Tricking the Hashing Trick: A Tight Lower Bound on the Robustness of CountSketch to Adaptive Inputs

Edith Cohen; Jelani Nelson; Tamás Sarlós; Uri Stemmer

doi:https://doi.org/10.1609/aaai.v37i6.25882

Tricking the Hashing Trick: A Tight Lower Bound on the Robustness of CountSketch to Adaptive Inputs

Edith Cohen, Jelani Nelson, Tamás Sarlós, Uri Stemmer

School of Computer Science

Tel Aviv University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

CountSketch and Feature Hashing (the “hashing trick”) are popular randomized dimensionality reduction methods that support recovery of ℓ2-heavy hitters (keys i where v_i² > ϵ∥v∥²₂) and approximate inner products. When the inputs are not adaptive (do not depend on prior outputs), classic estimators applied to a sketch of size O(ℓ/ϵ) are accurate for a number of queries that is exponential in ℓ. When inputs are adaptive, however, an adversarial input can be constructed after O(ℓ) queries with the classic estimator and the best known robust estimator only supports Õ(ℓ²) queries. In this work we show that this quadratic dependence is in a sense inherent: We design an attack that after O(ℓ²) queries produces an adversarial input vector whose sketch is highly biased. Our attack uses “natural” non-adaptive inputs (only the final adversarial input is chosen adaptively) and universally applies with any correct estimator, including one that is unknown to the attacker. In that, we expose inherent vulnerability of this fundamental method.

Original language	American English
Title of host publication	AAAI-23 Technical Tracks 6
Editors	Brian Williams, Yiling Chen, Jennifer Neville
Pages	7235-7243
Number of pages	9
ISBN (Electronic)	9781577358800
DOIs	https://doi.org/10.1609/aaai.v37i6.25882
State	Published - 27 Jun 2023
Event	37th AAAI Conference on Artificial Intelligence, AAAI 2023 - Washington, United States Duration: 7 Feb 2023 → 14 Feb 2023

Publication series

Name	Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023
Volume	37

Conference

Conference	37th AAAI Conference on Artificial Intelligence, AAAI 2023
Country/Territory	United States
City	Washington
Period	7/02/23 → 14/02/23

All Science Journal Classification (ASJC) codes

Artificial Intelligence

Access to Document

https://doi.org/10.1609/aaai.v37i6.25882

Cite this

Cohen, E., Nelson, J., Sarlós, T., & Stemmer, U. (2023). Tricking the Hashing Trick: A Tight Lower Bound on the Robustness of CountSketch to Adaptive Inputs. In B. Williams, Y. Chen, & J. Neville (Eds.), AAAI-23 Technical Tracks 6 (pp. 7235-7243). (Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023; Vol. 37). https://doi.org/10.1609/aaai.v37i6.25882

@inproceedings{c2fe067c034d46b1aee8ae9f19bde274,

title = "Tricking the Hashing Trick: A Tight Lower Bound on the Robustness of CountSketch to Adaptive Inputs",

abstract = "CountSketch and Feature Hashing (the “hashing trick”) are popular randomized dimensionality reduction methods that support recovery of ℓ2-heavy hitters (keys i where vi2 > ϵ∥v∥22) and approximate inner products. When the inputs are not adaptive (do not depend on prior outputs), classic estimators applied to a sketch of size O(ℓ/ϵ) are accurate for a number of queries that is exponential in ℓ. When inputs are adaptive, however, an adversarial input can be constructed after O(ℓ) queries with the classic estimator and the best known robust estimator only supports {\~O}(ℓ2) queries. In this work we show that this quadratic dependence is in a sense inherent: We design an attack that after O(ℓ2) queries produces an adversarial input vector whose sketch is highly biased. Our attack uses “natural” non-adaptive inputs (only the final adversarial input is chosen adaptively) and universally applies with any correct estimator, including one that is unknown to the attacker. In that, we expose inherent vulnerability of this fundamental method.",

author = "Edith Cohen and Jelani Nelson and Tam{\'a}s Sarl{\'o}s and Uri Stemmer",

note = "Publisher Copyright: Copyright {\textcopyright} 2023, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.; 37th AAAI Conference on Artificial Intelligence, AAAI 2023 ; Conference date: 07-02-2023 Through 14-02-2023",

