Inferensys

Glossary

Amplification by Sampling

Amplification by sampling is a differential privacy technique where applying a mechanism to a randomly chosen subset of data, such as a mini-batch, results in a stronger privacy guarantee than if applied to the full dataset.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
DIFFERENTIAL PRIVACY

What is Amplification by Sampling?

A core technique in privacy-preserving machine learning that strengthens a differential privacy guarantee by applying a mechanism to a random subset of data.

Amplification by sampling is a formal privacy enhancement where the privacy guarantee of a mechanism is strengthened because it is applied only to a randomly chosen subset of the data. This principle, formalized by theorems like privacy amplification by subsampling, proves that analyzing a random sample provides stronger protection (a smaller effective epsilon (ε)) than analyzing the entire dataset. In practice, this makes standard randomized operations like selecting a mini-batch in Stochastic Gradient Descent (SGD) a built-in privacy booster.

The technique is foundational to Differentially Private Stochastic Gradient Descent (DP-SGD) and federated learning, where training on a random subset of clients or data points each round inherently amplifies privacy. Correctly accounting for this amplification via privacy accounting methods like Rényi Differential Privacy (RDP) allows engineers to achieve a target privacy guarantee with less added noise, improving the utility of the final private model while maintaining rigorous client-level differential privacy guarantees.

PRIVACY AMPLIFICATION

Key Characteristics of Amplification by Sampling

Amplification by sampling is a cornerstone technique in privacy-preserving machine learning where the fundamental privacy guarantee of a mechanism is strengthened because it is applied only to a randomly selected subset of the data.

01

Core Mechanism: Subsampling

The technique's power originates from random subsampling. When a differentially private mechanism with parameters (ε, δ) is applied to a random sample of the dataset (e.g., a mini-batch in SGD), the effective privacy guarantee for the entire dataset is stronger than if the mechanism were applied to the full dataset. This is because an adversary's ability to infer the presence of any single data point is diluted by the randomness of the selection process.

  • Formal Foundation: Governed by privacy amplification theorems.
  • Typical Sampler: Poisson sampling, where each data point is included independently with probability p, is commonly analyzed for clean theoretical bounds.
02

Quantitative Privacy Gain

The amplification effect is quantifiable. For a mechanism M satisfying (ε, δ)-DP applied to a Poisson sample with rate p, the subsampled mechanism often satisfies approximately (O(pε), pδ)-DP for small ε. This represents a linear reduction in the effective privacy parameter.

  • Key Implication: Allows the use of a larger epsilon (ε) in the base mechanism while achieving a smaller effective epsilon overall, improving the utility-privacy trade-off.
  • Example: A base DP-SGD step with ε=1.0 applied to a 5% sample (p=0.05) can yield an effective ε closer to 0.05 for that step, significantly strengthening the guarantee.
03

Integration with DP-SGD

Amplification by sampling is intrinsically linked to Differentially Private Stochastic Gradient Descent (DP-SGD), where it provides the primary source of privacy amplification.

  • Standard Practice: In DP-SGD, each training step processes a randomly sampled mini-batch. The Gaussian mechanism is applied to the clipped gradients of this batch.
  • Accounting: Advanced privacy accountants like the Moment Accountant or Rényi DP (RDP) framework are specifically designed to tightly track the amplified privacy cost across thousands of such subsampled steps.
  • Result: Enables the training of deep neural networks with non-trivial privacy guarantees that would be infeasible if analyzing the full dataset every iteration.
04

Dependency on Sampling Rate

The degree of amplification is a direct function of the sampling probability p. A smaller p (a smaller batch size relative to the dataset) yields a stronger amplification effect.

