Sequential Auditing for f-Differential Privacy

TL;DR

This paper introduces adaptive empirical auditors for $f$-differential privacy that detect privacy violations across the entire spectrum with statistical guarantees, without requiring predefined sample sizes, improving efficiency especially for costly algorithms.

Contribution

It develops novel adaptive auditors for $f$-DP that do not need user-specified sample sizes and work in both whitebox and blackbox settings, enhancing privacy verification methods.

Findings

Auditors detect violations with statistical significance across the $f$-DP spectrum.

The method adaptively determines near-optimal sample sizes, reducing sampling costs.

Supports both whitebox and blackbox privacy auditing scenarios.

Abstract

We present new auditors to assess Differential Privacy (DP) of an algorithm based on output samples. Such empirical auditors are common to check for algorithmic correctness and implementation bugs. Most existing auditors are batch-based or targeted toward the traditional notion of $(\varepsilon,\delta)$-DP; typically both. In this work, we shift the focus to the highly expressive privacy concept of $f$-DP, in which the entire privacy behavior is captured by a single tradeoff curve. Our auditors detect violations across the full privacy spectrum with statistical significance guarantees, which are supported by theory and simulations. Most importantly, and in contrast to prior work, our auditors do not require a user-specified sample size as an input. Rather, they adaptively determine a near-optimal number of samples needed to reach a decision, thereby avoiding the excessively large sample sizes common in many auditing studies. This reduction in sampling cost becomes especially beneficial for expensive training procedures such as DP-SGD. Our method supports both whitebox and blackbox settings and can also be executed in single-run frameworks.