Sequential Auditing for f-Differential Privacy

2026-06-18 · Source: stat.ML updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, extended

Summary

New sequential auditors for f-Differential Privacy (f-DP) are introduced, addressing limitations of traditional (ε,δ)-DP auditing. These auditors adaptively determine a near-optimal number of samples, avoiding the excessively large sample sizes common in prior work. This significantly reduces sampling costs, which is particularly beneficial for expensive training procedures such as DP-SGD. The method supports both whitebox and blackbox settings, detecting privacy violations across the full privacy spectrum with statistical significance guarantees, supported by theory and simulations. Experiments demonstrate that this approach detects privacy violations much faster and with significantly smaller sample sizes than prior fixed-batch and existing sequential (ε,δ)-DP methods, while maintaining the prescribed significance level.

Key takeaway

For MLOps engineers deploying differentially private models, this sequential f-DP auditing method offers a critical advantage. You can now verify privacy guarantees more efficiently, drastically reducing the computational cost and sample sizes needed, especially for DP-SGD. This allows for faster detection of privacy violations and more practical integration into continuous integration/continuous deployment pipelines, ensuring robust privacy assurance without excessive resource expenditure.

Key insights

Sequential f-DP auditors adaptively determine sample sizes, significantly reducing auditing costs and improving privacy violation detection.

Principles

• f-DP offers a more expressive privacy notion than (ε,δ)-DP, charting the entire (ε,δ) spectrum.
• Adaptive sequential auditing avoids fixed-sample size issues, which often lead to oversampling.
• Optimal classifiers for f-DP can be derived from the Neyman-Pearson Lemma.

Method

The sequential auditing procedure (APT) adaptively determines sample size by continuously evaluating statistical hypothesis tests. It uses optimal classifiers, instantiated via kernel density estimation for blackbox settings or parametric models (e.g., Gaussian) for whitebox, with a 45°-based Likelihood Ratio tuning for optimal threshold selection.

In practice

• Apply sequential f-DP auditing to mechanisms like Gaussian, Laplace, and DP-SGD.
• Use kernel density estimation for blackbox scenarios or parametric models for whitebox.
• Integrate into one-run DP-SGD auditing paradigms using canary methodology.

Topics

• f-Differential Privacy
• Privacy Auditing
• Sequential Hypothesis Testing
• DP-SGD
• Blackbox Auditing
• Whitebox Auditing

Best for: Research Scientist, AI Scientist, MLOps Engineer, AI Security Engineer

Related on AIssential

• Let's Ask Gauss: Improved One-Run Privacy Auditing — A Gaussian distribution perspective on canary signals yields tighter privacy bounds in one-run DP auditing.
• DP-CDA: An Algorithm for Enhanced Privacy Preservation in Dataset Synthesis Through Randomized Mixing — DP-CDA generates privacy-preserving synthetic datasets by class-specific random mixing and Gaussian noise, optimizing utility and privacy.
• Differentially Private Model Merging — Merge existing differentially private models to meet dynamic privacy requirements without retraining.
• Phantoms and Disclosures: a Causal Framework for Auditing Synthetic Data — The framework distinguishes true from phantom data disclosures in synthetic data using statistical testing, requiring no model access.
• Benchmarking Empirical Privacy Protection for Adaptations of Large Language Models — Distribution shifts critically impact practical privacy in differentially private LLM adaptations, often undermining theoretical guarantees.
• Revisiting Privacy Amplification by Subsampling in Selective Release DPSGD — DPSR-CG rigorously re-evaluates privacy accounting for selective release in DPSGD to achieve high utility with strict guarantees.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by stat.ML updates on arXiv.org.