets of possible outputs $Y\in \mathcal{Y}$,

$$\mathcal{M}\left(d\right)\left(Y\right)\le e^{ϵ}·\mathcal{M}\left(d^{\prime }\right)\left(Y\right)$$

(5)

If the privacy budget $ϵ$ is sufficiently small, this relation implies that the probability of each possible query result is so similar when running the mechanism on d and $d^{\prime }$ that an attacker cannot reasonably deduce whether the input dataset was d or $d^{\prime }$. Since this holds for each pair of adjacent datasets, and all query results, each user can plausibly deny that their data was contained in the dataset (or that the value of their data was x; or a number of similar statements), since the query result could just as likely have been produced from a dataset that differed from d by only removing (or changing) the data of this individual.

2.6. Differential Privacy on Metric Spaces

While differential privacy is a powerful technique for central privacy workflows, it also has a number of drawbacks. Most importantly, it does not easily translate to local privacy workflows, where each user wants to perturb their data before releasing them into the central database. In addition, the interpretation of the privacy budget is rather unintuitive in the sense that it is often hard for the user to relate the value of $ϵ$ to the privacy of their data points. To overcome these challenges, Chatzikokolakis et al. [11] generalized differential privacy to metric spaces $(\mathcal{X},d)$, where d is a metric on the set $\mathcal{X}$. The idea is as follows: given a metric space (note: setting $\mathcal{X}=\mathcal{D}$ and $d=d_H$ to the Hamming distance on $\mathcal{D},$ we recover the classical $ϵ$-DP) $(\mathcal{X},d)$, a set $\mathcal{Y}$, and a privacy budget $ϵ\ge 0$, a random mechanism $\mathcal{M}:\mathcal{X}\to \mathbb{D}Y$ satisfies $ϵd$-differential privacy if and only if for all pairs of inputs $x,x^{\prime }\in \mathcal{X}$, and for all sets of possible outcomes $Y\in \mathcal{Y}$,

$$\mathcal{M}\left(x\right)\left(Y\right)\le e^{ϵ·d(x,x^{\prime })}·\mathcal{M}\left(x^{\prime }\right)\left(Y\right)$$

(6)

Intuitively, if $ϵ$ is sufficiently small, similar inputs—i.e., inputs with sufficiently small distance d—cannot reasonably be distinguished from each other. In a local privacy model, where each user randomly perturbs their data through $\mathcal{M}$ before releasing it into the dataset, the privacy protection afforded by $\mathcal{M}$ can be imagined as a sphere in the metric space $(\mathcal{X},d)$ within which the user can claim plausible deniability: all points inside a sphere with radius r around x, i.e., all points in $x^{\prime }\in \mathcal{X}$ with $d(x,x^{\prime })\le r$, have a level of distinguishability of $ϵd(x,x^{\prime })\le ϵr$. We call $ϵr$ the privacy level ℓ within the protection radius r.

Consider, e.g., that the user wants to protect their location data before releasing them to a cloud service. The degree to which their true location x can then be reasonably distinguished from all other locations $x^{\prime }$ then depends on the privacy parameter $ϵ$ of the protection mechanism, and on the distance $d(x,x^{\prime })$. Keeping a fixed privacy level l, shrinking the value of the privacy parameter $ϵ$ increases the protection radius and hence reduces the spatial resolution at which their location can be reasonably inferred.

2.7. Privacy–Utility Tradeoff

Obviously, perturbing the raw data influences the quality or utility of downstream algorithms and analyses. Balancing the privacy requirements of the data owners with the utility demands of the application is difficult in practice. It can be shown (c.f. [2]) that, in general, both properties cannot be simultaneously optimized, leading to a difficult privacy–utility tradeoff. Here, one advantage of metric DP compared to classic DP is the simplified interpretability of privacy budgets in terms of spheres of a certain radius in $\mathcal{M}$.

2.8. Metric Differential Privacy of Directional Data

In this work, we consider datasets sampled from SO(3), i.e., measurements of three-dimensional rotations. This kind of data falls into the realm of directional statistics, where only the orientation of data points, but not their magnitude, is of interest. Recently, Weggenmann and Kerschbaum discussed several metric differential privacy mechanisms for directional datasets in the context of measurements on the $n-1$-dimensional unit sphere $S^{n-1}$ [8]. As discussed there, commonly used approaches are based on extending the classical real-line Laplace or the planar Laplace mechanism to directional data by performing a post-processing to ensure the correct periodicity, but they can perform even worse than simple uniform noise generation. These results, which are demonstrated by simulations in [8], show that while the general Laplace mechanisms as defined in [11] can be used for directional statistics, they often lead to sub-optimal results in terms of the privacy–utility tradeoff. Instead, they propose two privacy mechanisms that are directly defined on the unit $n-1$-sphere: the VMF mechanism and the Purkayastha mechanism.

