
Understanding Disclosure Risk in Differential Privacy with Applications to Noise Calibration and Auditing (Extended Version)

Patricia Guerra-Balboa, Annika Sauer, Héber H. Arcolezi, Thorsten Strufe

Abstract

Differential Privacy (DP) is widely adopted in data management systems to enable data sharing with formal disclosure guarantees. A central systems challenge is understanding how DP noise translates into effective protection against inference attacks, since this directly determines achievable utility. Most existing analyses focus only on membership inference -- capturing only a threat -- or rely on reconstruction robustness (ReRo). However, under realistic assumptions, we show that ReRo can yield misleading risk estimates and violate claimed bounds, limiting their usefulness for principled DP calibration and auditing. This paper introduces reconstruction advantage, a unified risk metric that consistently captures risk across membership inference, attribute inference, and data reconstruction. We derive tight bounds that relate DP noise to adversarial advantage and characterize optimal adversarial strategies for arbitrary DP mechanisms and attacker knowledge. These results enable risk-driven noise calibration and provide a foundation for systematic DP auditing. We show that reconstruction advantage improves the accuracy and scope of DP auditing and enables more effective utility-privacy trade-offs in DP-enabled data management systems.

Paper Structure (21 sections, 9 theorems, 170 equations, 11 figures, 3 tables, 2 algorithms)

Key Result

theorem 1

Let $(\Z,\mathcal{B}(\Z))$ and $(\X,\mathcal{B}(\X))$ be standard Borel spaces and $(\Z,\mathcal{B}(\Z),\mu)$ be a probability space. Let $a: \Z \to \X$ be a measurable map. Denote by $\nu = \mu \circ a^{-1}$ the push-forward measure of $\mu$ through $a$. Then there exists a $\nu$-almost everywhere

Figures (11)

  • Figure 1: \ref{th:optimal_bound} bound for different DP mechanisms with $|\Z| = 11$, $aux=\{\varnothing\}$ and a uniform prior. Importantly, for the same $\varepsilon$, each mechanism offers different levels of attack mitigation, highlighting the need for RAD analysis as a complementary tool to traditional privacy parameters. Moreover, in all cases, we observe that the bound in \ref{th:optimal_bound} improves upon \ref{th:dp_implies_aux-urero}.
  • Figure 2: Upper bound on the Laplace mechanism query error (utility) at $95\%$ confidence when the noise is calibrated using ReRo vs. RAD. We see that for the same risk estimation, calibrating with RAD improves utility.
  • Figure 3: Comparison of black-box bounds for $0$-RAD without auxiliary knowledge, $\pi = U[10]$ and $\delta = 10^{-5}$. The bound given in \ref{prop:dp_implies_urero} is more general and applies in any setting. In contrast, \ref{th:perfect_reco_bb} is specific to categorical data but provides a tighter risk estimate when applicable. Finally, if the mechanism is known (here, OUE), it is always preferable to use the tighter bound provided by \ref{th:optimal_bound}.
  • Figure 4: RAD vs. ReRo results for optimal attacks against DP-SGD on MNIST. Lines show theoretical bounds and markers show empirical risk as estimated by RAD/ReRo. Empirical results exceed the bounds estimated by ReRo, whereas our RAD bounds remain close to the true risk. Moreover, while ReRo sharply increases when auxiliary knowledge is available, RAD effectively discounts imputation.
  • Figure 5: RAD vs. ReRo results for optimal attacks against DP-SGD on Fashion. Lines show theoretical bounds and markers show empirical risk as estimated by RAD/ReRo. Both ReRo and RAD show a consistent behavior with respect to the MNIST dataset.
  • ...and 6 more figures

Theorems & Definitions (23)

  • definition 1: dwork2006calibrating
  • definition 2: Adapted from Yeom2017Privacy
  • definition 3: ReRo Balle2022Reconstructing
  • definition 4: Kifer2022Bayesian
  • definition 5
  • theorem 1: Disintegration Theorem baccelli24random
  • definition 6: $\eta$-RAD
  • theorem 2: $(\varepsilon, \delta)$-DP implies $\eta$-RAD
  • proof
  • theorem 3
  • ...and 13 more