(ε, δ)-Differential Privacy is an approximate relaxation of pure ε-differential privacy that guarantees a randomized mechanism M satisfies Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S] + δ for all neighboring datasets D, D' and output sets S. The parameter δ represents a small, typically cryptographically negligible, failure probability that allows the privacy guarantee to be violated with probability at most δ, trading a minor relaxation of the strict ε bound for significantly improved utility and enabling mechanisms like the Gaussian mechanism.
Glossary
(ε, δ)-Differential Privacy

What is (ε, δ)-Differential Privacy?
A relaxation of pure ε-differential privacy that introduces a small failure probability δ, enabling more efficient mechanisms like the Gaussian mechanism.
This formulation addresses the limitations of pure ε-DP by permitting advanced composition theorems and tighter privacy accounting, such as the Moments Accountant, which tracks higher-order moments of the privacy loss random variable. The δ parameter is typically chosen to be much smaller than 1/N, where N is the dataset size, ensuring that the probability of catastrophic privacy failure remains negligible. This framework underpins the DP-SGD training algorithm and is the de facto standard for deep learning with differential privacy.
Core Properties of (ε, δ)-DP
The fundamental mathematical properties that define how (ε, δ)-differential privacy relaxes pure ε-DP to enable more efficient mechanisms while maintaining strong, quantifiable privacy guarantees.
The Failure Probability δ
The parameter δ represents a small probability that the pure ε-DP guarantee is violated. Formally, for neighboring datasets D and D', a mechanism M satisfies (ε, δ)-DP if: Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S] + δ for all output sets S.
- δ is typically chosen to be cryptographically small (e.g., 10^-5 or smaller)
- δ should be much smaller than 1/N, where N is the dataset size
- This relaxation enables the Gaussian mechanism, which is impossible under pure ε-DP
- The failure event is not a catastrophic privacy breach but a bounded relaxation of the multiplicative bound
Group Privacy
A fundamental property extending the guarantee to groups of k records. If a mechanism is (ε, δ)-DP for single-record changes, it provides (kε, k·e^{(k-1)ε}·δ)-DP for groups of size k.
- Privacy degrades linearly in ε but exponentially in δ for group size
- Critical for understanding protection when an individual contributes multiple records
- Contrasts with pure ε-DP where group privacy is simply kε-DP
- The exponential blowup in δ motivates keeping δ extremely small in practice
Advanced Composition
The Advanced Composition Theorem provides a tighter bound on cumulative privacy loss when applying k mechanisms sequentially. For k-fold adaptive composition of (ε, δ)-DP mechanisms, the total guarantee is approximately (ε_total, δ_total)-DP where:
- ε_total ≈ √(2k ln(1/δ')) · ε + kε(e^ε - 1)
- δ_total = kδ + δ' (for any chosen δ' > 0)
- The √k dependence on ε is a dramatic improvement over the naive kε bound
- This is the theoretical foundation enabling DP-SGD to train over thousands of iterations
Post-Processing Immunity
Any arbitrary computation applied to the output of an (ε, δ)-DP mechanism cannot weaken the privacy guarantee. This property is inherited directly from pure ε-DP.
- An adversary with unlimited auxiliary information gains no advantage from post-processing
- Enables safe publishing of DP-protected statistics for arbitrary downstream analysis
- Critical for differentially private synthetic data: once generated, the data can be used freely
- Contrasts with anonymization techniques like k-anonymity, which are vulnerable to linkage attacks
Privacy Loss Random Variable
The privacy loss incurred by observing output y from mechanism M on neighboring datasets D and D' is defined as: L = ln(Pr[M(D)=y] / Pr[M(D')=y]).
- (ε, δ)-DP guarantees that |L| ≤ ε holds with probability at least 1 - δ
- The privacy loss distribution can have heavy tails, which δ accounts for
- This formulation connects to concentrated DP and Rényi DP
- Understanding the loss distribution is essential for privacy accounting and moments accountant techniques
Gaussian Mechanism Calibration
The Gaussian mechanism achieves (ε, δ)-DP by adding noise with standard deviation σ = (Δ₂f · √(2 ln(1.25/δ))) / ε, where Δ₂f is the L2 sensitivity of query f.