2.9. The VMF Mechanism

The VMF mechanism, introduced in [8], samples from the well-known von Mises–Fisher distribution on $S^{n-1}$, which is defined as follows:

$$VMF(\mu ,\kappa )\left[x\right]=C_{VMF}(n,\kappa )·e^{\kappa ·{\mu }^{T}x}$$

(7)

where, with $\nu \left(n\right):={\displaystyle \frac{n}{2}}-1$, and with the modified Bessel function of the first kind $I_{\alpha }$,

$$C_{VMF}(n,\kappa )={\displaystyle \frac{{\kappa }^{\nu \left(n\right)}}{{\left(2\pi \right)}^{\nu \left(n\right)+1}{I}_{\nu \left(n\right)}\left(\kappa \right)}}$$

(8)

Weggemann and Kerschbaum show that the VMF mechanism on $S^{n-1}$, i.e., the mechanism induced by the $VMF$ distribution, fulfills $ϵd_2$-privacy, where $d_2$ is the Euclidean 2-norm. This norm, however, ‘uses’ the shortest distance in the n-dimensional Euclidean space, in the sense that the privacy guarantee is exponential in this metric. In this norm, the distance of two points $x,y\in S^{n-1},x\ne y$, is measured from the straight line between x and y, not from the geodesic on $S^{n-1}$. The geodesic distance between two points on any $n-1$-sphere with radius r can be computed from

$$d_{\angle }(x,y)=rarccos\left({\displaystyle \frac{x^{T}y}{r^2}}\right)$$

(9)

Obviously, the Euclidean distance cannot exceed the geodesic distance, i.e., $d_2(x,y)\le d_{\angle }(x,y)$, and hence, the VMF mechanism also fulfills $ϵd_{\angle }$-privacy, where the privacy parameter $ϵ$ equals the concentration parameter $\kappa$.

2.10. The Purkayastha Mechanism

An alternative mechanism, also proposed in [8], is based on the Purkayastha distribution on $S^{n-1}$, defined as

$$Pur(\mu ,\kappa )\left[x\right]=C_{\mathrm{Pur}}(n,\kappa )·e^{-\kappa ·arccos\left({\mu }^{T}x\right)}$$

(10)

where $C_{\mathrm{Pur}}(n,\kappa )=S_{n-2}^{-1}{F}_{n-1,-\kappa }^{-1}\left(\pi \right)$ with the Riccati–Bessel function of the first kind $S_n$, and with

$$F_{n-2,-\kappa }^{-1}\left(\pi \right)=\left\{\begin{array}{cc}{\displaystyle \frac{\kappa ({\kappa }^2+2^2)({\kappa }^2+4^2)\cdots ({\kappa }^2+{(n-2)}^2)}{(n-2)!(1-e^{-\kappa \pi })}}\hfill & n\mathrm{even}\hfill \\ {\displaystyle \frac{({\kappa }^2+1^2)({\kappa }^2+3^2)\cdots ({\kappa }^2+{(n-2)}^2)}{(n-2)!(1+e^{-\kappa \pi })}}\hfill & n\mathrm{odd}\hfill \end{array}\right.$$

(11)

The Purkayastha mechanism on $S^{n-1}$ is then defined as the mechanism induced by the Purkayastha distribution.

Weggemann and Kerschbaum also show that the Purkayastha mechanism fulfills $ϵd_{\angle }$-privacy, where again the privacy parameter $ϵ$ equals the concentration parameter $\kappa$.

The discussion in [8] does not seem to show a clear advantage for either the VMF or Purkayastha mechanisms. However, for equal privacy parameters, the Purkayastha samples seem to be concentrated closer to the mean, at least for larger $\kappa$-values, which would indicate a better privacy–utility tradeoff.

3. Results

3.1. Privacy Mechanisms on SO(3)

As the SO(3) is locally isomorphic to SU(2), it might be tempting to use the privacy mechanisms defined in [8] on $S^3$, which is diffeomorphic to SU(2) and hence locally isomorphic to SO(3) [12]. It thus seems reasonable that, for sufficiently small concentration parameters or, equivalently, privacy parameters, the differential privacy guarantees of the mechanisms on $S^3$ should carry over to SO(3). But globally, the morphism from $S^3$ to SO(3) yields a double cover, where each rotation in SO(3) is generated from exactly two points on $S^3$. The main challenge in transferring the differential privacy guarantee from $S^3$ to SO(3) thus lies in the different metrics. While for directional data on $S^n$ we are mostly interested in the geodesic distance $d_{\angle }$, the double covering of SO(3) by $S^3$ would make a direct application of $d_{\angle }$ misleading when representing rotations. Let $q_1,q_2\in \mathbb{H},\left|\right|q_1\left|\right|=\left|\right|q_2\left|\right|=1$ be two unit quaternions representing rotations $\in SO\left(3\right)$. Taking antipodal symmetry into account leads to the definition of a typical metric on SO(3):

$$d_{\angle }^{SO\left(3\right)}(q_1,q_2)=min\left\{arccos(q_1·q_2),\pi -arccos(q_1·q_2)\right\}=arccos\left(\right|q_1·q_2\left|\right)$$

(12)

which corresponds to the metrics ${\varphi }_3(q_1,q_2)$ and ${\varphi }_3^{\prime }(q_1,q_2)$ in [10]. The flipping of the sign when sampling quaternions from different hemispheres is difficult to incorporate into the VMF or Purkayastha mechanisms.

