Inferensys

Glossary

Privacy Amplification by Subsampling

The phenomenon where randomly sampling a subset of data before applying a differentially private mechanism yields a stronger privacy guarantee than processing the full dataset.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
PRIVACY ACCOUNTING

What is Privacy Amplification by Subsampling?

Privacy amplification by subsampling is a phenomenon in differential privacy where randomly selecting a subset of data before applying a differentially private mechanism yields a stronger overall privacy guarantee than processing the full dataset.

Privacy amplification by subsampling is a core property of the subsampled Gaussian mechanism used in DP-SGD. When a batch is drawn via Poisson sampling—where each record has an independent probability q of inclusion—the privacy loss parameter epsilon is reduced by a factor approximately proportional to q, because any single record's maximum influence on the output is probabilistically bounded.

This effect is rigorously tracked by a privacy accountant using composition theorems from Rényi Differential Privacy (RDP) or Gaussian Differential Privacy (GDP). The accountant multiplies the sampling probability by the noise multiplier to compute a tight upper bound on cumulative privacy expenditure, enabling useful model training within a strict privacy budget.

MECHANISM

Key Properties of Privacy Amplification by Subsampling

Privacy amplification by subsampling is the phenomenon where applying a differentially private mechanism to a random subset of data yields a stronger privacy guarantee than applying the same mechanism to the full dataset. This section breaks down the core mathematical properties and operational benefits.

01

The Core Mechanism

The subsampled Gaussian mechanism is the workhorse of privacy amplification. It operates by first selecting a random subset of records from the dataset, then applying Gaussian noise to the query result computed on that subset. The randomness of the sampling process itself introduces uncertainty about whether any given individual's data was even included in the computation, effectively amplifying the base privacy guarantee of the noise addition step.

O(q·ε)
Amplified Privacy Loss
02

Poisson Sampling vs. Uniform Sampling

The method of subsampling critically impacts the privacy analysis. Poisson sampling includes each data point independently with probability q, which simplifies privacy accounting and yields tight composition bounds. Uniform sampling without replacement selects a fixed batch of size B from N records. While practically common, uniform sampling requires more complex analysis using Rényi differential privacy or privacy loss distributions to avoid loose bounds.

03

Amplification by Iteration

In iterative algorithms like DP-SGD, privacy amplification compounds across training steps. The privacy accountant tracks the cumulative privacy loss. Because each step operates on a fresh random subsample, the total privacy cost grows sublinearly with the number of iterations. This is formalized through strong composition theorems and moments accountant techniques, which provide tight bounds on the overall epsilon after T steps.

04

Sampling Rate Trade-offs

The sampling rate q directly governs the privacy-utility trade-off:

  • Smaller q (e.g., 0.001): Stronger amplification, lower epsilon per step, but slower convergence and higher variance.
  • Larger q (e.g., 0.1): Weaker amplification, higher privacy cost per step, but faster learning. The optimal q balances the total privacy budget against model accuracy, often requiring hyperparameter tuning under a fixed epsilon constraint.
05

Tight Composition with Rényi DP

Rényi Differential Privacy (RDP) provides a natural framework for analyzing subsampled mechanisms. The RDP parameters of a subsampled Gaussian mechanism compose cleanly across iterations. After T steps with sampling rate q and noise multiplier σ, the RDP order α can be converted to a standard (ε, δ)-DP guarantee. This approach avoids the looseness of basic composition and is the standard in modern DP-SGD implementations.

06

Operational Meaning in Federated Learning

In cross-device federated learning, privacy amplification by subsampling is a free lunch. Because only a fraction of devices participate in each training round, the server's view of any individual user's contribution is inherently probabilistic. This means that even without adding large amounts of noise, the random participation pattern provides a baseline level of privacy, which can be further strengthened by combining with secure aggregation or local differential privacy.

PRIVACY AMPLIFICATION

Frequently Asked Questions

Explore the core mechanisms and mathematical foundations that make random subsampling a powerful tool for strengthening differential privacy guarantees in machine learning workflows.

Privacy Amplification by Subsampling is a phenomenon in differential privacy where applying a randomized mechanism to a random subset of a dataset yields a stronger privacy guarantee than applying the same mechanism to the full dataset. The core mechanism works by introducing uncertainty about participation: an adversary cannot determine whether a specific record influenced the output because the record may not have been included in the random sample at all. Formally, if a mechanism M satisfies (ε, δ)-differential privacy, then applying M to a random subset sampled with probability q yields a privacy loss of approximately O(qε, qδ). This amplification is foundational to the DP-SGD algorithm, where Poisson Sampling selects mini-batches with a fixed probability per example, dramatically reducing the per-iteration privacy cost and enabling practical deep learning with formal privacy guarantees.

AMPLIFICATION TECHNIQUES

Privacy Amplification Methods Compared

Comparison of core methods that amplify differential privacy guarantees through data subsampling, shuffling, and iteration.

FeaturePoisson SubsamplingShuffle ModelCheck-in Model

Core Mechanism

Each record included independently with probability q

Random permutation followed by fixed-size batches

Clients randomly select themselves to participate

Privacy Amplification Factor

O(q)

O(1/√n)

O(1/√n)

Requires Central Trust

Compatible with DP-SGD

Typical Epsilon Reduction

2-10x

2-5x

1.5-3x

Communication Overhead

None

Moderate

Low

Suitable for Federated Learning

Formal Proof Framework

Subsampled Gaussian Mechanism

Amplification by Shuffling

Amplification by Iteration

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.