Sequential Auditing for f-Differential Privacy

TL;DR

This work introduces sequential auditing for $f$-Differential Privacy ($f$-DP) to empirically verify DP guarantees from output samples. It develops Advanced Privacy Testing (APT), a sequential framework that adaptively determines the number of required samples while controlling the false rejection rate at a user-specified level $\\gamma$, achieving near-optimal sample complexity up to a logarithmic factor. The authors design both blackbox and whitebox classifier suites based on Likelihood Ratio principles, with a novel LR tuning that maximizes the square under the $f$-DP curve to improve detection of privacy violations. The framework is validated on Gaussian, Laplace, and DP-SGD mechanisms, including real-world DP-SGD in a one-run setting, showing substantial sampling reductions and practical applicability, and they provide open-source code.

Abstract

We present new auditors to assess Differential Privacy (DP) of an algorithm based on output samples. Such empirical auditors are common to check for algorithmic correctness and implementation bugs. Most existing auditors are batch-based or targeted toward the traditional notion of $(\varepsilon,δ)$-DP; typically both. In this work, we shift the focus to the highly expressive privacy concept of $f$-DP, in which the entire privacy behavior is captured by a single tradeoff curve. Our auditors detect violations across the full privacy spectrum with statistical significance guarantees, which are supported by theory and simulations. Most importantly, and in contrast to prior work, our auditors do not require a user-specified sample size as an input. Rather, they adaptively determine a near-optimal number of samples needed to reach a decision, thereby avoiding the excessively large sample sizes common in many auditing studies. This reduction in sampling cost becomes especially beneficial for expensive training procedures such as DP-SGD. Our method supports both whitebox and blackbox settings and can also be executed in single-run frameworks.

Figures (8)

• Figure 1: Power, sample size, and effect size form a triad in which any two quantities determine the third. Thus, an optimal sample size can only be computed once both the desired power and effect size are specified.
• Figure 2: False rejection rates in sequential testing without proper adjustment.
• Figure 3: Realizations of the standard Brownian motion on the interval $[1,200]$ compared to a boundary function $g(x) = \sqrt{(x/4)\log(20+x)}$ shown in solid black. Blue paths stay below the boundary function and red paths cross the boundary at some point.
• Figure 4: The blue line corresponds to $f_{ }$, while the red line represents the estimated tradeoff curve $\hat{T}$. The vertical green line and diagonal yellow line correspond to the rules of selecting $\eta$ in \ref{['eq:old_eta_max']} and \ref{['eq:new_eta_max']}, respectively. The rule \ref{['eq:new_eta_max']} maximizes the size of the square that can be fit below $f_{ }$ -- the central quantity for detecting DP-violations.
• Figure 6: Empirical rejection rate (blue curve) and average runtime (red curve) for different claimed $\mu$. Variation in runtimes is represented by orange boxplots. Notice that smaller values for $\mu$ correspond to larger privacy violation.

Theorems & Definitions (7)

• Definition 2.1: Tradeoff function
• Definition 2.2: $f$-DP
• Example 2.3
• Theorem 3.1
• Remark 3.2
• Remark 3.3
• Theorem A.1