3.2. The Bingham Mechanism

Instead of pulling mechanisms from $S^3$ to SO(3), we thus focus on the design of a mechanism specifically adapted to the metric structure of SO(3). The simplest way of constructing such a mechanism is to identify suitable probability distributions on SO(3) that intrinsically respect antipodal symmetry. The obvious candidate for such a distribution is the Bingham distribution, which arises when an n-dimensional Gaussian distribution is conditioned to lie on $S^{n-1}$. It is defined as

$$\mathrm{BD}(\mathbf{M},\mathbf{Z})\left[x\right]=C_{\mathrm{BD}}{e}^{x^T\mathbf{M}\mathbf{Z}{\mathbf{M}}^{T}x}$$

(13)

where $\mathbf{M}$ is an orthogonal $n\times n$ matrix, $\mathbf{Z}$ a diagonal matrix with increasing entries ($\mathbf{M}$ and $\mathbf{Z}$ arise from diagonalizing the Gaussian distribution that underlies BD) $z_1\le z_2\le \dots \le z_n$, and the normalization factor $C_{\mathrm{BD}}$ can be computed from

$$C_{\mathrm{BD}}={\int }_{S^{n-1}}{e}^{x^T\mathbf{Z}x}dx$$

(14)

which can be evaluated to

$$C_{\mathrm{BD}}=\left|S^{n-1}\right|{}_1\mathbf{F}_1\left({\displaystyle \frac{1}{2}},{\displaystyle \frac{n}{2}},\mathbf{Z}\right)$$

(15)

where ${}_1\mathbf{F}_1$ is a hypergeometric function of a matrix argument (c.f. [13]). It is straightforward to see that the Bingham distribution on SO(3) has built-in antipodal symmetry, as, obviously, $\mathrm{BD}(\mathbf{M},\mathbf{Z})\left[x\right]=\mathrm{BD}(\mathbf{M},\mathbf{Z})[-x]$. Representing quaternions as 4-vectors, we can thus draw versors from a Bingham distribution: the results are constrained to live on $S^3$ (like versors) and have antipodal symmetry (so we can use them to represent rotations $\in SO\left(3\right)$). To see why this latter part is important, imagine drawing versors from a probability distribution that does not account for antipodal symmetry. If these samples were used to ensure privacy through adding noise, the mechanism would consider a quaternion from the other hemisphere to be very different and hence assume a high level of privacy, while the rotation represented by the quaternion might actually be arbitrarily close or even identical to the original rotation due to symmetry.

The orthonormal matrix $\mathbf{M}$ can be used to set the mean of the distribution. This can be seen from the fact that BD has its maxima at the points $\pm \mathbf{M}{(0,0,0,1)}^T$ [13]. Setting the last column of $\mathbf{M}$ to a versor $\widehat{q}$, we can fill the first $n-1$ columns by orthonormalization, e.g., by computing the null space of the matrix $\widehat{q}{\widehat{q}}^T$, and find that

$$\arg \max \left[\mathrm{BD}(\mathbf{M},\mathbf{Z})\right]=\pm \widehat{q}$$

This setting of the mean is important for our application in a differential privacy mechanism: if we want to add noise to a given rotation represented by the versor $\widehat{q}$, we only need to sample from the Bingham distribution centered around this rotation.

As also noted in [13], working with such Bingham distributions to sample rotations can be further simplified by a change in convention: permuting the order of the vector representing the quaternion such that the real part is stored in the last instead of the first position. I.e., by storing the quaternion in the order $(q_2,q_3,q_4,q_1)$, we find that setting $\mathbf{M}$ to the identity $\mathbf{M}=\mathbf{I}$ leads to a Bingham distribution with mean zero: $(0,0,0,1)$. For the rest of this section, we follow this convention.

While the matrix $\mathbf{M}$ defines the mean of the Bingham distribution, the diagonal matrix $\mathbf{Z}$ captures its spread. The entries $z_1,\dots ,z_n$ are consequently known as the concentration parameters of the Bingham distribution. It can be shown [13] that for all $c\in \mathbb{R}$,

$$\mathrm{BD}(\mathbf{M},\mathbf{Z})=\mathrm{BD}(\mathbf{M},\mathbf{Z}+c\mathbf{I})$$

(16)

This fact is usually used to fix the value of $z_n$ to zero, and hence constrain all concentration parameters to be negative ($z_1\le z_2\le \dots \le z_n=0$). We also follow this convention.

Definition 1. 

Let q be a versor, represented as a 4-dimensional vector in the order $(q_2,q_3,q_4,q_1)$. Compute the null space K of the matrix $q{q}^T$ and define the orthogonal matrix $\mathbf{M}\left(q\right)$ as the column-wise concatenation of the three vectors in K and q. For $ϵ>0$, let $\mathbf{Z}\left(ϵ\right)=-\mathrm{Diag}\left(\right[ϵ,\dots ,ϵ,0\left]\right)=:-\mathbf{D}\left(ϵ\right)$. Then, the Bingham mechanism on SO(3) is the induced mechanism of $\mathrm{BD}\left(\mathbf{M}\right(q),\mathbf{Z}(ϵ\left)\right)$.

As a metric on SO(3), we choose (with $q^T·p$ representing the dot-product of the quaternions q and p, taken as regular 4-vectors)

$$\Phi (q,p):=\sqrt{2\left(1-|q^T·p|\right)}$$

which corresponds to the metric ${\varphi }_5^{\prime }$ in [10].

Theorem 1. 

The Bingham mechanism on SO(3) fulfills $\sqrt{2}ϵ\Phi$-privacy.

Proof of Theorem. 

