Inferensys

Glossary

Central Differential Privacy

Central differential privacy is a privacy model where a trusted curator holds the raw dataset and applies calibrated noise to query outputs before release, providing formal guarantees against individual re-identification.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
DEFINITION

What is Central Differential Privacy?

Central differential privacy is the canonical model of differential privacy where a trusted data curator applies a privacy mechanism to a centralized dataset before releasing any query results or aggregated statistics.

Central differential privacy is a data analysis framework where a single, trusted entity (the curator) holds the complete raw dataset. To answer queries or release statistics, the curator applies a differentially private mechanism—such as the Laplace or Gaussian mechanism—that adds calibrated random noise. This model provides a formal, mathematical guarantee that the presence or absence of any single individual's data in the dataset cannot be significantly inferred from the released output, thereby protecting individual privacy while enabling useful aggregate analysis.

This trusted curator model contrasts with local differential privacy, where individuals perturb their own data before sharing it. Central DP is foundational for scenarios like government census data release or corporate analytics on centralized data warehouses, where the curator can carefully manage a global privacy budget (ε, δ). The strength of the guarantee depends on the sensitivity of the query and the scale of the added noise, with mechanisms enjoying post-processing immunity, meaning further analysis of the private output does not degrade the guarantee.

DIFFERENTIAL PRIVACY

Core Characteristics of the Central Model

Central differential privacy operates under a trusted curator model, where raw data is centralized and privacy is enforced before any aggregated results are released. This contrasts with local models where data is perturbed at the source.

01

Trusted Curator Assumption

The trusted curator (or server) is a central entity that holds the complete, raw dataset. This model assumes the curator will faithfully apply the differentially private mechanism before releasing any query results, statistics, or trained models. The trust is placed in the curator's execution of the algorithm, not in its discretion over the raw data.

  • Key Implication: Data contributors must trust the curator with their sensitive information, as privacy is applied post-collection.
  • Contrast with LDP: In local differential privacy, no entity ever sees the raw data, as perturbation happens on the client device.
02

Post-Collection Privacy

Privacy mechanisms are applied after data has been collected and centralized. The curator computes the true answer to a query (e.g., an average, sum, or model gradient) and then injects calibrated noise to the result before release.

  • Mechanism Workflow: 1) Receive raw data → 2) Compute exact aggregate → 3) Calculate sensitivity → 4) Add noise (e.g., Laplace, Gaussian) → 5) Release noised result.
  • Advantage: This allows for much higher utility (accuracy) for the same privacy budget (ε) compared to local models, as noise is added only once to the aggregate, not to each individual data point.
03

Formal (ε, δ) Guarantee

The model provides a rigorous, mathematical guarantee. For any two adjacent datasets (differing by one individual's data), the probability distribution of the mechanism's output is nearly identical.

  • Pure DP (ε-DP): Uses the Laplace Mechanism. Guarantees that the log-likelihood ratio of any output is bounded by ε.
  • Approximate DP ((ε, δ)-DP): Uses the Gaussian Mechanism. Allows a small probability δ (e.g., 1e-5) of the ε guarantee failing, which enables adding less noise for complex functions like gradient descent.
  • Interpretation: A smaller ε means stronger privacy; δ should be cryptographically small (<< 1/n).
04

Global Sensitivity Bound

The amount of noise added is proportional to the global sensitivity of the query function. Sensitivity measures the maximum possible change in the query's output when a single individual's data is added or removed.

  • L1 Sensitivity (Δf): Used for the Laplace Mechanism. Δf = max ||f(D) - f(D')||₁.
  • L2 Sensitivity (Δ₂f): Used for the Gaussian Mechanism. Δ₂f = max ||f(D) - f(D')||₂.
  • Example: For a counting query ("how many patients have condition X?"), the sensitivity is 1. For an average, sensitivity depends on the data's bounded range.
05

Composition & Budget Management

Multiple queries consume a cumulative privacy budget. The curator must track total privacy loss using composition theorems.

  • Basic Composition: Sequential queries have additive ε (ε_total = ε₁ + ε₂ + ...).
  • Advanced Composition: Provides tighter bounds, allowing for more queries. Rényi DP (RDP) and zCDP are modern accounting methods used for iterative algorithms like DP-SGD.
  • Privacy Accounting: A critical subsystem that tracks consumed (ε, δ) to ensure the total never exceeds a pre-defined budget, after which the data cannot be queried further.
06

Post-Processing Immunity

A foundational property: any analysis performed on the output of a differentially private mechanism cannot weaken its privacy guarantee. If M(D) is (ε, δ)-DP, then for any function g (deterministic or randomized), g(M(D)) is also (ε, δ)-DP.

  • Practical Consequence: Allows safe downstream use of private outputs. A private aggregate can be further analyzed, transformed, or used as input to another process without requiring new privacy calculations.
  • Limitation: Immunity only holds if no additional information about the raw dataset is used. Combining a private output with external non-private data is allowed but doesn't retroactively privatize the external data.
ARCHITECTURAL COMPARISON

Central vs. Local Differential Privacy

A comparison of the two primary trust models for deploying differential privacy, focusing on their application in federated learning and data analysis.

FeatureCentral Differential Privacy (CDP)Local Differential Privacy (LDP)

Trust Model

Trusted central curator (server)

No trusted curator; trust is distributed to clients

Data Perturbation Point

After raw data is collected at the curator

At each individual client device before data leaves

Primary Privacy Guarantee

Protects an individual's record within the central dataset

Protects an individual's data from the curator itself

Typical Noise Addition

Once, to the aggregated query result or model update

Per client, to each individual data point or local update

Aggregate Data Utility

Higher; noise is added once to the aggregate

Lower; noise per client compounds in the aggregate

Communication Overhead

Standard; clients may send raw or clipped updates

Higher; clients must send noised data, often requiring more rounds

Client-Side Computation

Lower; may involve clipping but not necessarily noising

Higher; each client must run the privacy mechanism

Resilience to Server Breach

Low; server holds raw or minimally processed sensitive data

High; server only ever receives pre-noised data

Common Federated Learning Use

DP-FedAvg: Server adds noise after secure aggregation

Direct application: Clients add noise to updates before sending

CENTRAL DIFFERENTIAL PRIVACY

Frequently Asked Questions

Central differential privacy is the canonical model for formal privacy guarantees, where a trusted curator applies noise to query results. These FAQs address its core mechanisms, applications, and distinctions from other privacy paradigms.

Central differential privacy (central DP) is a data privacy model where a trusted curator holds a raw dataset and applies a calibrated noise mechanism to the results of queries or aggregated statistics before releasing them, thereby mathematically limiting the ability to infer any single individual's data. It works by first defining a sensitivity—the maximum change a single data point can cause in a query's output. A privacy mechanism, such as the Laplace mechanism or Gaussian mechanism, then adds random noise scaled to this sensitivity and a chosen privacy budget (ε, δ). For example, to privately compute the average age in a dataset, the curator calculates the true average, determines the sensitivity (how much one person's age can change the average), and adds Laplace noise proportional to that sensitivity divided by ε. This process guarantees that the presence or absence of any individual's record does not significantly change the probability distribution of the released result.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.