Optimal conversion from Rényi Differential Privacy to $f$-Differential Privacy

TL;DR

The paper tackles the problem of converting Rényi Differential Privacy (RDP) guarantees into $f$-Differential Privacy bounds in a black-box setting. It proves that the optimal conversion is the intersection (pointwise maximum) of all single-order RDP privacy regions, yielding $f_{\rho(\cdot)}(\alpha) = \sup_{\tau\ge 0.5} f_{\tau,\rho(\tau)}(\alpha)$, valid for all $\alpha$ and all RDP profiles. The authors establish this by (i) constructing Bernoulli mechanisms that saturate the single-order boundaries, (ii) proving the convexity and monotonicity properties of the $\tau$-order privacy regions, and (iii) showing that any tighter black-box bound would contradict the attainability of these witness mechanisms. They further prove that the intersection bound is universal: no other conversion rule based solely on the RDP profile can uniformly improve on it, effectively closing the gap between RDP constraints and $f$-DP envelopes. The work also highlights that the Randomized Response family exactly recovers the joint RDP region, reinforcing the fundamental role of binary reductions in privacy-utility trade-offs and providing a practical, mechanism-agnostic route to optimal accounting in RDP-to-$f$-DP conversions.

Abstract

We prove the conjecture stated in Appendix F.3 of [Zhu et al. (2022)]: among all conversion rules that map a Rényi Differential Privacy (RDP) profile $τ\mapsto ρ(τ)$ to a valid hypothesis-testing trade-off $f$, the rule based on the intersection of single-order RDP privacy regions is optimal. This optimality holds simultaneously for all valid RDP profiles and for all Type I error levels $α$. Concretely, we show that in the space of trade-off functions, the tightest possible bound is $f_{ρ(\cdot)}(α) = \sup_{τ\geq 0.5} f_{τ,ρ(τ)}(α)$: the pointwise maximum of the single-order bounds for each RDP privacy region. Our proof unifies and sharpens the insights of [Balle et al. (2019)], [Asoodeh et al. (2021)], and [Zhu et al. (2022)]. Our analysis relies on a precise geometric characterization of the RDP privacy region, leveraging its convexity and the fact that its boundary is determined exclusively by Bernoulli mechanisms. Our results establish that the "intersection-of-RDP-privacy-regions" rule is not only valid, but optimal: no other black-box conversion can uniformly dominate it in the Blackwell sense, marking the fundamental limit of what can be inferred about a mechanism's privacy solely from its RDP guarantees.

Figures (3)

• Figure 1: The fundamental limit of RDP-to-$f$-DP conversion. The blue curve is our optimal conversion bound derived for the RDP profile of a Gaussian mechanism with unit sensitivity and noise scale $\sigma=1$, defined by $\rho(\tau) = \frac{\tau}{2\sigma^2}$, $\tau \in [0.5, \infty)$. The black curve indicates the true trade-off for the Gaussian mechanism $f(\alpha) = \Phi(\Phi^{-1}(1-\alpha) - 1/\sigma)$. The other piecewise linear functions represent witness mechanisms (Randomized Response) that saturate the RDP conversion at various orders. The shaded gray region illustrates the "optimality gap": the inevitable loss of tightness when converting a mechanism solely via its RDP profile. Our bound (blue) is the tightest possible envelope for the class of all mechanisms sharing this RDP profile, as evidenced by the witness mechanisms touching the converted trade-off.
• Figure 2: Visualization of the $\tau$-order RDP privacy region $R_{D_\tau}(\rho)$ for $\tau=1.5$ and $\rho=0.75$. The bold blue curve depicts the lower boundary $f_{\tau, \rho}(\alpha)$. The straight lines represent the piecewise linear trade-off functions of specific RR mechanisms that satisfy the $(1.5, 0.75)$-RDP constraint. The red line corresponds to the symmetric RR mechanism, while the other lines correspond to asymmetric RR mechanisms. Note that the envelope of these valid mechanisms exactly reconstructs the RDP boundary, illustrating the optimality result in Proposition \ref{['prop::OptimalitysingleRDPBoundary']}.
• Figure 3: Exemplary construction of the joint RDP privacy region $\mathcal{R}_{\text{joint}}$ using a subset of orders $\tau \in \{0.5, 0.8, 1.0, 2.0\}$ for the profile of the Gaussian mechanism with unit sensitivity and noise scale $\sigma$, $\rho(\tau) = \frac{\tau}{2\sigma^2}$. The colored lines depict the lower boundaries of the single-order regions $R_{D_\tau}$. The solid black curve represents the boundary of the intersection, which corresponds to the pointwise maximum (supremum) of the individual single-order boundaries. The inset zooms in on the "tangent" behavior, showing how different orders become active (provide the tightest bound) at different error regimes.

Theorems & Definitions (19)

• Definition 2.1: $(\varepsilon,\delta)$-Differential Privacy
• Definition 2.2: Rényi Differential Privacy Mironov_2017
• Definition 2.3: Admissible Conversion Rule
• Proposition 2.4: Convexity and Symmetry of the RDP Privacy Region
• proof
• Proposition 3.1: Optimality of the RDP Boundary
• proof
• Lemma 4.1: Projection of an Intersection
• proof
• Lemma 4.2: Intersection Bound