To simplify the proof, we fix $\mathbf{M}=\mathbf{I}$ by first sampling $p\sim \mathrm{BD}(\mathbf{I},\mathbf{Z}(ϵ\left)\right)$ and then rotating p by q to yield $r:=q\odot p$. Then, $p=\tilde{q}\odot r$. We thus find

$$\mathcal{M}(q,ϵ)\left[r\right]={\displaystyle \frac{1}{N\left(\mathbf{Z}\right(ϵ\left)\right)}}{e}^{{(\tilde{q}\odot r)}^T\mathbf{Z}\left(ϵ\right)(\tilde{q}\odot r)}$$

and thus, for two versors, $q_1,q_2\in \mathbb{H},\left|\right|q_1\left|\right|=\left|\right|q_2\left|\right|=1$,

$$\begin{array}{cc}\hfill ln\left[{\displaystyle \frac{\mathcal{M}(q_1,ϵ)\left[r\right]}{\mathcal{M}(q_2,ϵ)\left[r\right]}}\right]& ={({\tilde{q}}_1\odot r)}^T\mathbf{Z}\left(ϵ\right)({\tilde{q}}_1\odot r)-{({\tilde{q}}_2\odot r)}^T\mathbf{Z}\left(ϵ\right)({\tilde{q}}_2\odot r)\hfill \\ & ={({\tilde{q}}_1\odot r-{\tilde{q}}_2\odot r)}^T\mathbf{Z}\left(ϵ\right)({\tilde{q}}_1\odot r+{\tilde{q}}_2\odot r)\hfill & \hfill \left[\mathrm{P}1\right]\\ & ={\left\{({\tilde{q}}_1-{\tilde{q}}_2)\odot r\right\}}^T\mathbf{Z}\left(ϵ\right)\left\{({\tilde{q}}_1+{\tilde{q}}_2)\odot r\right\}\hfill & \hfill [\odot \mathrm{distributive}\mathrm{over}+,-]\\ & =-{\left\{({\tilde{q}}_1-{\tilde{q}}_2)\odot r\right\}}^T\mathbf{D}\left(ϵ\right)\left\{({\tilde{q}}_1+{\tilde{q}}_2)\odot r\right\}\hfill & \hfill \left[\mathrm{Definition}\mathrm{of}\mathbf{D}\right]\\ & \le \left|{\left\{({\tilde{q}}_1-{\tilde{q}}_2)\odot r\right\}}^T\mathbf{D}\left(ϵ\right)\left\{({\tilde{q}}_1+{\tilde{q}}_2)\odot r\right\}\right|\hfill & \\ & \le \left|\right|({\tilde{q}}_1-{\tilde{q}}_2)\odot r\left|\right|·\left|\right|\mathbf{D}\left(ϵ\right)({\tilde{q}}_1+{\tilde{q}}_2)\odot r\left|\right|\hfill & \hfill \left[\mathrm{Cauchy-Schwarz}\right]\\ & \le \left|\right|({\tilde{q}}_1-{\tilde{q}}_2)\odot r\left|\right|·\left|\right|({\tilde{q}}_1+{\tilde{q}}_2)\odot r\left|\right|·\left|\right|\mathbf{D}\left(ϵ\right){\left|\right|}_2\hfill & \hfill \left[\mathrm{Cauchy-Schwarz}\right]\\ & =\left|\right|{\tilde{q}}_1-{\tilde{q}}_2\left|\right|·\left|\right|{\tilde{q}}_1+{\tilde{q}}_2\left|\right|·{\left|\right|\mathbf{D}\left(ϵ\right)\left|\right|}_2\hfill & \hfill \left[\mathrm{P}2\right]\\ & =2\sqrt{\left(1-|{\tilde{q}}_1^T{\tilde{q}}_2{|}^2\right)}·{\left|\right|\mathbf{D}\left(ϵ\right)\left|\right|}_2\hfill & \hfill \left[\mathrm{P}3\right]\\ & =2\sqrt{\left(1-|{\tilde{q}}_1^T{\tilde{q}}_2{|}^2\right)}·\sqrt{{ϵ}^2}\hfill & \hfill \left[\mathrm{Definition}\mathrm{of}\mathbf{D}\right]\\ & ={\displaystyle \frac{2ϵ}{\sqrt{2}}}\sqrt{2\left(1-|{\tilde{q}}_1^T{\tilde{q}}_2{|}^2\right)}\hfill \\ \hfill \Rightarrow {\displaystyle \frac{\mathcal{M}(q_1,ϵ)\left[r\right]}{\mathcal{M}(q_2,ϵ)\left[r\right]}}& \le exp{\left[\sqrt{2}ϵ\Phi (q_1,q_2)\right]}_{\square }\hfill & \hfill [\mathrm{Definition}\mathrm{of}\Phi ,\mathrm{P}2]\end{array}$$

where ${\left|\right|\mathbf{A}\left|\right|}_2$ is the spectral norm of the matrix $\mathbf{A}$, i.e., ${\left|\right|\mathbf{A}\left|\right|}_2:=\sqrt{{\mu }_{\max }}$, where ${\mu }_{\max }$ is the largest eigenvalue of ${\mathbf{A}}^t\mathbf{A}$.    □

Corollary 1. 

The Bingham mechanism fulfills $ϵd$-privacy for $d\in \left\{{\varphi }_2,{\varphi }_3,{\varphi }_5,{\varphi }_6\right\}$ as defined in [10].

Proof of Corollary. 