year = "2023",

month = jun,

day = "27",

doi = "https://doi.org/10.1609/aaai.v37i6.25882",

language = "American English",

series = "Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023",

pages = "7235--7243",

editor = "Brian Williams and Yiling Chen and Jennifer Neville",

booktitle = "AAAI-23 Technical Tracks 6",

}

Cohen, E, Nelson, J, Sarlós, T & Stemmer, U 2023, Tricking the Hashing Trick: A Tight Lower Bound on the Robustness of CountSketch to Adaptive Inputs. in B Williams, Y Chen & J Neville (eds), AAAI-23 Technical Tracks 6. Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023, vol. 37, pp. 7235-7243, 37th AAAI Conference on Artificial Intelligence, AAAI 2023, Washington, United States, 7/02/23. https://doi.org/10.1609/aaai.v37i6.25882

Tricking the Hashing Trick: A Tight Lower Bound on the Robustness of CountSketch to Adaptive Inputs. / Cohen, Edith; Nelson, Jelani; Sarlós, Tamás et al.
AAAI-23 Technical Tracks 6. ed. / Brian Williams; Yiling Chen; Jennifer Neville. 2023. p. 7235-7243 (Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023; Vol. 37).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Tricking the Hashing Trick

T2 - 37th AAAI Conference on Artificial Intelligence, AAAI 2023

AU - Cohen, Edith

AU - Nelson, Jelani

AU - Sarlós, Tamás

AU - Stemmer, Uri

PY - 2023/6/27

Y1 - 2023/6/27

N2 - CountSketch and Feature Hashing (the “hashing trick”) are popular randomized dimensionality reduction methods that support recovery of ℓ2-heavy hitters (keys i where vi2 > ϵ∥v∥22) and approximate inner products. When the inputs are not adaptive (do not depend on prior outputs), classic estimators applied to a sketch of size O(ℓ/ϵ) are accurate for a number of queries that is exponential in ℓ. When inputs are adaptive, however, an adversarial input can be constructed after O(ℓ) queries with the classic estimator and the best known robust estimator only supports Õ(ℓ2) queries. In this work we show that this quadratic dependence is in a sense inherent: We design an attack that after O(ℓ2) queries produces an adversarial input vector whose sketch is highly biased. Our attack uses “natural” non-adaptive inputs (only the final adversarial input is chosen adaptively) and universally applies with any correct estimator, including one that is unknown to the attacker. In that, we expose inherent vulnerability of this fundamental method.

AB - CountSketch and Feature Hashing (the “hashing trick”) are popular randomized dimensionality reduction methods that support recovery of ℓ2-heavy hitters (keys i where vi2 > ϵ∥v∥22) and approximate inner products. When the inputs are not adaptive (do not depend on prior outputs), classic estimators applied to a sketch of size O(ℓ/ϵ) are accurate for a number of queries that is exponential in ℓ. When inputs are adaptive, however, an adversarial input can be constructed after O(ℓ) queries with the classic estimator and the best known robust estimator only supports Õ(ℓ2) queries. In this work we show that this quadratic dependence is in a sense inherent: We design an attack that after O(ℓ2) queries produces an adversarial input vector whose sketch is highly biased. Our attack uses “natural” non-adaptive inputs (only the final adversarial input is chosen adaptively) and universally applies with any correct estimator, including one that is unknown to the attacker. In that, we expose inherent vulnerability of this fundamental method.

UR - http://www.scopus.com/inward/record.url?scp=85167962774&partnerID=8YFLogxK

U2 - https://doi.org/10.1609/aaai.v37i6.25882

DO - https://doi.org/10.1609/aaai.v37i6.25882

M3 - Conference contribution

T3 - Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023

SP - 7235

EP - 7243

BT - AAAI-23 Technical Tracks 6

A2 - Williams, Brian

A2 - Chen, Yiling

A2 - Neville, Jennifer

Y2 - 7 February 2023 through 14 February 2023

ER -

Tricking the Hashing Trick: A Tight Lower Bound on the Robustness of CountSketch to Adaptive Inputs

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Cite this