Privacy amplification by random allocation

Vitaly Feldman, Moshe Shenfeld

TL;DR

It is demonstrated that the privacy guarantees of random k-out-of-t allocation can be upper bounded by the privacy guarantees of the well-studied independent subsampling in which each step uses the user's data with probability $(1+o(1))k/t$.

Abstract

We consider the privacy amplification properties of a sampling scheme in which a user's data is used in k steps chosen randomly and uniformly from a sequence (or set) of t steps. This sampling scheme has been recently applied in the context of differentially private optimization [Chua et al., 2024a, Choquette-Choo et al., 2025] and is also motivated by communication-efficient high-dimensional private aggregation [Asi et al., 2025]. Existing analyses of this scheme either rely on privacy amplification by shuffling which leads to overly conservative bounds or require Monte Carlo simulations that are computationally prohibitive in most practical scenarios. We give the first theoretical guarantees and numerical estimation algorithms for this sampling scheme. In particular, we demonstrate that the privacy guarantees of random k-out-of-t allocation can be upper bounded by the privacy guarantees of the well-studied independent (or Poisson) subsampling in which each step uses the user's data with probability $(1+o(1))k/t$. Further, we provide two additional analysis techniques that lead to numerical improvements in several parameter regimes. Altogether, our bounds give efficiently-computable and nearly tight numerical results for random allocation applied to Gaussian noise addition.

Paper Structure

This paper contains 31 sections, 25 theorems, 70 equations, 11 figures.

Key Result

Lemma 2.4

Given two distributions $P, Q$, if $\boldsymbol{R}_{\alpha}\left(P \Vert Q \right) \le \rho$ then $\boldsymbol{H}_{e^{\varepsilon}}\left(P ~\left\Vert~ Q \right. \right) \le \frac{1}{\alpha-1}e^{(\alpha-1)(\rho - \varepsilon)}\left(1 - \frac{1}{\alpha} \right)^{\alpha}$.
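The following is an added example, not code from the paper: it applies Lemma 2.4 to the Gaussian mechanism and minimizes the resulting $\varepsilon$ over integer orders $\alpha \in [2, 60]$ (the range mentioned in the Figure 1 caption), then checks the result against the exact Gaussian hockey-stick divergence. Assumptions: sensitivity 1, the standard Gaussian Rényi bound $\rho = \alpha/(2\sigma^2)$, the standard closed form for the Gaussian privacy profile, and hypothetical function names.

```python
import math

def hockey_stick_from_renyi(alpha, rho, eps):
    """Lemma 2.4: upper bound on H_{e^eps}(P||Q) when R_alpha(P||Q) <= rho."""
    log_bound = ((alpha - 1) * (rho - eps)
                 + alpha * math.log1p(-1.0 / alpha)
                 - math.log(alpha - 1))
    # A hockey-stick divergence never exceeds 1, so cap the bound
    # (this also avoids overflow in exp when alpha * rho is large).
    return 1.0 if log_bound >= 0 else math.exp(log_bound)

def eps_from_renyi(alpha, rho, delta):
    """Lemma 2.4 solved for eps at a target delta (clamped at 0)."""
    slack = (math.log(1.0 / delta)
             + alpha * math.log1p(-1.0 / alpha)
             - math.log(alpha - 1))
    return max(0.0, rho + slack / (alpha - 1))

def gaussian_rdp(alpha, sigma):
    """Assumption: Renyi divergence of order alpha between
    N(0, sigma^2) and N(1, sigma^2), i.e. sensitivity 1."""
    return alpha / (2.0 * sigma ** 2)

def gaussian_eps_via_rdp(sigma, delta, alphas=range(2, 61)):
    """Smallest eps over the alpha grid; returns (eps, best_alpha)."""
    return min((eps_from_renyi(a, gaussian_rdp(a, sigma), delta), a)
               for a in alphas)

def gaussian_delta_exact(sigma, eps):
    """Exact hockey-stick divergence of the sensitivity-1 Gaussian
    mechanism (standard closed form, assumed here for comparison)."""
    def phi(x):  # standard normal CDF, accurate in the lower tail
        return 0.5 * math.erfc(-x / math.sqrt(2.0))
    return (phi(0.5 / sigma - eps * sigma)
            - math.exp(eps) * phi(-0.5 / sigma - eps * sigma))

if __name__ == "__main__":
    delta = 1e-10  # the delta used in the paper's figures
    for sigma in (1.0, 2.0, 4.0):  # constructed sample noise levels
        eps, alpha = gaussian_eps_via_rdp(sigma, delta)
        exact = gaussian_delta_exact(sigma, eps)
        print(f"sigma={sigma}: eps<={eps:.4f} (alpha={alpha}), "
              f"exact delta at that eps={exact:.3e} <= {delta:.0e}")
```

The exact $\delta$ at the returned $\varepsilon$ falls below the target, which shows how much slack the Rényi-to-hockey-stick conversion leaves for a single Gaussian step.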

Figures (11)

  • Figure 1: Upper bounds on privacy parameter $\varepsilon$ as a function of the noise parameter $\sigma$ for various schemes and the local algorithm (no amplification), all using the Gaussian mechanism with fixed parameters $\delta = 10^{-10}$, $t = 10^{6}$. In the Poisson scheme $\lambda = 1/t$. The "flat" part of the RDP-based calculation is due to computational limitations: it was computed for the range $\alpha \in [2, 60]$.
  • Figure 2: Bounds on privacy parameter $\varepsilon$ as a function of the noise parameter $\sigma$ for various values of $t$, all using the Gaussian mechanism with $\delta = 10^{-10}$. We compare the minimum over all our methods to the independent results in [DCO25], the lower bound by [CGHLKKMSZ24], and to the Poisson scheme with $\lambda = 1/t$.
  • Figure 3: Analytical and empirical square error for the Poisson and random allocation scheme for the setting discussed in Appendix \ref{apd:util}, for various values of $\varepsilon$ and $d$ (which corresponds to an increase in sensitivity). We set $p=0.9$, $t=10^{3}$, $\delta = 10^{-10}$. The experiment was carried out $10^{4}$ times, so the $3$-std confidence intervals are barely visible.
  • Figure 4: Upper bounds on privacy parameter $\varepsilon$ for the add and remove directions as a function of the noise parameter $\sigma$ for various schemes, all using the Gaussian mechanism with fixed parameters $\delta = 10^{-10}$, $t = 10^{6}$, the same setting as Figure \ref{fig:main}.
  • Figure 5: Upper bounds on privacy parameter $\varepsilon$ for the add and remove directions as a function of the noise parameter $\sigma$ for various schemes, all using the Gaussian mechanism with fixed parameters $\delta = 10^{-10}$, $t = 10^{6}$, $k = 10$, the same setting as Figure \ref{fig:main}.
  • ...and 6 more figures

Theorems & Definitions (73)

  • Definition 2.1: Hockey-stick divergence [BKOZB12]
  • Definition 2.2: Privacy profile [BBG18]
  • Definition 2.3: Rényi divergence
  • Lemma 2.4: Rényi bounds Hockey-stick, Prop. 12 in [CKS20]
  • Definition 2.5: Differential privacy [DKMMN06]
  • Definition 2.6: Rényi differential privacy [Mironov17]
  • Lemma 2.7: Gaussian mechanism DP guarantees [BW18, Mironov17]
  • Definition 2.8: Dominating pair [ZDW22]
  • Definition 2.9: Dominating randomizer
  • Lemma 2.10: Post processing, Thm. II.5 in [KOV15]
  • ...and 63 more