Inferensys

Glossary

Differential Privacy

A mathematical framework that provides a provable guarantee of privacy by injecting calibrated statistical noise into data or model updates, ensuring that the presence or absence of any single record is indistinguishable.
Governance lead reviewing model governance framework on laptop, policy documents visible, executive office setup.
PRIVACY FRAMEWORK

What is Differential Privacy?

A mathematical definition of privacy that provides a provable guarantee against the identification of an individual's record in a dataset by injecting calibrated statistical noise.

Differential Privacy is a mathematical framework that provides a provable guarantee that the output of a computation reveals no information about whether any single individual's data was included in the input. It achieves this by injecting precisely calibrated statistical noise into the data or the result of a query, making the presence or absence of any single record statistically indistinguishable. The guarantee is controlled by a privacy loss parameter, epsilon (ε), where a smaller epsilon enforces a stronger privacy guarantee by making the output distribution nearly identical regardless of an individual's participation.

In the context of federated wireless learning, differential privacy is applied to model updates before they are transmitted from an edge device to the aggregation server. A differentially private stochastic gradient descent (DP-SGD) algorithm clips the per-example gradients and adds Gaussian noise, ensuring that the aggregated global model does not memorize or leak unique characteristics of a single device's local radio frequency data. This provides a robust defense against model inversion and membership inference attacks, making it a critical component for privacy-preserving over-the-air computation.

MATHEMATICAL GUARANTEES

Core Properties of Differential Privacy

Differential privacy provides a rigorous, quantifiable definition of privacy loss, ensuring that the output of a computation is statistically indistinguishable whether or not any single individual's data is included.

01

The Privacy Budget (ε)

The parameter epsilon (ε) is the privacy loss parameter, quantifying the maximum divergence between outputs on neighboring datasets. A smaller ε provides stronger privacy.

  • ε = 0: Perfect privacy, outputs are identical regardless of any single record's presence.
  • ε ≈ 0.1–1: Strong privacy, typical for high-sensitivity applications like census data.
  • ε > 10: Weak privacy, minimal meaningful protection.

The budget is consumed cumulatively across queries. Once exhausted, no further analysis is permitted without risking re-identification.

ε ≤ 1
Strong Privacy Threshold
02

Sensitivity & Calibrated Noise

Global sensitivity measures the maximum impact a single record can have on a query's output. This determines the scale of noise required.

  • Counting queries: Sensitivity of 1 (adding a person changes count by at most 1).
  • Sum queries: Sensitivity equals the maximum absolute value in the data domain.
  • Median queries: Can have unbounded sensitivity, requiring careful algorithm design.

Noise is typically drawn from a Laplace distribution (for ε-differential privacy) or a Gaussian distribution (for (ε, δ)-relaxed differential privacy), scaled proportionally to sensitivity divided by ε.

03

The Relaxation Parameter (δ)

Delta (δ) is a relaxation parameter in (ε, δ)-differential privacy that allows a small probability of catastrophic privacy failure.

  • δ = 0: Pure ε-differential privacy, the gold standard.
  • δ ≈ 10⁻⁶ to 10⁻⁹: Approximate differential privacy, typical for Gaussian noise mechanisms.
  • δ must be cryptographically small: Smaller than the inverse of the dataset size to prevent membership inference.

This relaxation enables the use of advanced composition theorems and the Gaussian mechanism, which is essential for differentially private stochastic gradient descent (DP-SGD) in federated learning.

04

Sequential Composition

The composition theorem quantifies how privacy degrades when multiple differentially private analyses are performed on the same dataset.

  • Basic Composition: Running k mechanisms each with εᵢ privacy results in a total privacy loss of Σ εᵢ.
  • Advanced Composition: For (ε, δ)-differential privacy, the total privacy loss grows sub-linearly, proportional to √(k) * ε rather than k * ε.

This is critical for iterative algorithms like DP-SGD, where noise is added at every training step. Without advanced composition, the privacy budget would be exhausted after a handful of iterations.

05

Post-Processing Immunity

A defining property of differential privacy is resilience to post-processing. Any arbitrary computation applied to the output of a differentially private mechanism cannot degrade the privacy guarantee.

  • An adversary with unlimited auxiliary information about all but one record still cannot infer that record's presence.
  • Arbitrary transformations: Averaging, thresholding, or feeding the output into another model does not weaken the ε guarantee.
  • This ensures that privacy is preserved even if the output is published publicly or subjected to adversarial analysis.

This property makes differential privacy composable with other systems without requiring trust in downstream consumers.

06

Group Privacy

Differential privacy naturally extends to protect groups of correlated records. If a mechanism provides ε-differential privacy for a single record, it provides k·ε-differential privacy for a group of size k.

  • Family privacy: Protects households in census data where multiple members share attributes.
  • Time-series protection: Safeguards sequences of location pings from a single device.
  • Trade-off: Protecting larger groups requires proportionally more noise, reducing utility.

This property is essential for federated wireless learning, where a single device may contribute multiple correlated updates over time, and the privacy guarantee must account for the entire contribution history.

PRIVACY MECHANISMS

Frequently Asked Questions

Clear, technically precise answers to the most common questions about the mathematical framework of differential privacy and its application in federated wireless learning.

Differential privacy is a mathematical framework that provides a provable guarantee that the output of a computation, such as a model update or a statistical query, reveals virtually no information about whether any single individual's data was included in the input dataset. It works by injecting calibrated statistical noise, typically drawn from a Laplace or Gaussian distribution, into the computation's result. The magnitude of this noise is scaled by a privacy loss parameter, epsilon (ε), which quantifies the privacy guarantee; a smaller epsilon enforces stronger privacy by making the output of the computation on two datasets that differ by only one record statistically almost indistinguishable. This ensures an adversary observing the output cannot confidently infer any single record's presence or value.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.