Inferensys

Glossary

Epsilon-Differential Privacy (ε-DP)

A mathematical definition of privacy that bounds the probability of any output differing by more than a factor of e^ε between two neighboring datasets, providing a quantifiable privacy guarantee.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
FORMAL PRIVACY GUARANTEE

What is Epsilon-Differential Privacy (ε-DP)?

Epsilon-differential privacy (ε-DP) is a mathematical framework that provides a quantifiable guarantee of privacy by ensuring the output of an analysis is statistically indistinguishable whether or not any single individual's data is included in the input dataset.

Epsilon-differential privacy (ε-DP) is a formal privacy definition where a randomized algorithm's output distribution changes by at most a factor of e^ε when a single record is added to or removed from a dataset. The parameter ε (epsilon), the privacy budget, quantifies the privacy loss: a smaller ε enforces stronger privacy by making neighboring datasets nearly indistinguishable, while a larger ε permits more utility at the cost of weaker guarantees.

This guarantee is achieved by injecting calibrated noise proportional to a query's sensitivity—the maximum impact a single record can have on the output. Crucially, ε-DP provides post-processing immunity, meaning no adversary can weaken the privacy guarantee by performing additional computations on the released output, and it composes gracefully across multiple queries via the composition theorem.

MATHEMATICAL GUARANTEES

Key Properties of ε-Differential Privacy

The power of ε-Differential Privacy lies in its formal, quantifiable properties. These guarantees provide a robust framework for reasoning about privacy loss, composing mechanisms, and ensuring resilience against adversaries with arbitrary auxiliary information.

01

The Privacy Budget (ε)

The parameter ε (epsilon) quantifies the privacy loss bound. A smaller ε provides stronger privacy. It bounds the multiplicative difference in the probability of any output between neighboring datasets. For example, with ε = 0.1, the output probabilities differ by at most a factor of e^0.1 ≈ 1.105, making outcomes nearly indistinguishable. This provides a concrete, tunable knob for the privacy-utility trade-off.

ε → 0
Perfect Privacy
ε ≈ 0.1–1
Strong Practical Privacy
02

Post-Processing Immunity

A defining resilience property. Any arbitrary computation applied to the output of an ε-differentially private mechanism cannot weaken the privacy guarantee. An adversary cannot 'reverse-engineer' privacy by performing post-hoc analysis. The output remains ε-differentially private regardless of downstream processing. This ensures that data released once with a privacy guarantee remains protected forever, enabling safe sharing with untrusted third parties.

03

Composition Theorems

Formal rules for tracking cumulative privacy loss across multiple queries. Sequential composition states that applying k mechanisms, each with ε_i privacy, results in a total privacy loss of Σε_i. Advanced composition provides tighter bounds for adaptive queries. This allows a privacy budget to be allocated across an entire analysis workflow, preventing death by a thousand cuts where individually harmless queries combine to reveal sensitive data.

04

Group Privacy

A corollary that extends protection to groups. If a mechanism provides ε-differential privacy for individuals, it provides kε-differential privacy for groups of size k. This means protecting a family of four under ε=0.1 individual privacy requires a group privacy budget of 0.4. This property quantifies the inherent degradation of privacy when defending against adversaries targeting correlated records or entire households in a dataset.

05

Resistance to Auxiliary Information

The guarantee holds against adversaries with arbitrary external knowledge. Unlike syntactic anonymization techniques like k-anonymity, which catastrophically fail when linked with public datasets, differential privacy makes no assumptions about an attacker's background information. The mathematical bound remains valid even if the adversary knows every other record in the database, preventing linkage attacks like those that re-identified Netflix Prize and AOL search data.

06

Plausible Deniability

The formal guarantee provides a rigorous form of plausible deniability for any individual. For any output, the probability it was produced from a dataset containing a specific person's record is nearly identical to the probability it was produced from a dataset without it. This means an individual can credibly deny that their data influenced a published statistic, as the outcome is almost equally likely regardless of their participation.

EPSILON-DIFFERENTIAL PRIVACY

Frequently Asked Questions

Clear, technical answers to the most common questions about the mathematical framework of epsilon-differential privacy, its mechanisms, and its practical implementation.

Epsilon-differential privacy (ε-DP) is a mathematical definition of privacy that bounds the probability of any output differing by more than a factor of e^ε between two neighboring datasets—those differing by a single record. It works by injecting calibrated noise into query responses or model training processes, ensuring that an adversary observing the output cannot confidently infer whether any specific individual's data was included. The parameter ε, known as the privacy budget, quantifies the privacy loss: a smaller ε (e.g., 0.1) provides stronger privacy by making outputs nearly indistinguishable, while a larger ε (e.g., 10) allows more utility but weaker guarantees. The mechanism achieves this by adding noise drawn from a probability distribution—typically Laplace or Gaussian—scaled to the query's sensitivity, which measures the maximum change in output caused by a single record's presence or absence.

PRIVACY MODEL COMPARISON

Epsilon-Differential Privacy vs. Related Privacy Definitions

A technical comparison of pure ε-differential privacy against its primary relaxations and alternative privacy frameworks, highlighting differences in formal guarantees, noise mechanisms, and composition properties.

PropertyPure ε-Differential Privacy(ε, δ)-Differential PrivacyRényi Differential PrivacyLocal Differential Privacy

Formal guarantee

Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S]

Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S] + δ

D_α(M(D) || M(D')) ≤ ε for α > 1

Pr[M(x) = y] ≤ e^ε · Pr[M(x') = y]

Failure probability (δ)

Typical noise mechanism

Laplace mechanism

Gaussian mechanism

Gaussian mechanism

Randomized response

Sensitivity metric

L1 sensitivity (Δf)

L2 sensitivity (Δ₂f)

Rényi divergence of order α

Per-record sensitivity

Composition tightness

Basic composition: kε

Advanced composition: O(√(k ln(1/δ))ε + kε²)

Tighter than (ε, δ) via moments accountant

Sequential composition: kε

Post-processing immunity

Trust model

Central server trusted

Central server trusted

Central server trusted

Server untrusted; noise added client-side

Privacy amplification by subsampling

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.