$f$-Differential Privacy Filters: Validity and Approximate Solutions

TL;DR

This paper investigates the validity of $f$-DP privacy filters under adaptive composition, demonstrating fundamental limitations, establishing a central limit theorem, and proposing an approximate GDP filter that outperforms RDP-based methods in certain regimes.

Contribution

It reveals the invalidity of the natural $f$-DP filter under full adaptivity, characterizes conditions for validity, and introduces a Gaussian approximation-based filter for subsampled mechanisms.

Findings

The natural $f$-DP filter is fundamentally invalid under full adaptivity.

A central limit theorem for $f$-DP establishes Gaussian convergence of privacy losses.

An approximate GDP filter for subsampled Gaussian mechanisms outperforms RDP in asymptotic regimes.

Abstract

Accounting for privacy loss under fully adaptive composition -- where mechanism choice and privacy parameters may depend on the history of prior outputs -- is a central challenge in differential privacy (DP). Here, privacy filters are stopping rules ensuring a prescribed global budget is not exceeded. A leading candidate for optimal filter design is $f$-DP, which characterizes the full extent of adversarial hypothesis testing and recovers $(\varepsilon,\delta)$-DP through piece-wise linear trade-off functions, while enabling tight $(\varepsilon,\delta)$-DP accounting in standard compositions via tensor products. Yet whether such filters can be correctly defined under $f$-DP remains unclear. We show that the natural $f$-DP filter -- tracking path-wise accumulating tensor products and stopping when the prescribed curve is crossed -- is fundamentally invalid, precluding the direct use of standard efficient numerical Fast-Fourier-Transform accounting in the fully adaptive setting. We characterize this failure, establishing necessary and sufficient conditions for the natural filter's validity. Furthermore, we prove a fully adaptive central limit theorem for $f$-DP, establishing Gaussian convergence of cumulative privacy losses under full adaptivity. As a demonstration, we construct a closed-form approximate GDP filter for subsampled Gaussian mechanisms that provably outperforms RDP-based accounting in asymptotic regimes ($q\ll 1$ and $q\approx 1$) without tracking the full trade-off function, demonstrating that the slack in RDP is not intrinsic to adaptive composition -- though CLT-based approximations are known to be optimistic at realistic subsampling rates, a limitation that remains an open challenge.