Amplification by sampling is a formal privacy enhancement where the privacy guarantee of a mechanism is strengthened because it is applied only to a randomly chosen subset of the data. This principle, formalized by theorems like privacy amplification by subsampling, proves that analyzing a random sample provides stronger protection (a smaller effective epsilon (ε)) than analyzing the entire dataset. In practice, this makes standard randomized operations like selecting a mini-batch in Stochastic Gradient Descent (SGD) a built-in privacy booster.
Glossary
Amplification by Sampling

What is Amplification by Sampling?
A core technique in privacy-preserving machine learning that strengthens a differential privacy guarantee by applying a mechanism to a random subset of data.
The technique is foundational to Differentially Private Stochastic Gradient Descent (DP-SGD) and federated learning, where training on a random subset of clients or data points each round inherently amplifies privacy. Correctly accounting for this amplification via privacy accounting methods like Rényi Differential Privacy (RDP) allows engineers to achieve a target privacy guarantee with less added noise, improving the utility of the final private model while maintaining rigorous client-level differential privacy guarantees.
Key Characteristics of Amplification by Sampling
Amplification by sampling is a cornerstone technique in privacy-preserving machine learning where the fundamental privacy guarantee of a mechanism is strengthened because it is applied only to a randomly selected subset of the data.
Core Mechanism: Subsampling
The technique's power originates from random subsampling. When a differentially private mechanism with parameters (ε, δ) is applied to a random sample of the dataset (e.g., a mini-batch in SGD), the effective privacy guarantee for the entire dataset is stronger than if the mechanism were applied to the full dataset. This is because an adversary's ability to infer the presence of any single data point is diluted by the randomness of the selection process.
- Formal Foundation: Governed by privacy amplification theorems.
- Typical Sampler: Poisson sampling, where each data point is included independently with probability
p, is commonly analyzed for clean theoretical bounds.
Quantitative Privacy Gain
The amplification effect is quantifiable. For a mechanism M satisfying (ε, δ)-DP applied to a Poisson sample with rate p, the subsampled mechanism often satisfies approximately (O(pε), pδ)-DP for small ε. This represents a linear reduction in the effective privacy parameter.
- Key Implication: Allows the use of a larger epsilon (ε) in the base mechanism while achieving a smaller effective epsilon overall, improving the utility-privacy trade-off.
- Example: A base DP-SGD step with ε=1.0 applied to a 5% sample (p=0.05) can yield an effective ε closer to 0.05 for that step, significantly strengthening the guarantee.
Integration with DP-SGD
Amplification by sampling is intrinsically linked to Differentially Private Stochastic Gradient Descent (DP-SGD), where it provides the primary source of privacy amplification.
- Standard Practice: In DP-SGD, each training step processes a randomly sampled mini-batch. The Gaussian mechanism is applied to the clipped gradients of this batch.
- Accounting: Advanced privacy accountants like the Moment Accountant or Rényi DP (RDP) framework are specifically designed to tightly track the amplified privacy cost across thousands of such subsampled steps.
- Result: Enables the training of deep neural networks with non-trivial privacy guarantees that would be infeasible if analyzing the full dataset every iteration.
Dependency on Sampling Rate
The degree of amplification is a direct function of the sampling probability p. A smaller p (a smaller batch size relative to the dataset) yields a stronger amplification effect.
- Trade-off: While a smaller
pimproves privacy, it can increase variance in the stochastic gradients, potentially slowing convergence or harming final model utility. - Hyperparameter Tuning: The batch size (which determines
p) becomes a critical hyperparameter balancing privacy, utility, and computational efficiency.
Distinction from Shuffling
While related, amplification by sampling is distinct from privacy amplification by shuffling. Both are powerful techniques, but they operate in different models:
- Sampling: Focuses on randomly selecting a subset of data before applying a private mechanism. Central to the central DP model (e.g., DP-SGD on a centralized dataset).
- Shuffling: Assumes local DP reports from many users are collected and then randomly permuted (shuffled) by a trusted shuffler before analysis. This shuffling can amplify weak local DP guarantees into stronger central DP-like guarantees.
- Federated Context: In cross-device federated learning, client sampling (selecting a random subset of devices each round) provides a form of client-level amplification.
Critical Role in Federated Learning
In Federated Learning (FL), amplification by sampling is operationalized through client sampling. Each training round selects a random subset of available devices/clients.
- Client-Level DP: This provides client-level differential privacy guarantees. The privacy assurance is that the participation (or data) of any single client is protected.
- DP-FedAvg: In algorithms like DP-FedAvg, client sampling is combined with local gradient/model update clipping and noisy aggregation on the server. The sampling amplification allows for less noise to be added per client while achieving the same overall privacy budget.
- System Constraint: Client sampling is often a necessity due to device availability and network constraints, making its privacy benefits a key advantage of the FL architecture.
