Inferensys

Glossary

(ε, δ)-Differential Privacy

A relaxed definition of differential privacy that allows a small probability delta (δ) of the strict epsilon guarantee being violated, enabling the use of more efficient mechanisms like the Gaussian mechanism.
Strategy consultant facilitating AI use case discovery workshop, sticky notes on glass wall, casual corporate meeting.
Approximate Differential Privacy

What is (ε, δ)-Differential Privacy?

A relaxed definition of differential privacy that introduces a small failure probability δ, allowing the strict ε-guarantee to be violated with negligible chance to enable more practical and efficient mechanisms.

(ε, δ)-Differential Privacy is a formal privacy definition where a randomized mechanism M guarantees that for all neighboring datasets D and D' and all output sets S, the probability Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S] + δ. The parameter δ represents a small, typically cryptographically negligible, probability that the strict ε-privacy bound is violated, relaxing the pure ε-differential privacy guarantee.

This relaxation enables the use of the Gaussian mechanism, which adds noise calibrated to the L2-sensitivity, and permits tighter composition under repeated queries compared to pure ε-DP. The δ parameter is typically chosen to be much smaller than 1/N, where N is the dataset size, ensuring the privacy failure probability is negligible relative to the risk of a record being included in the dataset at all.

Relaxed Privacy Guarantees

Core Properties of (ε, δ)-DP

The (ε, δ)-differential privacy framework introduces a failure probability δ, allowing for more efficient mechanisms like the Gaussian mechanism while maintaining a provable, albeit slightly relaxed, privacy guarantee.

01

The Failure Probability (δ)

The parameter δ represents a small, cryptographically negligible probability that the strict ε-differential privacy guarantee is violated. This allows a mechanism to output a result with a privacy loss exceeding ε, but only with probability at most δ. This relaxation is not a bug but a feature, enabling the use of the Gaussian mechanism and tighter composition theorems, which are essential for iterative algorithms like DP-SGD. A typical choice for δ is much smaller than 1/N, where N is the dataset size, ensuring the violation is statistically unlikely to affect any single individual.

δ ≪ 1/N
Cryptographically Small
02

Gaussian Mechanism Enablement

The core motivation for (ε, δ)-DP is that pure ε-DP is incompatible with the Gaussian mechanism. Pure ε-DP requires noise from a Laplace distribution, which has a heavier tail. The Gaussian mechanism adds noise calibrated to the L2-sensitivity of a query, but its privacy loss is unbounded. The δ parameter explicitly accounts for the tail probability where this loss exceeds ε. This is the foundational mechanism for Differentially Private Stochastic Gradient Descent (DP-SGD), where Gaussian noise is added to clipped gradients in every training step.

03

Advanced Composition

A key property of (ε, δ)-DP is its behavior under composition. When multiple (ε, δ)-DP mechanisms are run on the same dataset, the total privacy loss accumulates. The advanced composition theorem provides a much tighter bound on this accumulation compared to basic composition. For k mechanisms, the total privacy loss is roughly O(√k * ε, kδ + δ'). This sub-linear scaling is critical for training deep learning models over thousands of iterations, allowing a meaningful privacy budget to be tracked and maintained by a moments accountant.

04

Group Privacy

(ε, δ)-DP provides a graceful degradation of privacy for groups. If a mechanism is (ε, δ)-DP for a single record, it is (kε, k * e^(k-1)ε * δ)-DP for a group of size k. This means the privacy guarantee weakens predictably for correlated data or when protecting a user with multiple records. This property is crucial for defining user-level privacy, where all contributions from a single user must be protected, often requiring a larger privacy budget allocation than item-level privacy.

05

Post-Processing Immunity

Like pure ε-DP, (ε, δ)-DP is immune to post-processing. Any arbitrary computation applied to the output of an (ε, δ)-DP mechanism cannot weaken the privacy guarantee. An adversary with access to the output cannot increase the ε or δ values, regardless of the auxiliary information they possess or the transformations they apply. This property is vital for system design, as it guarantees that privacy is not compromised by downstream analysis, visualization, or model publishing.

06

Hypothesis Testing Interpretation

The (ε, δ)-DP guarantee has a powerful operational interpretation in terms of membership inference attacks. An adversary trying to distinguish between two neighboring datasets based on the mechanism's output cannot have both a low false positive rate (Type I error) and a low false negative rate (Type II error). The parameters ε and δ define a trade-off function between these errors, formalized by Gaussian Differential Privacy (GDP). This provides a concrete, semantic meaning to the abstract privacy parameters.

PRIVACY DEFINITIONS

Frequently Asked Questions

Clear answers to the most common questions about the relaxed (ε, δ)-differential privacy definition, its mechanisms, and its practical trade-offs.

(ε, δ)-differential privacy is a relaxed definition of differential privacy that guarantees a randomized mechanism M satisfies Pr[M(D) ∈ S] ≤ e^ε · Pr[M(D') ∈ S] + δ for all neighboring datasets D and D'. Unlike pure ε-differential privacy, which requires the output distributions to be multiplicatively close, this definition allows a small probability δ (typically cryptographically small, like 10^-5 or smaller) of the strict ε-guarantee being violated. This relaxation enables the use of the Gaussian mechanism instead of the Laplace mechanism, which provides better utility under composition and is essential for practical algorithms like DP-SGD. The δ parameter represents the probability that the privacy loss exceeds the ε bound, effectively allowing a 'failure probability' for the privacy guarantee.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.