Inferensys

Glossary

Differential Privacy (DP)

A rigorous mathematical framework providing formal privacy guarantees by ensuring any single individual's data has negligible effect on a model's output.
Governance lead reviewing model governance framework on laptop, policy documents visible, executive office setup.
PRIVACY-PRESERVING MACHINE LEARNING

What is Differential Privacy (DP)?

Differential privacy (DP) is a rigorous mathematical framework that provides formal, quantifiable privacy guarantees for data analysis and machine learning.

Differential privacy (DP) is a formal mathematical definition of privacy that ensures the output of a computation (e.g., a statistical query or a trained machine learning model) is statistically indistinguishable whether any single individual's data is included or excluded from the input dataset. This is achieved by carefully injecting calibrated random noise into the computation process, which masks the contribution of any one record. The strength of the guarantee is controlled by a privacy budget (ε, delta), where smaller values indicate stronger privacy but often at the cost of reduced data utility or model accuracy.

In federated learning, DP is applied to the model updates (gradients) sent from client devices to the aggregation server. This provides a defense-in-depth layer against privacy attacks, such as membership inference or model inversion, even if the secure aggregation protocol is compromised. The core challenge is managing the utility-privacy trade-off: adding sufficient noise to guarantee privacy while preserving enough signal for the global model to converge effectively. Common mechanisms include the Gaussian and Laplace noise mechanisms, often applied with privacy amplification techniques like subsampling to tighten the bound.

FEDERATED MODEL EVALUATION METRICS

Core Mechanisms of Differential Privacy

Differential Privacy (DP) is a mathematical framework that provides formal guarantees by ensuring the output of an algorithm is statistically indistinguishable regardless of any single individual's data being included or excluded from the input dataset.

01

The Privacy Budget (ε)

The epsilon (ε) parameter is the core privacy budget that quantifies the maximum allowable privacy loss. It defines the strength of the guarantee: a smaller ε provides stronger privacy but typically reduces the utility (accuracy) of the model's output. The formal definition ensures that for any two adjacent datasets (differing by one record), the probability of any output is within a multiplicative factor of e^ε.

  • Example: A common ε value for research is 1.0 or 8.0. Deployments in highly sensitive domains like healthcare may use ε < 1.0.
  • Trade-off: This creates the fundamental utility-privacy trade-off. Tuning ε is critical for balancing acceptable accuracy with rigorous privacy protection.
02

The Laplace Mechanism

The Laplace Mechanism is a fundamental algorithm for achieving differential privacy for numerical queries (e.g., calculating an average or sum). It works by adding carefully calibrated noise drawn from a Laplace distribution to the true query result. The scale of the noise is proportional to the sensitivity of the query (the maximum change the query can have when one record changes) divided by ε.

  • Key Formula: Noisy Output = True Query Result + Laplace(Δf / ε)
  • Sensitivity (Δf): For a counting query, Δf = 1. For an average, sensitivity depends on the data bounds.
  • Use Case: Adding private noise to aggregated model update statistics (e.g., gradients or weights) in federated learning.
03

The Gaussian Mechanism

The Gaussian Mechanism is an alternative to the Laplace mechanism that adds noise drawn from a Gaussian (normal) distribution. It is often preferred in machine learning contexts, particularly for high-dimensional data like gradients, because the noise characteristics can be more favorable for optimization. It requires defining an additional parameter, delta (δ), which represents a small probability of privacy guarantee failure.

  • Key Difference: Provides (ε, δ)-differential privacy, a slightly relaxed guarantee compared to pure ε-DP.
  • Use Case: The standard mechanism for implementing Differentially Private Stochastic Gradient Descent (DP-SGD), where Gaussian noise is added to clipped gradients during model training.
04

Local vs. Central Differential Privacy

This distinction defines where the privacy mechanism is applied in a data pipeline.

  • Local Differential Privacy (LDP): Each data owner perturbs their own data before sending it to the aggregator. This provides a strong trust model—the aggregator never sees raw data—but requires more noise per individual, reducing aggregate utility. Used in scenarios like Google's RAPPOR for browser data collection.
  • Central Differential Privacy (CDP): A trusted curator holds the raw dataset and applies the privacy mechanism before releasing query results or a model. This allows for less noise overall (better utility) but requires trusting the central entity. Federated learning with secure aggregation can be viewed as a pathway to emulate a trusted curator.
05

Composition Theorems

Composition rules are essential for analyzing the total privacy cost of a complex algorithm that makes multiple queries to the data. They dictate how the privacy budgets (ε) accumulate.

