
Commit fe50ea5

ila and claude committed

Add systematic clipping parameter evaluation and composition attack tests

Sweep pac_clip_support threshold, iterative mean-sigma clipping, their combination, composition attacks (up to 100 queries), and power-law skewed data. Key finding: composition breaks unclipped PAC (87% at 100 queries) but hard-zero clipping holds (60% flat). Mean-sigma clipping outperforms level-based clipping for small-group queries.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1 parent 5a24ac6 commit fe50ea5

9 files changed: 1772 additions & 0 deletions

.claude/skills/explain-dp/SKILL.md

Lines changed: 19 additions & 0 deletions
@@ -80,3 +80,22 @@ models. E.g., stronger regularization in ridge regression.

For databases: this suggests that queries producing high-variance outputs (due to outliers, small groups, etc.) are inherently harder to privatize. Clipping reduces variance and thus the noise needed, improving the privacy-utility tradeoff.

### DP vs PAC: Worst-Case vs Instance-Based Sensitivity

DP calibrates noise to **global sensitivity**: the maximum, over ALL possible datasets, of how much the output changes when one row is added or removed. This is a worst-case quantity independent of the actual data.

PAC calibrates noise to the **actual data geometry**: the variance of the query output across subsamples of the real table. Stable queries on stable data get less noise automatically.

The calibration transfer conjecture (Blueprint, April 2026) bridges the two: PAC's instance-based noise from one subsampling distribution D₀, augmented by a small compensation Δ for the spectral gap, transfers to a nearby D₁ (e.g., a different query or a different population). Δ is instance-based (proportional to the actual distributional distance d(D₀,D₁)) and much smaller than DP's global sensitivity. Clipping bounds per-PU influence on the variance, keeping d small. This gives PAC "universal MIA resistance" that degrades gracefully with the effective distributional distance, rather than DP's uniform worst-case bound.
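The worst-case vs instance-based contrast can be illustrated with a toy Monte Carlo sketch. This is not the PAC DB mechanism: `DOMAIN_MAX`, the data distribution, and the rescaled half-sample estimator are illustrative assumptions (the 64-world count mirrors the counters mentioned elsewhere in this commit).

```python
import random
import statistics

random.seed(0)
data = [random.randint(1, 100) for _ in range(1000)]  # a stable, well-behaved table
DOMAIN_MAX = 10**6  # a single row COULD be this large, per the (assumed) schema

# DP-style global sensitivity for SUM: the largest value any row could take,
# over ALL possible datasets -- independent of the actual data.
global_scale = DOMAIN_MAX

# PAC-style instance scale (toy): spread of the rescaled query answer across
# 64 random 50%-subsamples of the REAL table.
def half_sample_sum():
    half = random.sample(data, len(data) // 2)
    return 2 * sum(half)  # rescale the half-sample to estimate the full sum

estimates = [half_sample_sum() for _ in range(64)]
instance_scale = statistics.stdev(estimates)

# On stable data, the instance-based scale is orders of magnitude below the
# worst-case bound, so far less noise is needed.
print(f"global={global_scale}, instance={instance_scale:.0f}")
```

With outlier-heavy data or tiny filtered groups the two scales converge, which is exactly the regime clipping targets.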

.claude/skills/explain-pac/SKILL.md

Lines changed: 36 additions & 0 deletions
@@ -89,6 +89,42 @@ sampling per query** (each query uses a fresh random subset).

- `pac_clip_support`: Minimum distinct contributors per magnitude level (NULL = disabled)
- `pac_hash_repair`: Ensure pac_hash outputs exactly 32 bits set

### Calibration Transfer (Blueprint, April 2026)

PAC calibrates noise per query from the 64 counters' variance. The data is fixed; the "distribution" D is over random 50%-subsamples (the 64 worlds). The calibration transfer conjecture asks when noise calibrated under one subsampling distribution D₀ also protects under a different distribution D₁.

**What D₀ and D₁ represent** (NOT two table versions — the data is fixed):
- Different effective subsampling distributions arising from different queries or different populations. E.g., D₀ = variance profile of a broad query, D₁ = variance profile of a narrow-filter query targeting one PU.
- Or: D₀ = subsampling with Alice present, D₁ = without Alice. The covariance Σ changes because Alice's contribution affects the 64 counters.

**Why narrow-filter attacks succeed**: The noise was calibrated from the full query's variance (D₀). But the attacker's distinguishing task operates on a narrow slice (D₁) where one PU dominates. If d(D₀, D₁) is large, calibration doesn't transfer → the noise is insufficient → the attack succeeds.

**Conjecture**: If d(D₀, D₁) ≤ t, noise Q₀ from D₀ augmented by Δ = N(0, spectral_gap) is valid for D₁. The compensation Δ is instance-based (proportional to the actual distributional distance, not worst-case like DP).

**Connection to clipping**: pac_clip_support bounds per-PU influence on Σ. This keeps d(D₀, D₁) small regardless of the filter → calibration transfers → attacks fail. Clipping is the mechanism that makes the transfer bound tight.

**Open questions**: the optimal distance metric (Wasserstein vs Fisher-Rao), sharp transfer constants, and extending from the continuous (SGD) to the discrete (PAC DB's 64-out-of-128 subsampling) setting.

Reference: "Calibration Transfer Between Close Distributions — Blueprint for Universal Membership Inference Resistance" (working document, 05 April 2026). Thesis: Sridhar, "Toward Provable Privacy for Black-Box Algorithms via Algorithmic Stability" (MIT PhD, February 2026), Chapter 3.
### DDL

```sql
Lines changed: 118 additions & 0 deletions
@@ -0,0 +1,118 @@
===================================================
 COMPOSITION ATTACK: clip=off, filt<=3
 15 trials x 100 queries each
===================================================

--- NQ=1 ---
| truth | mean    | std     |  n |
|-------|---------|---------|---:|
| in    | 1739821 | 6678043 | 13 |
| out   | 6835    | 117410  | 14 |

| best_accuracy |
|---------------|
| 74.1%         |

--- NQ=5 ---
| truth | mean   | std     |  n |
|-------|--------|---------|---:|
| in    | -38831 | 2791251 | 15 |
| out   | 6918   | 39297   | 15 |

| best_accuracy |
|---------------|
| 73.3%         |

--- NQ=10 ---
| truth | mean    | std     |  n |
|-------|---------|---------|---:|
| in    | -182683 | 1878886 | 15 |
| out   | 7183    | 35196   | 15 |

| best_accuracy |
|---------------|
| 70.0%         |

--- NQ=25 ---
| truth | mean   | std     |  n |
|-------|--------|---------|---:|
| in    | 833152 | 1515532 | 15 |
| out   | 16222  | 18137   | 15 |

| best_accuracy |
|---------------|
| 83.3%         |

--- NQ=50 ---
| truth | mean   | std    |  n |
|-------|--------|--------|---:|
| in    | 434678 | 894849 | 15 |
| out   | 18224  | 16098  | 15 |

| best_accuracy |
|---------------|
| 73.3%         |

--- NQ=100 ---
| truth | mean   | std    |  n |
|-------|--------|--------|---:|
| in    | 709941 | 987083 | 15 |
| out   | 17313  | 13044  | 15 |

| best_accuracy |
|---------------|
| 86.7%         |

===================================================
 COMPOSITION ATTACK: clip=2, filt<=3
 15 trials x 100 queries each
===================================================

--- NQ=1 ---
| truth | mean  | std    |  n |
|-------|-------|--------|---:|
| in    | 31260 | 108105 | 11 |
| out   | 4746  | 64576  | 10 |

| best_accuracy |
|---------------|
| 66.7%         |

--- NQ=5 ---
| truth | mean  | std   |  n |
|-------|-------|-------|---:|
| in    | 33914 | 60252 | 15 |
| out   | 7056  | 27635 | 15 |

| best_accuracy |
|---------------|
| 70.0%         |

--- NQ=10 ---
| truth | mean  | std   |  n |
|-------|-------|-------|---:|
| in    | 20631 | 38586 | 15 |
| out   | 5626  | 19507 | 15 |

| best_accuracy |
|---------------|
| 66.7%         |

--- NQ=25 ---
| truth | mean  | std   |  n |
|-------|-------|-------|---:|
| in    | 18989 | 20841 | 15 |
| out   | 15556 | 14957 | 15 |

| best_accuracy |
|---------------|
| 63.3%         |

--- NQ=50 ---
| truth | mean  | std   |  n |
|-------|-------|-------|---:|
| in    | 16671 | 14026 | 15 |
| out   | 12200 | 11412 | 15 |

| best_accuracy |
|---------------|
| 66.7%         |

--- NQ=100 ---
| truth | mean  | std   |  n |
|-------|-------|-------|---:|
| in    | 17200 | 9530  | 15 |
| out   | 15816 | 11039 | 15 |

| best_accuracy |
|---------------|
| 60.0%         |

attacks/clip_composition_test.sh

Lines changed: 106 additions & 0 deletions
@@ -0,0 +1,106 @@
#!/usr/bin/env bash
# Composition attack: does averaging many queries break clipping?
#
# METHODOLOGY:
# Run N independent queries (each with a different pac_seed) on the same data.
# The attacker averages the N results. Noise decreases as 1/sqrt(N) but the
# outlier signal stays constant. With enough queries, noise → 0 and the signal
# should be detectable.
#
# For each NQ (number of queries), we compute the average over those queries
# per trial, then find the best classification threshold across trials.
# 50% = random, 100% = perfect attack.
set -euo pipefail

DUCKDB="/home/ila/Code/pac/build/release/duckdb"
PAC_EXT="/home/ila/Code/pac/build/release/extension/pac/pac.duckdb_extension"

N=1000; TV=999999; MI=0.0078125; FILT=3; NT=15

run_sum() {
    local cond=$1 seed=$2 clip=$3
    local insert=""
    [ "$cond" = "in" ] && insert="INSERT INTO users VALUES (0, ${TV});"
    local clip_sql=""
    [ "$clip" != "off" ] && clip_sql="SET pac_clip_support = ${clip};"
    $DUCKDB -noheader -list 2>/dev/null <<SQL
LOAD '${PAC_EXT}';
CREATE TABLE users(user_id INTEGER, acctbal INTEGER);
INSERT INTO users SELECT i, ((hash(i*31+7)%10000)+1)::INTEGER FROM generate_series(1,${N}) t(i);
${insert}
ALTER TABLE users ADD PAC_KEY(user_id);
ALTER TABLE users SET PU;
SET pac_mi = ${MI};
SET pac_seed = ${seed};
${clip_sql}
SELECT SUM(acctbal) FROM users WHERE user_id <= ${FILT} OR user_id = 0;
SQL
}

MAX_NQ=100  # max queries per trial

for CLIP in off 2; do
    echo "==================================================="
    echo " COMPOSITION ATTACK: clip=${CLIP}, filt<=${FILT}"
    echo " ${NT} trials x ${MAX_NQ} queries each"
    echo "==================================================="
    echo ""

    # Collect all queries upfront
    IN_F=$(mktemp); OUT_F=$(mktemp)
    for trial in $(seq 1 $NT); do
        for q in $(seq 1 $MAX_NQ); do
            s=$((trial * 10000 + q))
            echo "in,${trial},${q},$(run_sum in $s $CLIP)" >> "$IN_F"
            echo "out,${trial},${q},$(run_sum out $s $CLIP)" >> "$OUT_F"
        done
        echo "  trial ${trial}/${NT} done" >&2
    done

    # Analyze at different NQ cutoffs
    for NQ in 1 5 10 25 50 100; do
        echo "--- NQ=${NQ} ---"
        $DUCKDB -markdown <<SQL
CREATE TABLE raw AS
SELECT split_part(c,',',1) AS truth,
       TRY_CAST(split_part(c,',',2) AS INTEGER) AS trial,
       TRY_CAST(split_part(c,',',3) AS INTEGER) AS qid,
       TRY_CAST(split_part(c,',',4) AS DOUBLE) AS v
FROM (
  SELECT column0 AS c FROM read_csv('${IN_F}',columns={'column0':'VARCHAR'},header=false)
  UNION ALL
  SELECT column0 FROM read_csv('${OUT_F}',columns={'column0':'VARCHAR'},header=false)
) WHERE split_part(c,',',4) != '';

-- Average first NQ queries per trial
WITH avgs AS (
  SELECT truth, trial, AVG(v) AS v
  FROM raw WHERE qid <= ${NQ} AND v IS NOT NULL
  GROUP BY truth, trial
)
SELECT truth, printf('%.0f', AVG(v)) AS mean, printf('%.0f', STDDEV(v)) AS std, COUNT(*) AS n
FROM avgs GROUP BY truth ORDER BY truth;

-- Best threshold classifier on averaged values
WITH avgs AS (
  SELECT truth, trial, AVG(v) AS v
  FROM raw WHERE qid <= ${NQ} AND v IS NOT NULL
  GROUP BY truth, trial
),
ths AS (SELECT UNNEST(generate_series(
    (SELECT (MIN(v))::BIGINT FROM avgs),
    (SELECT (MAX(v))::BIGINT FROM avgs),
    GREATEST(1, ((SELECT MAX(v)-MIN(v) FROM avgs)/50)::BIGINT)
  )) AS t),
accs AS (
  SELECT t, 100.0*SUM(CASE
      WHEN truth='in' AND v > t THEN 1 WHEN truth='out' AND v <= t THEN 1
      ELSE 0 END)::DOUBLE / COUNT(*) AS acc
  FROM avgs, ths GROUP BY t
)
SELECT printf('%.1f%%', MAX(acc)) AS best_accuracy FROM accs;
SQL
        echo ""
    done
    rm -f "$IN_F" "$OUT_F"
done
