$f$-Differential Privacy Filters: Validity and Approximate Solutions
Long Tran, Antti Koskela, Ossi Räisä, Antti Honkela
TL;DR
This work investigates privacy accounting under fully adaptive differential privacy using $f$-DP, proving that the natural filter based on composing trade-off functions and stopping at a budget is not valid in general. It identifies a structural condition—Blackwell chains—under which such a filter becomes valid and shows this holds for Gaussian (GDP) trade-offs but not universally for subsampled Gaussian mechanisms. The authors then develop a fully adaptive central limit theorem for privacy-loss processes and construct an approximate GDP filter tailored to DP-SGD, yielding tighter guarantees than fully adaptive RDP in regimes where the sampling rate is very small or very large. The results illuminate when tensor-product based accounting can be effective and provide a practical, provably tighter privacy filter for adaptive machine-learning workflows, with implications for mechanism-specific privacy accounting.
Abstract
Accounting for privacy loss under fully adaptive composition -- where both the choice of mechanisms and their privacy parameters may depend on the entire history of prior outputs -- is a central challenge in differential privacy (DP). In this setting, privacy filters are stopping rules for compositions that ensure a prescribed global privacy budget is not exceeded. It remains unclear whether optimal trade-off-function-based notions, such as $f$-DP, admit valid privacy filters under fully adaptive interaction. We show that the natural approach to defining an $f$-DP filter -- composing individual trade-off curves and stopping when the prescribed $f$-DP curve is crossed -- is fundamentally invalid. We characterise when and why this failure occurs, and establish necessary and sufficient conditions under which the natural filter is valid. Furthermore, we prove a fully adaptive central limit theorem for $f$-DP and construct an approximate Gaussian DP filter for subsampled Gaussian mechanisms at small sampling rates $q<0.2$ and large sampling rates $q>0.8$, yielding tighter privacy guarantees than filters based on Rényi DP in the same setting.
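An added illustration, not code from the paper: the natural filter specialised to Gaussian trade-off functions, the case the summary above states is valid under fully adaptive composition. The class and function names are hypothetical, and the squared-sum composition rule and the GDP-to-$(\varepsilon,\delta)$ conversion are the standard GDP results, assumed here rather than taken from this page.

```python
import math

def _phi(x):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def gdp_delta(mu, eps):
    """delta(eps) for a mu-GDP mechanism (standard GDP conversion)."""
    return _phi(-eps / mu + mu / 2.0) - math.exp(eps) * _phi(-eps / mu - mu / 2.0)

class GDPFilter:
    """Natural filter for Gaussian trade-off functions (hypothetical name).

    Composing mu_1-GDP, ..., mu_k-GDP gives sqrt(sum mu_i^2)-GDP, so the
    filter tracks the sum of squares and refuses any step that would take
    the composition past the budget curve.
    """
    def __init__(self, mu_budget):
        self.budget_sq = mu_budget ** 2
        self.spent_sq = 0.0
        self.halted = False

    def request(self, mu_step):
        """Charge the step and return True if it fits; otherwise halt for good."""
        if mu_step < 0 or not math.isfinite(mu_step):
            raise ValueError("mu_step must be a finite, non-negative number")
        # Strict comparison: floating-point ties are refused, which errs
        # on the side of spending less privacy budget.
        if self.halted or self.spent_sq + mu_step ** 2 > self.budget_sq:
            self.halted = True
            return False
        self.spent_sq += mu_step ** 2
        return True

    @property
    def mu_spent(self):
        return math.sqrt(self.spent_sq)

def run_adaptive(mu_budget, choose_mu, max_steps=1000):
    """Drive the filter with an adaptive rule choose_mu(history) -> next mu."""
    flt, history = GDPFilter(mu_budget), []
    for _ in range(max_steps):
        mu = choose_mu(history)  # may depend on everything released so far
        if not flt.request(mu):
            break
        history.append(mu)
    return flt, history
```

The step that would cross the budget is refused before it runs, so the released outputs never exceed the prescribed curve.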