As shown in [10], the norms ${\varphi }_2,{\varphi }_3,{\varphi }_5,$ and ${\varphi }_6$ defined there are boundedly equivalent. The norm $\Phi$ used in this manuscript corresponds to the norm ${\varphi }_5^{\prime }$ defined in [10], which is merely a reformulation of ${\varphi }_5$ in terms of versors.    □

To sample from the Bingham distribution, we follow the rejection scheme described in [14], which we reproduce in Appendix D. Figure 1 demonstrates the effect of the privacy parameter $ϵ$. In each subfigure, the action of the unmodified quaternion on the standard coordinate system is depicted in bold, while the actions of the samples from the corresponding Bingham distribution are shown as thinner arrows. Colors label corresponding axes. As expected, smaller values of the privacy parameter correspond to higher levels of noise, and hence to increased privacy.

3.3. A Laplace Mechanism on SO(3)

Instead of designing a mechanism specifically adapted to the intricacies of the special orthogonal group SO(3), we can also attempt to design a Laplace mechanism for our purposes. In classic differential privacy, one of the most popular mechanisms to ensure a privacy budget of $ϵ$ works by adding noise drawn from a suitable Laplace distribution with zero mean and scale parameter b: $Lap\left(x\right|b)={\displaystyle \frac{1}{2b}}exp\left({\displaystyle \frac{-\left|x\right|}{b}}\right)$. If we denote the query as f, setting $b={\displaystyle \frac{\Delta f}{ϵ}}$, where $\Delta f$ is the $L_1$-sensitivity of f, achieves the desired $ϵ$-privacy. In the case of metric differential privacy, we typically want to argue about the intrinsic properties of the mechanism, not about properties of the query or of any associated sensitivities. In [11], Chatzikolakis et al. generalize the Laplace mechanism to arbitrary metric spaces. Here, the key construction is a metric-dependent scaling function λ. The idea given in [11] is as follows:

Definition 2. 

Let $\mathcal{Y},\mathcal{Z}$ be two sets and $d_{\mathcal{Y}}$ be a metric on $\mathcal{Y}\times \mathcal{Z}$. Let $\lambda :\mathcal{Z}\to [0,\infty )$ be a scaling function that normalizes the exponential distribution with respect to $d_{\mathcal{Y}}$, i.e., ${\int }_{\mathcal{Z}}\lambda \left(z\right)exp\left[-d_{\mathcal{Y}}(y,z)\right]\nu \left(dz\right)=1\forall y\in \mathcal{Y}$, where $\nu \left(z\right)$ is a suitable base measure for integration on $\mathcal{Z}$. Obviously, $D\left(y\right)\left(z\right):=\lambda \left(z\right)exp\left[-d_{\mathcal{Y}}(y,z)\right]\nu \left(z\right)$ is a probability density function, and the mechanism $\mathcal{L}:\mathcal{Y}\to \mathcal{P}\left(\mathcal{Z}\right)$ induced by D is called a Laplace mechanism from $(\mathcal{Y},d_{\mathcal{Y}})$ to $\mathcal{Z}$.

Crucially, Ref. [11] shows that all such mechanisms $\mathcal{L}$ fulfill $d_{\mathcal{Y}}$-differential privacy. Accordingly, designing a differentially private mechanism for an arbitrary metric might seem a simple task—we merely need to determine the scaling and the normalization, and directly obtain the corresponding Laplace mechanism. In the Euclidean case, this simplicity arguably holds. In our case, though, we have $\mathcal{Y}=\mathcal{Z}=SO\left(3\right)$, which is a non-Euclidean manifold with non-trivial topology, and we need to carefully consider how to choose the base measure $\nu$, how to sample from D, and which metric $d_{\mathcal{Y}}$ to choose. If we pick an unsuitable metric, the privacy guarantee has no immediate meaning in terms of the data. Choosing the wrong base measure will locally undercount or overcount the amount of rotations per volume element and—just like an unsuitable sampling mechanism—lead to noisy samples that cannot guarantee the claimed privacy protection.

Trivially, one can attempt to embed the data in a fitting Euclidean space and use some kind of post-processing to ensure that the resulting noisy samples lie on the manifold of interest. In that case, Euclidean distance between the vectors representing the parameters of the rotation—say, Euler angles—could be used as a metric. This would lead to a trivial Laplace mechanism, but as described above and demonstrated in [8], the resulting mechanisms would be unsuitable, as they measure distance “through” the manifold, not “on” the manifold. The obvious choice is thus to use the geodesic distance on the manifold—the length of the shortest path on the manifold connecting the two rotations. The geodesic can be derived from the natural Riemannian metric of SO(3), i.e., from an inner product on the tangent bundle. It is straightforward to show [10] that for SO(3), the resulting geodesic distance of two rotations ${\mathbf{R}}_1$ and ${\mathbf{R}}_2$ is the magnitude of the angle of the rotation turning ${\mathbf{R}}_1$ onto ${\mathbf{R}}_2$, and that this magnitude is given by

$${\varphi }_6({\mathbf{R}}_1,{\mathbf{R}}_2)=\left|\right|log\left({\mathbf{R}}_1{\mathbf{R}}_2^T\right)\left|\right|$$

as used in our previous derivations. This motivates the representation of the rotations in SO(3) in axis–angle form.

A suitable base measure should allow us to sample uniformly from SO(3). In the Euclidean case, the concept of uniformity is immediately apparent. Even in the case of 2D rotations, it seems logical that a uniform rotation can be found by sampling the rotation angle uniformly from $[0,2\pi )$. For higher-dimensional rotations, however, this intuition breaks down. On the SO(3), in particular, if we write the rotation in axis–angle form, choosing the angle uniformly from $[0,2\pi )$ does not lead to uniformly distributed rotations. As SO(3) forms a connected and locally compact Lie group, the usual way to generalize uniformity is to demand that the volume element defined by the measure is invariant with respect to actions of members of the group, i.e., the distribution should not change after performing an arbitrary rotation. The corresponding measure is called the Haar measure of the Lie group [15].