  • Trade-off: While a smaller p improves privacy, it can increase variance in the stochastic gradients, potentially slowing convergence or harming final model utility.
  • Hyperparameter Tuning: The batch size (which determines p) becomes a critical hyperparameter balancing privacy, utility, and computational efficiency.
05

Distinction from Shuffling

While related, amplification by sampling is distinct from privacy amplification by shuffling. Both are powerful techniques, but they operate in different models:

  • Sampling: Focuses on randomly selecting a subset of data before applying a private mechanism. Central to the central DP model (e.g., DP-SGD on a centralized dataset).
  • Shuffling: Assumes local DP reports from many users are collected and then randomly permuted (shuffled) by a trusted shuffler before analysis. This shuffling can amplify weak local DP guarantees into stronger central DP-like guarantees.
  • Federated Context: In cross-device federated learning, client sampling (selecting a random subset of devices each round) provides a form of client-level amplification.
06

Critical Role in Federated Learning

In Federated Learning (FL), amplification by sampling is operationalized through client sampling. Each training round selects a random subset of available devices/clients.

  • Client-Level DP: This provides client-level differential privacy guarantees. The privacy assurance is that the participation (or data) of any single client is protected.
  • DP-FedAvg: In algorithms like DP-FedAvg, client sampling is combined with local gradient/model update clipping and noisy aggregation on the server. The sampling amplification allows for less noise to be added per client while achieving the same overall privacy budget.
  • System Constraint: Client sampling is often a necessity due to device availability and network constraints, making its privacy benefits a key advantage of the FL architecture.
PRIVACY AMPLIFICATION MECHANISMS

Common Subsampling Methods for Privacy Amplification

Comparison of techniques that leverage random data selection to strengthen differential privacy guarantees in federated learning and centralized training.

MechanismPoisson SubsamplingUniform Subsampling (Shuffle)Amplification via Shuffling

Formal Name

Bernoulli/ Poisson Sampling

Uniform Sampling Without Replacement

Uniform Sampling with Secure Shuffler

Core Principle

Each data point is independently included with probability γ (the sampling rate).

A fixed-size subset (batch) of m data points is selected uniformly at random from the total n.

Client reports are collected, randomly permuted by a trusted shuffler, then analyzed.

Typical Application Context

DP-SGD in centralized training; client participation in federated rounds.

Mini-batch construction in centralized DP-SGD.

Federated analytics; local differential privacy (LDP) amplification.

Privacy Amplification Factor (Approx.)

Effective ε ≈ γε (for pure DP). Provides O(γ) reduction.

Effective ε ≈ (m/n)ε (for pure DP). Provides O(m/n) reduction.

Can reduce ε from local-DP levels (e.g., ε_loc=10) to central-DP levels (e.g., ε_cent<1).

Key Assumption for Amplification

Sampling must be independent and data-agnostic (public coin).

Batch size m is fixed and chosen independently of the data.

Requires a trusted shuffler that breaks the link between report and sender.

Composition with DP-SGD

Native to DP-SGD; amplification is automatically accounted for via the moments accountant.

Applied per training step; accounted for in privacy budget composition.

Not directly part of SGD; used as a pre-processing step for LDP reports.

Impact on Utility (Bias/Variance)

Introduces stochasticity but no systematic bias relative to full-batch. Standard in SGD.

No inherent bias. Variance depends on batch size m.

No direct impact on model utility; enables use of less noisy LDP mechanisms.

Primary Reference / Theorem

Privacy amplification by subsampling (e.g., Theorem 4 in Abadi et al., 2016).

Amplification via uniform sampling (similar analysis to Poisson).

Amplification by shuffling (e.g., Bittau et al., 2017; Erlingsson et al., 2019).

AMPLIFICATION BY SAMPLING

Frequently Asked Questions

Amplification by sampling is a privacy-enhancing technique where applying a mechanism to a random subset of data strengthens the formal privacy guarantee. This is a cornerstone of private federated learning and stochastic optimization.

Amplification by sampling is a phenomenon in differential privacy where the privacy guarantee of a mechanism is strengthened (or 'amplified') because it is applied only to a randomly chosen subset of the data, rather than the entire dataset. The core principle is that an adversary's ability to infer information about any single individual is reduced because that individual's data has only a probability of being included in the analyzed sample. This allows for the same overall privacy guarantee (ε, δ) to be achieved with less noise added per computation, improving the utility-privacy trade-off. It is formally described by privacy amplification theorems for subsampling.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.