The $k$-anonymity Problem is Hard

The problem of publishing personal data without giving up privacy is becoming increasingly important. An interesting formalization recently proposed is the k-anonymity. This approach requires that the rows in a table are clustered in sets of size at least k and that all the rows in a cluster become the same tuple, after the suppression of some records. The natural optimization problem, where the goal is to minimize the number of suppressed entries, is known to be NP-hard when the values are over a ternary alphabet, k = 3 and the rows length is unbounded. In this paper we give a lower bound on the approximation factor that any polynomial-time algorithm can achive on two restrictions of the problem,namely (i) when the records values are over a binary alphabet and k = 3, and (ii) when the records have length at most 8 and k = 4, showing that these restrictions of the problem are APX-hard.

💡 Research Summary

The paper investigates the computational hardness of the k‑anonymity problem, a fundamental model for publishing personal data while preserving privacy. In k‑anonymity, a database must be transformed so that each record is identical to at least k‑1 other records; the transformation is achieved by suppressing (or generalizing) entries, and the objective is to minimize the total number of suppressed entries. While it was already known that the problem is NP‑hard for a ternary alphabet, k = 3, and unbounded row length, no strong inapproximability results were known for more realistic settings.

The authors focus on two practically relevant restrictions and prove that both are APX‑hard, i.e., they admit no polynomial‑time approximation scheme (PTAS) and any polynomial‑time algorithm cannot achieve an approximation factor better than some constant.

1. Binary alphabet, k = 3 (3‑ABP).
   The reduction starts from Minimum Vertex Cover on cubic graphs (MVCC), a classic APX‑hard problem. For a given cubic graph G = (V,E), the authors construct a “gadget graph” VG consisting of vertex gadgets and edge gadgets. Each vertex gadget VGi contains seven “core” vertices and three “jolly” vertices; core vertices are linked by nine internal edges, while each core vertex also has four parallel “jolly” edges to its associated jolly vertex. Each original edge (vi,vj) is represented by a single edge gadget connecting a core vertex of VGi to a core vertex of VGj.

   Rows of the k‑anonymity instance are derived from the edges of VG using three encoding operations:

   • v‑enc(i,j): sets three bits in the i‑th block of a row (positions 3j‑2, 3j‑1, 3j) to 1.
   • g‑enc(i): sets three bits in the “edge block” (positions 3i‑2, 3i‑1, 3i) to 1.
   • j‑enc(i,x): sets two bits in the “jolly block” (positions 6(i‑1)+x, 6(i‑1)+x+1) to 1.

   Core‑edge rows combine one g‑enc and two v‑enc; jolly‑edge rows combine one j‑enc, one g‑enc, and four v‑enc; edge‑gadget rows combine two g‑enc and two v‑enc. By carefully analyzing Hamming distances between rows of different types, the authors establish tight lower bounds (e.g., distance 6 for two edges incident to the same vertex, distance 12 for non‑incident edges within the same gadget, distance ≥18 for edges from different gadgets).

   The crucial observation is that any feasible clustering of the rows can be transformed into a canonical clustering where each vertex gadget is handled in exactly one of two ways:

   • Type A (non‑cover): the three core‑edge rows and two jolly‑edge rows of a gadget are placed together, incurring a suppression cost of 6.
   • Type B (cover): the same rows are partitioned differently, incurring a cost of 12.

   The total cost of a clustering is therefore 6·|V| + 6·|C|, where C is the set of vertices placed in a Type B configuration. Conversely, given any clustering of cost C’, one can extract a vertex cover C’’ of size at most (C’ − 6|V|)/6. This establishes an L‑reduction with constants α = 6 and β = 1, proving that 3‑ABP is APX‑hard.

2. Row length ≤ 8, k = 4 (4‑AP(8)).
   For the second restriction the authors use a much simpler gadget. Each vertex vi is represented by four rows: two “selected” rows (used when vi belongs to the cover) and two “unselected” rows (used otherwise). Selected rows have a 1 in column 4; unselected rows have 1’s in columns 1‑3. Edge rows are constructed by pairing the appropriate rows of the two incident vertices; they always have cost 0 because they can be clustered together without any suppression.

   Since k = 4, the four rows belonging to a vertex must form a single cluster. If the vertex is placed in the cover, the cluster uses the two selected rows, incurring a suppression cost of 1 per row (total = 2). If the vertex is not in the cover, the cluster uses the two unselected rows, incurring a cost of 3 per row (total = 6). Thus the total suppression cost of any feasible solution equals 2·|C| + 6·(|V| − |C|) = 6|V| − 4|C|, which is a linear function of the size of the vertex cover C. From a solution of cost C’ one can recover a cover of size (6|V| − C’)/4, establishing an L‑reduction with constant factors (α = 4, β = 1). Consequently, 4‑AP(8) is also APX‑hard.

3. Implications.
   By proving APX‑hardness for these two natural restrictions, the paper shows that even when data are binary (e.g., gender, yes/no attributes) or when the number of attributes is very small (≤ 8), the k‑anonymity optimization problem remains resistant to arbitrarily good polynomial‑time approximations. This complements earlier results that gave O(k) and O(log k) approximation algorithms for unrestricted instances, indicating that such guarantees cannot be improved to constant factors for the restricted cases studied here.

4. Structure of the paper.

   • Section 2 introduces formal definitions (rows, Hamming distance, clustering cost) and the L‑reduction framework.
   • Section 3 presents the APX‑hardness proof for 3‑ABP, detailing gadget construction, encoding operations, distance lemmas, canonical clustering, and the L‑reduction parameters.
   • Section 4 gives the analogous proof for 4‑AP(8) with a streamlined gadget and cost analysis.
   • Section 5 concludes, discusses the significance of the results, and suggests directions for future work (e.g., tighter approximation bounds, extensions to generalized suppression models).

Overall, the work provides a rigorous and technically sophisticated demonstration that k‑anonymity, even under highly constrained and practically relevant settings, is computationally intractable to approximate within any constant factor, thereby setting a clear boundary for what can be hoped to achieve with efficient anonymization algorithms.