As derived in [16], the Haar measure on SO(3) in axis–angle form with axis $\mathbf{n}$ and angle $\theta$ is given by

$$d{\mu }_{\mathrm{Haar}}:=4{sin}^2\left({\displaystyle \frac{\theta }{2}}\right)d\theta d\Omega \left(\mathbf{n}\right)$$

which yields a total volume of SO(3) of $8{\pi }^2$. For our probability density function, we need to normalize this to 1 and thus arrive at the normalized Haar measure:

$$d\mu :={\displaystyle \frac{1}{2{\pi }^2}}{sin}^2\left({\displaystyle \frac{\theta }{2}}\right)d\theta d\Omega \left(\mathbf{n}\right)$$

To sample uniformly on SO(3) using the Haar measure in axis–angle form, we can consider the axis and angle separately. Obviously, we need to generate the axis of the noise rotation uniformly to ensure isotropy of our sampling [16]—otherwise, we would prefer certain directions over others. This corresponds to drawing a random unit vector uniformly on $S^2$ and can be achieved in several different ways, e.g., by using spherical coordinates with $r=1$ and $z\sim \mathcal{U}[-1,1]$ and $\psi \sim \mathcal{U}[0,2\pi )$, or by drawing three independent normal random variables and normalizing the resulting vector.

To sample a random rotation angle $\theta$ uniformly using the Haar measure, we would then have to draw

$$\theta \sim {\mathcal{P}}_{\mu }\left(\theta \right)\propto sin{\displaystyle \frac{\theta }{2}}$$

Finally, to produce a Laplace mechanism, we need to change the uniform distribution to include a factor that decays exponentially with the distance. Since we use an axis–angle parametrization, and since the geodesic distance reduces to the angle $\theta \in [0,\pi ]$ between the rotations, we can still draw the axis uniformly and need to add the exponential decay to the sampling of noise angles. To include the privacy parameter $ϵ$, we additionally change the metric from the geodesic distance $d_{\mathcal{Y}}({\mathbf{R}}_1,{\mathbf{R}}_2)=\theta$ to the scaled geodesic distance ${\widehat{d}}_{\mathcal{Y}}({\mathbf{R}}_1,{\mathbf{R}}_2):=ϵ\theta$. This finally yields the following form for the Laplace mechanism on SO(3):

$$\mathcal{L}\left(y\right)\left(dz\right)=\lambda \left(z\right)exp\left[-ϵ\theta \right]\mu \left(dz\right)={\displaystyle \frac{\lambda \left(z\right)}{2{\pi }^2}}exp\left[-ϵ\theta \right]{sin}^2\left({\displaystyle \frac{\theta }{2}}\right)d\theta d\Omega \left(\mathbf{n}\right)$$

where $\lambda \left(z\right)$ normalizes the distribution. Note that in full generality, the normalization $\lambda$ could also depend on the input rotation y, which would not fit the definition of Chatzikolakis et al. However, for compact groups with bi-invariant distances—such as SO(3)—one can show that the normalization does not depend on y. In fact, it is straightforward to see that the normalization is also independent of z and resolves to a constant that only depends on $ϵ$, i.e., $\lambda \left(z\right)={\displaystyle \frac{1}{\Gamma \left(ϵ\right)}}$ for some $\Gamma \left(ϵ\right)\in \mathbb{R}$. Thus, choosing the base measure $\mu$ to be the Haar measure $\mu$, we finally arrive at the following sampling procedure for our Laplace mechanism on SO(3): first, we draw a random axis according to

$$\begin{array}{cc}\hfill z& \sim \mathcal{U}[-1,1]\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill \psi & \sim \mathcal{U}[0,2\pi )\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill n& :=\left(\sqrt{1-z^2}cos\psi ,\sqrt{1-z^2}sin\psi ,z\right).\hfill \end{array}$$

(19)

In principle, $\theta |y$ can again be drawn using a simple rejection scheme: we draw a candidate $\theta \sim \mu$ from the Haar measure by sampling $u\sim \mathcal{U}(0,1)$ and setting $\theta :=2\left(\sqrt{1-u}\right)$ (yielding a $\theta$ distributed $\propto {sin}^2\left({\displaystyle \frac{\theta }{2}}\right)$) and accept the proposal with probability $exp\left[-ϵ\theta \right]$. In practice, this simple scheme only works for small values of $ϵ$; with increasing $ϵ$, samples have to be concentrated more tightly around the original rotation. As the acceptance probability decays exponentially in $ϵ$, the sampler will reject almost all proposals and become pathologically inefficient, leading either to extreme computational cost until convergence or highly skewed sampling results. We have thus developed a stabilized and much more efficient sampling procedure, which works as follows.

