ANALYTICAL COMPOSITION OF DIFFERENTIAL PRIVACY VIA THE EDGEWORTH ACCOUNTANT

Abstract

Many modern machine learning algorithms are in the form of a composition of simple private algorithms; thus, an increasingly important problem is to efficiently compute the overall privacy loss under composition. In this paper, we introduce the Edgeworth Accountant, an analytical approach to composing differential privacy guarantees of private algorithms. The Edgeworth Accountant starts by losslessly tracking the privacy loss under composition using the f-differential privacy framework (Dong et al., 2022), which allows us to express the privacy guarantees using privacy-loss log-likelihood ratios (PLLRs). As the name suggests, this accountant next uses the Edgeworth expansion (Hall, 2013) to upper and lower bound the probability distribution of the sum of the PLLRs. Moreover, by relying on a technique for approximating complex distributions by simple ones, we demonstrate that the Edgeworth Accountant can be applied to composition of any noise-addition mechanism. Owing to certain appealing features of the Edgeworth expansion, the (ε, δ)-differential privacy bounds offered by this accountant are non-asymptotic, with essentially no extra computational cost, as opposed to the prior approaches in Koskela et al. (2020); Gopi et al. (2021), in which the running times are increasing with the number of compositions. Finally, we show our upper and lower (ε, δ)-differential privacy bounds are tight in certain regimes of training private deep learning models and federated analytics.

1. INTRODUCTION

Differential privacy (DP) provides a mathematically rigorous framework for analyzing and developing private algorithms working on datasets containing sensitive information about individuals (Dwork et al., 2006). This framework, however, is often faced with challenges when it comes to analyzing the privacy loss of complex algorithms such as privacy-preserving deep learning and federated analytics (Ramage & Mazzocchi, 2020; Wang et al., 2021), which are composed of simple private building blocks. Therefore, a central question in this active area is to understand how the overall privacy guarantees degrade from the repetition of simple algorithms applied to the same dataset. Continued efforts to address this question have led to the development of relaxations of differential privacy and privacy analysis techniques (Dwork et al., 2010; Dwork & Rothblum, 2016; Bun et al., 2018; Bun & Steinke, 2016). A recent flurry of activity in this line of research was triggered by Abadi et al. (2016), which proposed a technique called the moments accountant for providing upper bounds on the overall privacy loss of training private deep learning models over iterations. A shortcoming of the moments accountant is that its privacy bounds, although computationally efficient to obtain, are generally not tight. This is because the technique is enabled by Rényi DP in Mironov (2017) and its following works (Balle et al., 2018; Wang et al., 2019), whose privacy loss profile can be lossy for many mechanisms. Alternatively, another line of work directly composes (ε, δ)-DP guarantees via numerical methods such as the fast Fourier transform (Koskela et al., 2020; Gopi et al., 2021). This approach can be computationally expensive when the number of algorithms under composition is huge, which unfortunately is often the case for training deep neural networks.
Instead, this paper aims to develop computationally efficient lower and upper privacy bounds for the composition of private algorithms with finite-sample guarantees¹ by relying on a new privacy defini-

¹ Here, "sample" refers to the number of compositions of DP algorithms. From now on we use the term "finite-sample" to mean that the bound is non-asymptotic in the number of compositions.

