1 of 21

Enabling Trustworthy AI: Differential Privacy and Secure Computation with PETINA and PRESTO

Embedding privacy without sacrificing performance

September 8, 2025 | DRAI Workshop at ICPP

Ole Kotevska, PhD

ORNL IS MANAGED BY UT-BATTELLE LLC FOR THE US DEPARTMENT OF ENERGY

2 of 21

The Challenge: Trustworthy AI

  • AI in science relies on sensitive data.
    • Industry and academia often reluctant to share due to IP/privacy concerns.
    • Without privacy-preserving methods, collaborations are limited, and trust erodes.

3 of 21

Privacy as a Foundation for Trustworthy AI

4 of 21

Why Does Trustworthy AI Matter for DOE?

  • DOE facilities generate petabytes of sensitive scientific data (materials, energy, biology).
    • Scientists want accurate, useful results.
  • Industry partners cannot always share data due to intellectual property (IP) and privacy risks.
    • Industry wants guarantees that data/IP won’t leak.
  • Policy makers demand accountability and trust.
    • Without privacy guarantees, collaborations stall and scientific progress slows down.
  • Differential Privacy provides guarantees but is hard to apply correctly.
    • PETINA + PRESTO enable privacy-preserving data analysis at scale, bridging utility and trust.

5 of 21

Differential Privacy

  • Adds carefully calibrated noise to protect individuals.
    • Provides formal guarantees.
    • Preserves aggregate patterns while protecting sensitive details.

Definition of Differential Privacy

Why Differential Privacy?

A formal definition of ε-differential privacy. is a dataset without the private data and is one with it. This is "pure ε-differential privacy", meaning δ=0.

6 of 21

From Theory to Practice

  • Differential Privacy is powerful, but it is challenging to adopt.
    • Complex parameter tuning and trade-offs (ε, δ).
    • Domain scientists need usable tools.
    • This is where PETINA and PRESTO come in.

7 of 21

ORNL Solutions for Adaptive Differential Privacy

Two ORNL-developed tools designed to make differential privacy practical and adaptive.

  • PETINA: Provides the core capabilities for performing private data analysis.
  • PRESTO: An intelligent recommendation engine, guiding users toward optimal privacy-preserving configurations based on dataset features and privacy-utility trade-offs.

These tools provide a practical pathway for embedding differential privacy into AI systems workflows without compromising on usability or performance.

8 of 21

PETINA: Privacy prEservaTIoN Algorithms

PETINA is a general-purpose Python library for Differential Privacy, designed for flexibility, modularity, and extensibility across a wide range of ML and data processing pipelines. It supports both numerical and categorical data, with tools for supervised and unsupervised tasks.

Link: https://github.com/ORNL/PETINA

9 of 21

PETINA Design Solution

  • Datasets
    • Numerical
    • Categorical
  • DP Algorithms
    • Distribution
    • Sketching
    • Encoding
    • Adaptive
  • Privacy Accounting
    • Moments
    • RDP
    • zCDP
  • Private Outputs
    • Statistics
    • ML results

10 of 21

PETINA and Other Similar Tools

11 of 21

PETINA: Data Example

OUTPUT:

Original 'sepal length (cm)' (first 10 values):

[5.1, 4.9, 4.7, 4.6, 5.0, 5.4, 4.6, 5.0, 4.4, 4.9]

DP Laplace mechanism on 'sepal length (cm)' (first 10 values):

[3.87, 3.49, 5.79, 8.35, 4.84, 5.54, 4.33, 7.59, 5.74, 1.96]

Original 'sepal width (cm)' (first 10 values):

[3.5, 3.0, 3.2, 3.1, 3.6, 3.9, 3.4, 3.4, 2.9, 3.1]

DP Laplace mechanism on 'sepal width (cm)' (first 10 values):

[4.18, 2.10, 2.50, 3.00, 4.25, 3.18, 3.01, 1.86, 5.32, 3.71]
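
The output above perturbs each value individually; the same mechanism is more often applied to an aggregate. The following added example (not PETINA's API and not code from the slides) goes beyond the slide by releasing an ε-DP mean of the ten sepal-length values and numerically checking the ε bound against a dataset that differs in one record. The clamping bounds LO/HI, the function names and the output grid are assumptions made for this illustration.

```python
import math
import random

# First ten 'sepal length (cm)' values, copied from the slide output.
SEPAL_LENGTH = [5.1, 4.9, 4.7, 4.6, 5.0, 5.4, 4.6, 5.0, 4.4, 4.9]
LO, HI = 4.0, 8.0  # assumed public clamping bounds (not from the slides)


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample: difference of two i.i.d. exponentials.

    Illustrative only; plain floating-point samplers are not hardened
    against precision-based attacks on the noise.
    """
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def clamped_mean(values, lo, hi):
    """Mean after clamping, so one record can move it by at most (hi-lo)/n."""
    return sum(min(max(v, lo), hi) for v in values) / len(values)


def dp_mean(values, epsilon, lo, hi, rng):
    """Release an epsilon-DP mean of a fixed-size dataset."""
    sensitivity = (hi - lo) / len(values)
    return clamped_mean(values, lo, hi) + laplace_noise(sensitivity / epsilon, rng)


def laplace_pdf(x, mu, scale):
    return math.exp(-abs(x - mu) / scale) / (2.0 * scale)


def worst_privacy_loss(values, neighbour, epsilon, lo, hi):
    """Max |ln(p_D(x) / p_D'(x))| over a grid of possible outputs x."""
    scale = (hi - lo) / len(values) / epsilon
    mu_d, mu_n = clamped_mean(values, lo, hi), clamped_mean(neighbour, lo, hi)
    grid = [lo + i * (hi - lo) / 1000 for i in range(-1000, 2001)]
    return max(abs(math.log(laplace_pdf(x, mu_d, scale) / laplace_pdf(x, mu_n, scale)))
               for x in grid)


if __name__ == "__main__":
    rng = random.Random(2025)  # seeded only to make the demo repeatable
    neighbour = SEPAL_LENGTH[:8] + [HI] + SEPAL_LENGTH[9:]  # one record replaced
    for eps in (0.1, 1.0, 10.0):
        print(eps, round(dp_mean(SEPAL_LENGTH, eps, LO, HI, rng), 3),
              round(worst_privacy_loss(SEPAL_LENGTH, neighbour, eps, LO, HI), 3))
```

Without the clamping step the sensitivity is unbounded and no finite noise scale gives the guarantee; the bounds must be chosen without looking at the private data.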

12 of 21

PETINA: ML Example

OUTPUT:

# Train Epoch: 20

Loss: 0.066276

ε_accountant = 1.00, δ = 1e-05

Test Accuracy = 97.75%

# Time run: 92.97 seconds

13 of 21

PRESTO: Privacy REcommendation and SecuriTy Optimization

PRESTO is a Python toolkit that automates differential-privacy selection. It uses multi-objective optimization to recommend a DP mechanism and privacy budget that balance privacy risk and model utility, with uncertainty estimates.

Link: https://github.com/ORNL/PRESTO/

14 of 21

PRESTO Modular Framework

  • PRESTO’s novelty is in recommendation and providing the needed analysis to the users.
  • Defining reliability, confidence, and similarity scores for privacy mechanisms
    • Reliability: Measures consistency in algorithm results across repeated trials.
    • Confidence: Quantifies uncertainty via confidence intervals.
    • Similarity: Assesses how well privatized data matches original data distribution.
  • Gives transparent, auditable settings aligned to user risk/utility goals instead of guesswork.

Figure 1: Overview of PRESTO’s modular framework.

PRESTO framework components shown in the figure:

  • User input
    • Dataset
    • Epsilon
  • Data analysis
    • Statistical
    • Descriptive
  • Privacy algo.
    • Predefined
    • Library
  • Optimization
    • Reliability
    • Confidence
    • Similarity
    • Recommendations
  • Output
    • Visualization
    • Summary

15 of 21

PRESTO vs Other DP Libraries

Table 1: PRESTO complements and enhances existing differential privacy libraries.

Current Challenges:

  • Expertise Barrier: Selecting appropriate privacy mechanisms requires deep theoretical knowledge.
  • Parameter Tuning: Manual trial-and-error to find optimal privacy-utility trade-offs.
  • No Guidance: Limited automated recommendations for algorithm selection.
  • Uncertainty: Lack of confidence intervals and reliability metrics.

PRESTO Solution: Automated Selection, Data-Driven, Quantified Uncertainty, Accessible, and Extensible.

16 of 21

PRESTO Evaluation – No Privacy Expert

Figure 2: Privacy preservation analysis for genomic data for given privacy policy (e.g., GDPR).

  • Determining the best similarity, reliability, and privacy algorithm for a given privacy policy and dataset.

Percentile = better utility but weaker privacy.

RAPPOR = weaker utility but stronger privacy.

17 of 21

PRESTO Evaluation – Privacy Expert

Figure 3: Privacy preservation recommendation for energy data.

Comparison of Privacy Mechanisms for Energy Data

  • Exponential:
    • Most stable, lowest error, best all-around
  • Laplace:
    • Preserves distribution shape best
  • Gaussian:
    • Best for correlation preservation, but less stable.

18 of 21

PRESTO Evaluation – Privacy Expert

Figure 4: Privacy preservation analysis for energy consumption data.

Comparison of DP Mechanisms for Energy Data

19 of 21

From Privacy Mechanisms to Practical Recommendations

Input Raw Data → PETINA (Privacy Mechanisms) → Privatized Data → PRESTO (Recommendation Engine) → Scores & Rankings → User / Scientist (Chooses Best Mechanism) → User Decision

20 of 21

Conclusion

  • Trustworthy AI requires privacy at its core — not an afterthought.
  • Differential Privacy (via PETINA) provides rigorous guarantees with flexible mechanisms.
  • Secure Computation is strengthened by PRESTO’s adaptive recommendations and evaluations.
  • PETINA + PRESTO together transform abstract privacy trade-offs into actionable, usable solutions.
  • DOE and scientific communities can now adopt practical, trustworthy AI workflows without compromising privacy or utility.

PETINA and PRESTO together make differential privacy practical, adaptive, and trustworthy for DOE science, industry and academic collaborations.

21 of 21

Thank you!

Acknowledgment

Collaborators

Dr. Prasanna Balaprakash, Dr. Robert Patton,

Jackie Nguyen (intern)

Dr. Gilad Kusne