For values of $ϵ$ smaller than a threshold $t_{ϵ}$ (in our implementation, we use $t_{ϵ}=3.5$), we continue to use the simple rejection scheme described above. For larger values of $ϵ$, we approximate the target distribution ${sin}^2\left({\displaystyle \frac{x}{2}}\right)exp\left[-ϵ\theta \right]$. Since in this region $\theta$ will be small, we expand the target into a Taylor series, where we use the identity ${sin}^2\left({\displaystyle \frac{\theta }{2}}\right)={\displaystyle \frac{1}{2}}\left(1-cos\left(\theta \right)\right)$ to find

$${sin}^2\left({\displaystyle \frac{\theta }{2}}\right)={\displaystyle \frac{1}{2}}\left(1-cos\left(\theta \right)\right)={\displaystyle \frac{1}{2}}\left(1-\left(1-{\displaystyle \frac{{\theta }^2}{2!}}+\mathcal{O}\left({\theta }^4\right)\right)\right)$$

and thus

$$p\left(\theta \right)\propto {\theta }^{2}exp\left[-ϵ\theta \right]$$

Remembering the definition of the Gamma distribution with shape parameter $\alpha$ and rate parameter $\lambda$,

$$Gamma(x;\alpha ,\lambda )={\displaystyle \frac{{\lambda }^{\alpha }}{\Gamma \left(\alpha \right)}}{x}^{\alpha -1}exp\left[-\lambda x\right]$$

we see that for a large $ϵ$, this converges to $Gamma(\theta ;\alpha =3,\lambda =ϵ)$, which we use to approximate the Laplace distribution on SO(3) for $ϵ>t_{ϵ}$. The importance of choosing an efficient sampling scheme is demonstrated in Figure 2, which shows distance histograms for 50,000 noise rotations sampled from the efficient and inefficient sampler implementations for $ϵ=8$. Clearly, the inefficient sampler fails to converge, leading to a drastic over-representation of larger distances.

3.4. Comparing the Mechanisms

Despite the popularity of the Laplace mechanism, it is not a priori clear which of the two mechanisms proposed in this work is better for any given task. Even the question of what constitutes “better” can be challenging, as discussed in detail in [2]. As the data we want to protect is supposedly used for some downstream analysis, it is natural to think about the utility of the released (i.e., noisy) data and to prefer mechanisms that achieve better utility for the same privacy budget. Following [11], we take a utility-focused Bayesian perspective and model the consumer of the data by a prior $\pi$ on the set of secrets, and a loss function ℓ, which is monotone with respect to $d_{\mathbb{R}}$. The utility $\mathcal{U}(\mathcal{M},\pi ,\ell )$ of mechanism $\mathcal{M}$ is then given by the expected loss. We denote the metric under consideration by $d_{\mathcal{X}}$. Let f be an arbitrary query on the released data, and let ${\mathcal{H}}_f\left(d_{\mathcal{X}}\right)$ denote the set of all mechanisms $\mathcal{M}$ such that $\mathcal{M}\circ f$ fulfills $d_{\mathcal{X}}$-privacy.

Definition 3. 

A mechanism $\mathcal{M}\in {\mathcal{H}}_f\left(d_{\mathcal{X}}\right)$ is called $f-d_{\mathcal{X}}$-optimal, if and only if $\mathcal{U}(\mathcal{M},\pi ,\ell )\ge \mathcal{U}({\mathcal{M}}^{\prime },\pi ,\ell )\forall {\mathcal{M}}^{\prime }\in {\mathcal{H}}_f\left(d_{\mathcal{X}}\right)$ for all priors π and all loss functions ℓ.

While there are some theoretical results on the optimality of the Laplace mechanism for selected queries [11] and metrics [2], there is—to the best of our knowledge—no optimality result that covers our use case. In addition, other optimality definitions exist (e.g., risk-averse instead of Bayesian consumers). We thus turn to a simulation-based comparison of both approaches. In order to compare the Bingham and Laplace mechanisms on SO(3), we must first ensure that we evaluate them for an equivalent privacy budget, since both have been defined with respect to different metrics. Let $ϵ$ be the privacy budget of the Laplace mechanism and $\widetilde{ϵ}$ the budget of the Bingham mechanism. In Appendix F, we show that

$$\widetilde{ϵ}={\displaystyle \frac{\pi }{4}}ϵ$$

To compare the suitability of the mechanisms, we set up a simulation study. We draw a random rotation on SO(3) to represent the data (say, the measurement of a sensor registering the orientation of a joint in an ergonomic study). Using both mechanisms, we draw a large number of samples for different privacy budgets and compute histograms for the geodesic distance of each sample to the original rotation. The farther the sampled points are from the original data, the better the privacy, but at the cost of lower utility. For a utility-focused mechanism in a Bayesian perspective, if the samples provided by a mechanism are closer, on average, to the original data point for the same privacy budget, we should prefer this mechanism. To pick a set of suitable privacy budgets for this simulation, we define a radius of indistinguishability for the Laplacian mechanism as follows.

Definition 4. 

Let$p\in [0,1]$. We call ρ the radius of indistinguishability at level p , if and only if for any rotation q and for any noise sample s we have

$$P({\varphi }_6(q,s)\le \rho )=p$$

where again${\varphi }_6$denotes the geodesic distance on SO(3).

In other words, p percent of the noise samples will be contained within a radius of $\rho$ (have an angular displacement less than $\rho$) from q. Remembering that for the Laplace mechanism on SO(3), $p\left(\theta \right)\propto {sin}^2\left(\theta /2\right)exp\left[-ϵ\theta \right]$, we define the cumulative distribution function

$$F\left(\rho \right):=\alpha \underset{0}{\overset{\rho }{\int }}{sin}^2\left(\theta /2\right)exp\left[-ϵ\theta \right]d\theta$$

with normalization

$$\alpha :=\underset{0}{\overset{\pi }{\int }}{sin}^2\left(\theta /2\right)exp\left[-ϵ\theta \right]d\theta$$

Finding $\rho$ for a given p then amounts to solving $F\left(\rho \right)=p$. While the CDF has no elementary closed form, finding $\rho$ is straightforward using numerical integration and a root-finding method.

