Privacy loss bound

Classes that represent bounds on privacy loss, to represent differential privacy.

class pfl.internal.privacy_loss_bound.ApproximatePrivacyLossBound(epsilon, delta)

A bound on the privacy loss, in the sense of approximate differential privacy. This is parameterised with ε and δ. It is therefore often called (ε,δ) differential privacy.

A lower ε and a lower δ indicate less loss of privacy.

Parameters:
  • epsilon (float) – An upper bound on the privacy loss.

  • delta (float) – The δ parameter of approximate differential privacy. Very loosely speaking, this is the probability that the upper bound of epsilon is exceeded.

apply_multiple_times(step_num)

Convert this bound to one for incurring this privacy loss multiple times. This yields only one of the possible guarantees, and it is often a loose bound.

The guarantee that is returned has a higher epsilon and delta, since the privacy loss after multiple applications is greater.

class pfl.internal.privacy_loss_bound.PrivacyLossBound(epsilon)

A bound on the privacy loss, in the sense of pure differential privacy. This is parameterised with ε.

A guarantee with a lower ε loses less privacy.

Parameters:

epsilon (float) – An upper bound on the privacy loss.

apply_multiple_times(step_num)

Convert this guarantee to one for applying this multiple times. This yields only one of the possible guarantees, and it is often a loose bound.

The guarantee that is returned has a higher epsilon and delta, since the privacy loss after multiple iterations is greater.

class pfl.internal.privacy_loss_bound.RenyiPrivacyLossBound(order, epsilon)

A bound for privacy loss in terms of Rényi differential privacy. This measures a Rényi divergence between the outputs of a mechanism applied to two adjacent databases. It is parameterised by α, the order of the Rényi divergence used, and by the divergence ε, which is analogous to, but not the same as, ε in standard or approximate DP.

This is based on Mironov (2017), “Rényi Differential Privacy”. https://arxiv.org/abs/1702.07476

A bound for one order does not imply any bound for another order. However, it is possible to convert a bound for a specific order to one expressed as (ε,δ)-approximate differential privacy.

Parameters:
  • order (float) – The order of the Rényi divergence that is used. This must be at least 1.

  • epsilon (float) – The bound on the value of the Rényi divergence that the mechanism provides.

apply_multiple_times(num_applications)

Convert this bound to one for applying this multiple times.

The bound that is returned has a higher epsilon, since the privacy loss after multiple applications is greater.

convert_to_approximate_dp(desired_delta)

Convert a bound in terms of the (α,ε)-Rényi differential privacy into a bound in terms of (ε,δ)-approximate differential privacy.

The desired δ parameter is given, and the corresponding ε is returned.

This implements Mironov (2017), Proposition 3. It may well be possible to improve the bound that this relies on in the future.

Parameters:
  • order – The order of the Rényi differential privacy.

  • renyi_epsilon – The epsilon parameter in terms of Rényi differential privacy.

  • desired_delta (float) – The desired delta parameter for the approximate DP bound.

Return type:

ApproximatePrivacyLossBound
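
The following is an added example, not pfl's own code: it carries the Rényi composition and the Mironov (2017) Proposition 3 conversion described above through several orders and keeps the tightest (ε,δ) result, since a bound at one order implies nothing about another. The classes `RenyiBound` and `ApproxBound`, the helpers `gaussian_rdp` and `tightest_bound`, and the Gaussian mechanism with sensitivity 1 are assumptions made for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ApproxBound:
    """Hypothetical stand-in for an (epsilon, delta) approximate-DP bound."""
    epsilon: float
    delta: float


@dataclass(frozen=True)
class RenyiBound:
    """Hypothetical stand-in for an (order, epsilon) Renyi-DP bound."""
    order: float
    epsilon: float

    def apply_multiple_times(self, num_applications: int) -> "RenyiBound":
        # At a fixed order, Renyi-DP epsilons add under composition.
        return RenyiBound(self.order, self.epsilon * num_applications)

    def convert_to_approximate_dp(self, desired_delta: float) -> ApproxBound:
        # Mironov (2017), Proposition 3: (alpha, eps)-RDP implies
        # (eps + log(1/delta) / (alpha - 1), delta)-DP for 0 < delta < 1.
        if self.order <= 1:
            raise ValueError("conversion divides by (order - 1); need order > 1")
        if not 0 < desired_delta < 1:
            raise ValueError("desired_delta must lie in (0, 1)")
        extra = math.log(1 / desired_delta) / (self.order - 1)
        return ApproxBound(self.epsilon + extra, desired_delta)


def gaussian_rdp(order: float, sigma: float) -> RenyiBound:
    # Assumption: Gaussian mechanism, L2 sensitivity 1, noise std sigma,
    # which satisfies (alpha, alpha / (2 sigma^2))-RDP (Mironov 2017).
    return RenyiBound(order, order / (2 * sigma ** 2))


def tightest_bound(sigma, steps, delta, orders):
    # Bounds at different orders are independent, so compose and convert
    # each order separately and keep the smallest resulting epsilon.
    converted = [
        (a, gaussian_rdp(a, sigma).apply_multiple_times(steps)
             .convert_to_approximate_dp(delta))
        for a in orders
    ]
    return min(converted, key=lambda pair: pair[1].epsilon)


# Constructed inputs: sigma = 4, 10 applications, delta = 1e-5.
BEST_ORDER, BEST = tightest_bound(4.0, 10, 1e-5, (2, 4, 8, 16, 32))
```

With these constructed inputs, order 2 converts to ε ≈ 12.14 while order 8 gives ε ≈ 4.14 for the same δ, which is why accountants typically track a grid of orders rather than a single one.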