- Requires ε ≤ 1 for the standard calibration to hold
- The L2 sensitivity is typically much smaller than L1 sensitivity, enabling less noise
- For high-dimensional queries, the Gaussian mechanism is asymptotically optimal
- This mechanism is the workhorse behind DP-SGD and most practical DP deployments
Pure ε-DP vs. Approximate (ε, δ)-DP
A technical comparison of the mathematical properties, mechanisms, and composition behavior of pure ε-differential privacy versus its approximate relaxation.
| Property | Pure ε-DP | Approximate (ε, δ)-DP |
|---|---|---|
Formal Definition | Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S] | Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S] + δ |
Failure Probability (δ) | δ = 0 | δ > 0 (typically 10^-5 to 10^-9) |
Primary Noise Mechanism | Laplace mechanism | Gaussian mechanism |
Sensitivity Metric | L1 sensitivity (Δf₁) | L2 sensitivity (Δf₂) |
Noise Distribution | Laplace(0, Δf₁/ε) | Gaussian(0, σ²) where σ ≥ c·Δf₂/ε |
Composition Guarantee | Basic: kε for k queries | Advanced composition: O(√(k ln(1/δ'))·ε + kε(e^ε-1)) |
Privacy Loss Random Variable | Bounded by ε with probability 1 | Bounded by ε with probability ≥ 1-δ |
Post-Processing Immunity | ||
Group Privacy | kε for groups of size k | kε, δ' = k·e^{(k-1)ε}·δ for groups of size k |
Typical Use Case | Simple counting queries, histograms | Deep learning (DP-SGD), high-dimensional data |
Mechanism Efficiency | Suboptimal for high-dimensional queries | Tighter for L2-bounded high-dimensional queries |
Frequently Asked Questions
Clarifying the mechanics and trade-offs of (ε, δ)-Differential Privacy, the dominant relaxation used in modern machine learning to provide provable guarantees while maintaining utility.
(ε, δ)-Differential Privacy is an approximate relaxation of pure ε-differential privacy that introduces a small failure probability δ to bound the likelihood of a catastrophic privacy breach. While pure ε-DP guarantees that the probability ratio of any output on neighboring datasets is bounded strictly by e^ε, the (ε, δ) formulation allows this bound to be violated with probability δ. This means a mechanism satisfies (ε, δ)-DP if, for all neighboring datasets D and D' and all output sets S, the probability Pr[M(D) ∈ S] ≤ e^ε * Pr[M(D') ∈ S] + δ. The δ parameter is typically chosen to be cryptographically small—much smaller than 1/N where N is the dataset size—ensuring that the mechanism behaves like pure ε-DP with overwhelming probability. This relaxation is critical because it enables the use of the Gaussian mechanism and tighter composition theorems, making it the standard framework for training deep learning models with DP-SGD.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts that define, implement, and analyze the (ε, δ)-differential privacy framework, including its foundational mechanisms and accounting techniques.
Gaussian Mechanism
The primary mechanism for achieving (ε, δ)-differential privacy. It adds noise drawn from a Gaussian (normal) distribution calibrated to the L2 sensitivity of a query.
- Noise scale: Standard deviation σ = (Δ₂f * √(2*ln(1.25/δ))) / ε
- Why Gaussian?: The additive nature of Gaussian noise and its tail bounds naturally introduce the δ failure probability.
- Use case: Essential for DP-SGD, where gradients are high-dimensional and L2 sensitivity is easier to bound than L1.
Privacy Loss Random Variable
A core concept for understanding the δ parameter. For a mechanism M, the privacy loss on an outcome o is ln(Pr[M(D)=o] / Pr[M(D')=o]).
- Pure ε-DP: The absolute value of this loss is bounded by ε with probability 1.
- (ε, δ)-DP: The absolute value is bounded by ε with probability at least 1 - δ.
- δ as failure probability: δ represents the probability that the privacy loss exceeds the ε bound, meaning a catastrophic privacy breach is possible but extremely unlikely.
Advanced Composition Theorem
A formal rule that quantifies how the total privacy budget degrades when multiple (ε, δ)-differentially private mechanisms are applied sequentially.
- k-fold composition: Applying k mechanisms, each (ε, δ)-DP, yields an overall guarantee of approximately (√(2k ln(1/δ'))ε + kε(e^ε - 1), kδ + δ').
- Sublinear growth: The ε term grows with √k, not k, which is a significant improvement over basic composition.
- Foundation: This theorem underpins the entire practice of iterative private training, where a model may undergo thousands of noisy gradient updates.
Privacy Amplification by Subsampling
A phenomenon where randomly sampling a subset of data before applying a differentially private mechanism results in a stronger overall privacy guarantee.
- Amplification effect: If a mechanism is (ε, δ)-DP on the full dataset, applying it to a random q-fraction sample amplifies the guarantee to roughly (O(qε), qδ)-DP.
- Critical for DP-SGD: Minibatch sampling in stochastic gradient descent provides this amplification for free, dramatically reducing the per-step privacy cost.
- Poisson vs. fixed-size: Poisson subsampling (each record included independently) provides the strongest amplification and is the standard in privacy accounting.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us