Privacy Audit as Bits Transmission: (Im)possibilities for Audit by One Run

TL;DR

This paper introduces an information-theoretic framework for privacy audits, modeling them as bits transmission problems, which enables tighter privacy guarantees and reduces the number of observations needed.

Contribution

It unifies privacy auditing under a new theoretical framework and clarifies when single-run audits are feasible, improving privacy guarantee tightness and efficiency.

Findings

Tighter privacy lower bounds on DP mechanisms

Reduced number of observations for privacy audits

Successful detection of privacy violations in flawed algorithms

Abstract

Auditing algorithms' privacy typically involves simulating a game-based protocol that guesses which of two adjacent datasets was the original input. Traditional approaches require thousands of such simulations, leading to significant computational overhead. Recent methods propose single-run auditing of the target algorithm to address this, substantially reducing computational cost. However, these methods' general applicability and tightness in producing empirical privacy guarantees remain uncertain. This work studies such problems in detail. Our contributions are twofold: First, we introduce a unifying framework for privacy audits based on information-theoretic principles, modeling the audit as a bit transmission problem in a noisy channel. This formulation allows us to derive fundamental limits and develop an audit approach that yields tight privacy lower bounds for various DP protocols. Second, leveraging this framework, we demystify the method of privacy audit by one run, identifying the conditions under which single-run audits are feasible or infeasible. Our analysis provides general guidelines for conducting privacy audits and offers deeper insights into the privacy audit. Finally, through experiments, we demonstrate that our approach produces tighter privacy lower bounds on common differentially private mechanisms while requiring significantly fewer observations. We also provide a case study illustrating that our method successfully detects privacy violations in flawed implementations of private algorithms.