Since we convert the privacy budget of the Bingham mechanism to the same scale, we can use the same privacy budget for both mechanisms. Figure 3 shows the results, where the values of the indistinguishability radii $\rho$ were computed with respect to the Laplace mechanism at a level of $p=0.683$ (chosen to correspond to one standard deviation of a normal distribution). Both mechanisms were implemented in Julia. In our experiments, the Laplace mechanism was about a factor of 2–3 faster to evaluate than the Bingham mechanism for $ϵ<t_{ϵ}$, and up to two orders of magnitude faster for $ϵ>t_{ϵ}$, owing to the simpler sampling procedure and higher acceptance rates.

The simulation study demonstrates that, for equivalent privacy budgets (after accounting for the difference in metrics), the Laplace mechanism tends to produce noise samples that are more tightly concentrated around the original rotation than those generated by the Bingham mechanism. This greater concentration translates into improved utility in the average case, making the Laplace mechanism an attractive choice for scenarios where downstream tasks benefit from low-distortion data. In particular, the sharper peak of the Laplace distribution around the mean ensures that most samples lie closer to the original rotation, leading to lower expected loss under standard Bayesian utility models with typical monotonic loss functions.

However, the Bingham mechanism, while exhibiting a broader spread in the simulations, has a fundamentally different distributional profile and thus might be advantageous under different utility models or for different types of consumers.

4. Discussion

The privacy of datasets containing three-dimensional rotations, i.e., data sampled from SO(3), has to our knowledge not been previously addressed. In this work, we have derived two privacy mechanisms specifically tailored for this task: a mechanism induced by the Bingham distribution, and a Laplace mechanism adapted to the geodesic metric on SO(3). We have shown that the Laplace mechanism fulfills $ϵ{\varphi }_6$-privacy, where, using the notation from [10], ${\varphi }_6$ corresponds to the geodesic (intrinsic) metric on SO(3), and that the Bingham mechanism fulfills $\sqrt{2}ϵ{\varphi }_5^{\prime }$-privacy. We have further shown that this privacy guarantee corresponds to a ${\displaystyle \frac{\pi }{4}}ϵ{\varphi }_6$-privacy guarantee of the Bingham mechanism with respect to the geodesic metric on SO(3), i.e., it fulfills $\widetilde{ϵ}{\varphi }_6$-privacy where $\widetilde{ϵ}={\displaystyle \frac{\pi }{4}}ϵ$, and $ϵ$ is the privacy guarantee for the Laplace mechanism on SO(3).

Both mechanisms have their own rationale: the Bingham mechanism is particularly appealing, as it inherently incorporates the antipodal symmetry on SO(3) and is by design compatible with the space of interest. The Laplace mechanism is a very generally applicable concept that has been used successfully in many other application scenarios, i.e., on other metric spaces. As demonstrated by our numerical experiments (c. f. Figure 3), both mechanisms behave very similarly in a high privacy setting, i.e., for small values of $ϵ$ and large values of $\rho$. With relaxed privacy, we find that the samples generated by the Laplace mechanism are more concentrated around the original sample—corresponding to the sharper peak of the Laplacian distribution—and hence, should lead to increased utility, albeit at the cost of smaller privacy, but still within the guarantee of the privacy budget.

But both mechanisms are based on different base distributions—the Bingham mechanism arises from a $4D$-Gaussian distribution constrained to reside on $S^3$, while the Laplace mechanism is based on an exponential distribution. These distributions have decidedly different characteristics—the Gaussian features narrow tails and a smooth, broader peak around the mean, while the Laplace decays significantly more slowly, but has a sharp peak at the mean. These different shapes should in turn lead to differently concentrated noise samples at the same privacy level. Thus, both mechanisms have different privacy–utility tradeoffs. In particular, it might be tempting to assume that the Bingham mechanism could be more appealing in settings where large deviations from the original data are particularly undesirable—for instance, in risk-averse applications or under loss functions that heavily penalize outliers. Our experiments, however, show a different picture. In the low-to-medium-privacy regime, the tails of the Bingham distribution are always heavier than those of the corresponding Laplace mechanism. This surprising fact is explained by the fact that the geometry and topology of SO(3) change the behavior of the distributions in unexpected ways: the tails of the Gaussian become thicker, while the tails of the exponential distribution become slimmer when mapping the distributions to SO(3). Furthermore, the proof for the privacy of the Bingham mechanism was tailored to a different metric and then converted to the geodesic distance. The proof itself also uses a number of inequality constraints that might not be tight. It is likely that the Bingham mechanism actually fulfills even higher privacy guarantees than the ones proved in our manuscript. We thus cannot yet prove a general superiority of the Laplace mechanism over the Bingham one for all values of $ϵ$. At this point, however, for utility-focused applications, we can unconditionally recommend the Laplace mechanism over the Bingham one, as it has better utility for mid-to-low-privacy scenarios and has a much more efficient implementation. However, as Figure 2 clearly shows, it is crucial to use a stable Laplace sampler implementation with high sampling efficiency.

To allow even more choices from the design space of privacy mechanisms on SO(3), future work might investigate whether the Purkayastha or VMF mechanisms from [8] can be adopted to the group of three-dimensional rotations, and how they compare with the mechanisms described in this work.