Inferensys

Glossary

Privacy Amplification by Subsampling

A property where randomly sampling a subset of data for each training step amplifies the privacy guarantee, as the uncertainty of inclusion provides an additional layer of deniability.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
DEFINITION

What is Privacy Amplification by Subsampling?

Privacy amplification by subsampling is a property in differential privacy where randomly selecting a subset of data for each training step provides a stronger privacy guarantee than processing the entire dataset, as the uncertainty of inclusion creates an additional layer of deniability.

Privacy amplification by subsampling is a fundamental technique in differentially private machine learning where the privacy guarantee (ε) is mathematically strengthened by the randomness of data selection. When a model trains on a random subset rather than the full dataset, an adversary cannot determine whether a specific record influenced the output because they cannot distinguish between the record being excluded from the sample or its influence being masked by noise.

This property is central to the DP-SGD algorithm, where each training batch is randomly sampled from the larger dataset. The subsampling probability directly affects the privacy budget calculation, with smaller sampling rates yielding exponentially tighter privacy bounds. Modern privacy accounting methods like Rényi Differential Privacy and Privacy Loss Distributions explicitly model this amplification effect to provide accurate composition analysis across training iterations.

MECHANISM

Key Properties of Privacy Amplification by Subsampling

Privacy amplification by subsampling is a foundational technique in differential privacy where randomly selecting a subset of data for each training iteration provides a stronger privacy guarantee than processing the entire dataset. The uncertainty of whether any individual record was included in a given batch creates an additional layer of plausible deniability.

01

The Core Mechanism: Random Sampling

At each training step, a batch of examples is drawn uniformly at random from the full dataset without replacement. A differentially private mechanism (such as DP-SGD) is then applied only to this subset. Because an adversary cannot know whether a specific record was included in the sampled batch, the effective privacy loss is reduced. Formally, if a mechanism M satisfies (ε, δ)-DP, applying M to a random subset sampled with probability q yields a mechanism satisfying approximately (q·ε, q·δ)-DP under the subsampling amplification theorem.

  • Poisson sampling: Each record is independently included with probability q, providing the strongest amplification guarantees
  • Uniform sampling without replacement: A fixed-size batch is drawn, yielding slightly weaker but still substantial amplification
  • The amplification effect is most pronounced when the sampling rate q is small relative to the dataset size
O(q·ε)
Amplified Privacy Loss
02

Privacy Loss Composition with Subsampling

When subsampling is applied repeatedly over T training iterations, the privacy guarantees compose according to advanced accounting methods. The Privacy Loss Distribution (PLD) approach tracks the exact distribution of privacy loss random variables, yielding significantly tighter bounds than simple linear composition. Under Rényi Differential Privacy (RDP), the subsampled Gaussian mechanism's RDP parameters compose additively across iterations, enabling precise privacy budget tracking.

  • Moments Accountant: The classical method introduced with DP-SGD that computes tight bounds on the privacy loss of subsampled mechanisms
  • Privacy amplification by iteration: Even without explicit subsampling, the iterative nature of SGD provides inherent privacy amplification when the dataset is accessed sequentially
  • The effective epsilon after T iterations scales roughly as O(q·ε·√T) under advanced composition theorems
O(q·ε·√T)
Composed Privacy Loss
03

Amplification by Shuffling

A related but distinct form of amplification occurs when data is shuffled before being partitioned into batches. In the shuffle model of differential privacy, each user's data is first locally randomized, then a trusted shuffler permutes all submissions before the analyzer processes them. The shuffling operation amplifies the local privacy guarantee: if each user applies an ε₀-local randomizer, the shuffled output satisfies approximately O(e^{ε₀}·√(log(1/δ)/n))-DP centrally.

  • Shuffle amplification bridges the gap between local DP (weak per-user guarantees) and central DP (strong aggregate guarantees)
  • Requires an honest-but-curious shuffler that does not collude with the analyzer
  • Enables strong privacy for federated learning without trusting a central aggregator with raw data
O(√(log(1/δ))/n)
Shuffle Amplification Factor
04

Tight Bounds via Privacy Loss Distributions

Modern privacy accounting for subsampled mechanisms relies on privacy loss distributions (PLDs) rather than moment-based approximations. The PLD of a subsampled Gaussian mechanism is computed by convolving the PLD of the base mechanism with the sampling distribution. This approach, implemented in libraries like Google's DP Accounting and Opacus, yields numerically tight (ε, δ) guarantees by directly computing the tail probabilities of the composed privacy loss.

  • Fourier accountants: Leverage fast Fourier transforms to efficiently convolve PLDs across many iterations
  • Privacy loss random variable: A single scalar that captures the entire privacy loss incurred on a specific outcome
  • The tightness of PLD-based accounting can reduce the reported epsilon by 2-5× compared to the Moments Accountant for the same actual privacy protection
2-5×
Tighter Epsilon vs. Moments Accountant
05

Practical Impact on Model Utility

Privacy amplification by subsampling creates a utility-privacy tradeoff governed by the sampling rate q. Smaller sampling rates provide stronger amplification but require more iterations to converge, increasing the total computational cost. In practice, typical DP-SGD training uses sampling rates of 0.1% to 1% (e.g., batch sizes of 256-1024 on datasets of 50k-1M examples). The amplified privacy guarantee allows models to achieve useful accuracy at meaningful epsilon values (ε = 1-8) that would be impossible without subsampling.

  • Large batch training: Using larger batches reduces the effective sampling rate, improving amplification at the cost of increased memory and compute
  • Epoch accounting: The number of passes over the dataset interacts with the sampling rate to determine total privacy expenditure
  • Empirical studies show that subsampling amplification is the single most important factor enabling practical deep learning with differential privacy
0.1-1%
Typical Sampling Rate
ε = 1-8
Practical Epsilon Range
06

Subsampling in Federated Learning

In federated learning, subsampling occurs at two levels: client-level and example-level. Client-level subsampling randomly selects a subset of participating devices in each round, providing amplification against adversaries who might compromise the central server. Example-level subsampling within each client further amplifies the guarantee. The combination of both levels, analyzed through federated privacy accounting, yields end-to-end differential privacy guarantees that protect individual user contributions across the entire training process.

  • Cross-device FL: Millions of devices with small local datasets, where client sampling is the dominant amplification mechanism
  • Cross-silo FL: Tens to hundreds of organizations, where example-level subsampling within each silo provides the primary amplification
  • The DP-FedAvg algorithm combines federated averaging with subsampled Gaussian mechanisms at both levels
2-Level
Amplification Hierarchy
PRIVACY AMPLIFICATION BY SUBSAMPLING

Frequently Asked Questions

Explore the core mechanics and practical implications of privacy amplification by subsampling, a fundamental technique for achieving tighter differential privacy guarantees in iterative machine learning algorithms.

Privacy amplification by subsampling is a property where randomly selecting a subset of data for each training step provides a stronger differential privacy guarantee than processing the entire dataset. The mechanism works by introducing uncertainty about whether any specific record was included in the computation. If an attacker observes the model's output, they cannot be certain if a target record influenced the result because it may not have been sampled. Formally, if a mechanism M satisfies (ε, δ)-differential privacy, applying it to a random q-fraction sample amplifies the guarantee to approximately (qε, qδ). This is the foundational principle behind the DP-SGD algorithm, where mini-batch sampling is the primary source of privacy amplification before gradient clipping and noise addition.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.