  • Sequential Composition: If you perform k DP mechanisms, each with privacy parameters (ε_i), the total privacy cost is the sum of the ε_i. This is a conservative bound.
  • Advanced Composition: Provides a tighter (more favorable) bound for the composition of many mechanisms, especially the Gaussian mechanism, often scaling with the square root of the number of steps.
  • Importance: These theorems enable the privacy accounting for iterative algorithms like DP-SGD, where gradients are queried in thousands of training steps. Tools like Google's TensorFlow Privacy and Opacus perform automatic composition accounting.
06

Differentially Private SGD (DP-SGD)

DP-SGD is the canonical algorithm for training deep learning models with differential privacy. It modifies standard SGD with three key steps:

  1. Per-Sample Gradient Clipping: The gradient for each individual training example is clipped to a maximum L2 norm. This bounds the sensitivity (Δf).
  2. Noise Addition: Gaussian noise is added to the average of the clipped gradients for the batch.
  3. Privacy Accounting: The privacy cost (ε, δ) is meticulously tracked across all training steps using composition theorems.
  • Impact: This ensures the final model parameters do not reveal specifics about any individual training example.
  • Federated Learning Link: In federated learning, DP-SGD can be applied locally on client devices before updates are sent, or centrally to the aggregated update on the server.
MECHANISM

How DP Works in Federated Learning

Differential Privacy (DP) is integrated into federated learning to provide formal, mathematical guarantees that individual client data cannot be inferred from the shared model updates.

In federated learning, Differential Privacy (DP) is typically applied by adding calibrated noise to the local model updates (gradients) before they are sent to the aggregation server. This process, known as the Client-DP or Local-DP approach, ensures that the contribution of any single user's data point is statistically obscured within the aggregate. The amount of noise is controlled by a privacy budget (ε, delta), which quantifies the maximum allowable privacy loss. A smaller ε provides stronger privacy but reduces model utility, creating the core privacy-utility trade-off.

The server performs secure aggregation on these noised updates, summing them to compute a new global model. Because the noise is added locally before any data leaves the device, the central server never sees clean updates, providing a strong privacy boundary. This mechanism formally guarantees that an adversary with access to the aggregated model cannot determine with high confidence whether any specific individual's data was used in training. The DP-SGD algorithm is a common foundation, adapted for the federated setting to clip gradient norms and add Gaussian or Laplacian noise.

DIFFERENTIAL PRIVACY CORE CONCEPTS

Key DP Parameters: Epsilon (ε) vs. Delta (δ)

A comparison of the two fundamental parameters that define the formal privacy guarantees in a differential privacy mechanism.

ParameterEpsilon (ε)Delta (δ)

Primary Role

Privacy Loss Bound

Probability of Failure

Mathematical Definition

Bounds the multiplicative change in the probability of any output.

Bounds the additive probability of a complete privacy failure.

Interpretation

Quantifies the maximum allowable privacy leakage. A smaller ε means stronger privacy.

Quantifies the probability the ε guarantee is broken. Often interpreted as the risk of catastrophic failure.

Typical Values

ε < 10 for strong privacy; ε < 1 for very strong privacy.

δ should be cryptographically small, e.g., δ << 1/n, where n is the dataset size. Often set to 1e-5 or 1e-6.

Impact on Utility

Inversely proportional. Lower ε (stronger privacy) requires more noise, reducing model accuracy/utility.

Minimal direct impact on utility for cryptographically small δ. Larger δ can allow for less noise but is unsafe.

Mechanism Type

Defines (ε,0)-Differential Privacy (Pure DP).

Required for (ε,δ)-Differential Privacy (Approximate DP). A non-zero δ relaxes the pure guarantee.

Common Use Case

Required for strong, composable privacy guarantees where any failure is unacceptable.

Essential for enabling key mechanisms like the Gaussian mechanism, which is more analytically tractable than the Laplace mechanism for high-dimensional queries.

Risk Analogy

Controls how much an observer can learn about an individual from the output.

Controls the probability of a "catastrophic" leak where the observer learns everything about an individual.

DIFFERENTIAL PRIVACY (DP)

Frequently Asked Questions

Differential privacy (DP) is a rigorous mathematical framework that provides formal privacy guarantees by ensuring the inclusion or exclusion of any single individual's data in the training set has a negligible effect on the model's output. This section addresses common questions about its mechanisms, applications, and trade-offs.

Differential privacy (DP) is a mathematical framework that provides a formal, quantifiable guarantee of privacy by ensuring the output of a computation (like a model update or query) is statistically indistinguishable regardless of whether any single individual's data is included in the input dataset. It works by injecting carefully calibrated random noise into the computation process. The core mechanism involves a randomized algorithm M that, for any two adjacent datasets D and D' differing by at most one record, satisfies Pr[M(D) ∈ S] ≤ e^ε * Pr[M(D') ∈ S] + δ. This ensures the probability of any output is nearly the same, making it infeasible to infer the presence or absence of any specific individual. In federated learning, DP is typically applied by clients adding noise to their local model updates before sending them to the server for secure aggregation.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.