Common Subsampling Methods for Privacy Amplification
Comparison of techniques that leverage random data selection to strengthen differential privacy guarantees in federated learning and centralized training.
| Mechanism | Poisson Subsampling | Uniform Subsampling (Shuffle) | Amplification via Shuffling |
|---|---|---|---|
Formal Name | Bernoulli/ Poisson Sampling | Uniform Sampling Without Replacement | Uniform Sampling with Secure Shuffler |
Core Principle | Each data point is independently included with probability γ (the sampling rate). | A fixed-size subset (batch) of m data points is selected uniformly at random from the total n. | Client reports are collected, randomly permuted by a trusted shuffler, then analyzed. |
Typical Application Context | DP-SGD in centralized training; client participation in federated rounds. | Mini-batch construction in centralized DP-SGD. | Federated analytics; local differential privacy (LDP) amplification. |
Privacy Amplification Factor (Approx.) | Effective ε ≈ γε (for pure DP). Provides O(γ) reduction. | Effective ε ≈ (m/n)ε (for pure DP). Provides O(m/n) reduction. | Can reduce ε from local-DP levels (e.g., ε_loc=10) to central-DP levels (e.g., ε_cent<1). |
Key Assumption for Amplification | Sampling must be independent and data-agnostic (public coin). | Batch size m is fixed and chosen independently of the data. | Requires a trusted shuffler that breaks the link between report and sender. |
Composition with DP-SGD | Native to DP-SGD; amplification is automatically accounted for via the moments accountant. | Applied per training step; accounted for in privacy budget composition. | Not directly part of SGD; used as a pre-processing step for LDP reports. |
Impact on Utility (Bias/Variance) | Introduces stochasticity but no systematic bias relative to full-batch. Standard in SGD. | No inherent bias. Variance depends on batch size m. | No direct impact on model utility; enables use of less noisy LDP mechanisms. |
Primary Reference / Theorem | Privacy amplification by subsampling (e.g., Theorem 4 in Abadi et al., 2016). | Amplification via uniform sampling (similar analysis to Poisson). | Amplification by shuffling (e.g., Bittau et al., 2017; Erlingsson et al., 2019). |
Frequently Asked Questions
Amplification by sampling is a privacy-enhancing technique where applying a mechanism to a random subset of data strengthens the formal privacy guarantee. This is a cornerstone of private federated learning and stochastic optimization.
Amplification by sampling is a phenomenon in differential privacy where the privacy guarantee of a mechanism is strengthened (or 'amplified') because it is applied only to a randomly chosen subset of the data, rather than the entire dataset. The core principle is that an adversary's ability to infer information about any single individual is reduced because that individual's data has only a probability of being included in the analyzed sample. This allows for the same overall privacy guarantee (ε, δ) to be achieved with less noise added per computation, improving the utility-privacy trade-off. It is formally described by privacy amplification theorems for subsampling.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
These foundational concepts define the mathematical and algorithmic context for privacy amplification by sampling within federated learning.
Differential Privacy (DP)
The formal mathematical framework for quantifying and bounding the privacy loss incurred when an individual's data is used in a computation. It provides a rigorous, worst-case guarantee that is immune to post-processing and robust against auxiliary information.
- Core Promise: The output distribution of an algorithm should be nearly indistinguishable whether any single individual's data is included or excluded.
- Parameters: Defined by (ε, δ), where ε (epsilon) bounds the multiplicative privacy loss and δ is a small probability of the guarantee failing.
Privacy Amplification
A general phenomenon where applying a differentially private mechanism to a randomly subsampled portion of a dataset yields a stronger privacy guarantee than if it were applied to the full dataset. The randomness of the sampling process itself provides an additional layer of uncertainty.
- Key Insight: Analyzing a 10% random sample with a given (ε, δ) can result in an effective privacy guarantee of (~ε/10, ~δ) for the full population.
- Formal Proofs: Established via privacy amplification by subsampling theorems, which are central to the analysis of DP-SGD and private federated averaging.
DP-SGD (Differentially Private SGD)
The canonical algorithm that operationalizes amplification by sampling for centralized model training. It modifies standard stochastic gradient descent to provide differential privacy.
- Mechanism: For each training step:
- Sample a random mini-batch.
- Clip the L2 norm of each per-example gradient.
- Add calibrated Gaussian noise to the averaged batch gradient.
- Amplification Link: The privacy cost is analyzed at the lot level (the sampled batch), not the example level, leveraging the subsampling probability for amplification.
Client-Level Differential Privacy
The specific granularity of protection in federated learning, where the privacy guarantee ensures the participation of any single client (device or user) cannot be reliably inferred from the final model or aggregated updates.
- Distinction: Protects the entire local dataset of a client as a single unit, rather than individual data points within it.
- Amplification by Sampling: In federated learning, client sampling (selecting a random subset of devices per round) provides client-level privacy amplification, analogous to example-level subsampling in DP-SGD.
Rényi Differential Privacy (RDP)
A variant of differential privacy defined using Rényi divergence. It often provides tighter, more composable privacy loss accounting for iterative algorithms like DP-SGD and DP-FedAvg, making it the preferred analytical tool for amplification analyses.
- Advantage: RDP parameters compose linearly and cleanly, allowing for precise tracking of privacy loss across many training rounds.
- Workflow: Mechanisms are often first analyzed and composed in the RDP framework, then converted to a final (ε, δ)-DP guarantee for interpretation.
Moment Accountant
An advanced privacy accounting method used to compute tight overall (ε, δ) bounds for compositions of Gaussian-based mechanisms, such as those in DP-SGD. It tracks a bound on the moments (log moments) of the privacy loss random variable.
- Role in Amplification: The moment accountant is specifically designed to tightly bound the privacy cost of subsampled Gaussian mechanisms, making it the standard tool for quantifying the amplification-by-sampling benefit in iterative training.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us