pith. sign in

arxiv: 1905.02383 · v3 · pith:MP4MHE5Vnew · submitted 2019-05-07 · 💻 cs.LG · cs.CR· cs.DS· stat.ML

Gaussian Differential Privacy

Jinshuo Dong , Aaron Roth , Weijie J. Su This is my paper
classification 💻 cs.LG cs.CRcs.DSstat.ML
keywords privacycompositiondifferentialtestinghypothesisprivateadditionalgorithms
0
0 comments X
read the original abstract

Differential privacy has seen remarkable success as a rigorous and practical formalization of data privacy in the past decade. This privacy definition and its divergence based relaxations, however, have several acknowledged weaknesses, either in handling composition of private algorithms or in analyzing important primitives like privacy amplification by subsampling. Inspired by the hypothesis testing formulation of privacy, this paper proposes a new relaxation, which we term `$f$-differential privacy' ($f$-DP). This notion of privacy has a number of appealing properties and, in particular, avoids difficulties associated with divergence based relaxations. First, $f$-DP preserves the hypothesis testing interpretation. In addition, $f$-DP allows for lossless reasoning about composition in an algebraic fashion. Moreover, we provide a powerful technique to import existing results proven for original DP to $f$-DP and, as an application, obtain a simple subsampling theorem for $f$-DP. In addition to the above findings, we introduce a canonical single-parameter family of privacy notions within the $f$-DP class that is referred to as `Gaussian differential privacy' (GDP), defined based on testing two shifted Gaussians. GDP is focal among the $f$-DP class because of a central limit theorem we prove. More precisely, the privacy guarantees of \emph{any} hypothesis testing based definition of privacy (including original DP) converges to GDP in the limit under composition. The CLT also yields a computationally inexpensive tool for analyzing the exact composition of private algorithms. Taken together, this collection of attractive properties render $f$-DP a mathematically coherent, analytically tractable, and versatile framework for private data analysis. Finally, we demonstrate the use of the tools we develop by giving an improved privacy analysis of noisy stochastic gradient descent.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 7 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Auditing Apple's DifferentialPrivacy.framework: Implementation Bugs, Misconfigurations, and Practical Risks

    cs.CR 2026-05 accept novelty 8.0

    Audit finds DP violations in 5 of 9 mechanisms in Apple's framework due to insecure floating-point samplers and disabled local DP in secure aggregation, impacting 87% of macOS Sonoma and 68% of Sequoia data collection.

  2. Optimal Guarantees for Auditing R\'enyi Differentially Private Machine Learning

    cs.LG 2026-05 unverdicted novelty 7.0

    A hypothesis-testing framework with class-restricted Donsker-Varadhan estimators provides optimal non-asymptotic confidence intervals and minimax lower bounds for black-box auditing of Rényi DP guarantees.

  3. Provable Robustness against Backdoor Attacks via the Primal-Dual Perspective on Differential Privacy

    cs.LG 2026-05 unverdicted novelty 7.0

    A new framework is introduced for end-to-end provable robustness against backdoor attacks by composing randomized smoothing with differentially private training via privacy profiles.

  4. Auditing Apple's DifferentialPrivacy.framework: Implementation Bugs, Misconfigurations, and Practical Risks

    cs.CR 2026-05 conditional novelty 7.0

    Client-side audit of Apple's closed-source DP framework finds floating-point sampler bugs and misconfigurations that violate DP guarantees in 5 of 9 mechanisms, affecting 87% of data collection on Sonoma and 68% on Sequoia.

  5. Rethinking the Security of DP-SGD: A Corrected Analysis of Differentially Private Machine Learning

    cs.CR 2026-05 conditional novelty 6.0

    DP-SGD with expected or batch averaging (EASGM or ASGM) has weaker privacy guarantees than the standard subsampled Gaussian mechanism analysis, confirmed by theoretical re-analysis and audits of libraries including Opacus.

  6. Fundamental Limitations of Favorable Privacy-Utility Guarantees for DP-SGD

    cs.LG 2026-01 unverdicted novelty 6.0

    Shuffled DP-SGD requires σ ≥ 1/√(2 ln M) or κ ≥ (1/√8)(1 - 1/√(4π ln M)) to limit adversarial advantage, preventing strong privacy and high utility simultaneously.

  7. Beyond Membership: Limitations of Add/Remove Adjacency in Differential Privacy

    cs.CR 2025-11 unverdicted novelty 6.0

    Add/remove adjacency in DP overstates attribute privacy relative to substitute adjacency; new auditing attacks confirm inconsistency with add/remove reports but consistency with substitute accounting.