There are two standard definitions of "neighboring," and they change the sensitivity by a factor of 2:
Add/Remove definition: D2 is D1 with one record added or removed. ∣D1∣=∣D2∣.
Replace-one definition: D2 is D1 with one record replaced by another. ∣D1∣=∣D2∣.
Example (add/remove):
D1={x1,x2,…,xn}
D2={x1,x2,…,xn,xn+1} (one extra person)
Why this matters: Under add/remove, a summed query changes by at most one record's contribution. Under replace-one, it can change by two record's worth (remove old + add new), doubling the sensitivity. We state which definition we use in every derivation below.
Step 2: Why the exponential bound?
Take the ratio of probabilities:
Pr[M(D2)∈S]Pr[M(D1)∈S]≤eε
Why this form? The exponential makes ε additive under composition (we'll see why this matters). For small ε, eε≈1+ε, meaning probabilities are "close."
Step 3: What's a "mechanism"?
A mechanism M is any algorithm that takes data and produces output. For ML:
Computing gradients
Releasing model parameters
Answering queries about data statistics
The guarantee: An adversary with unlimited computational power, seeing M(D), cannot confidently determine whether any specific individual is in D.
Why this step? The Laplace distribution's exponential tails create the exact bound we need. Gaussian noise doesn't satisfy pure DP (though it satisfies approximate DP).
Problem: Each gradient ∇ℓ(θ,xi) can contain unbounded information about individual xi.
DP-SGD Fix (Abadi et al., 2016):
Clip each gradient: gˉi=gi/max(1,∥gi∥2/C)
Why? Bounds each per-example gradient norm to C. Under the add/remove neighboring definition, removing one clipped gradient from the sum∑igˉi changes it by at most C, so the sensitivity of the summed gradient is Δ=C. (Under the replace-one definition it would be 2C, since you remove one contribution of norm ≤C and add another.) We use add/remove throughout.
Add Gaussian noise: To the summed clipped gradient ∑igˉi we add noise with standard deviation proportional to the sensitivity C:
g~=B1(∑i=1Bgˉi+N(0,σ2C2I))
Why the 1/B outside? Noise is calibrated to the sensitivity of the sum (∼σC), and then the whole sum (signal + noise) is averaged by 1/B. Equivalently, the noise added to the averaged gradient has standard deviation σC/B per coordinate. Both statements describe the same mechanism; the noise is scaled to sensitivity C of the sum before averaging.
Why Gaussian? We use (ε, δ)-DP (approximate DP) where small failure probability δ is acceptable.
Update: θt+1=θt−ηg~
Privacy accounting: After T steps with Poisson subsampling rate q=B/N, privacy degrades. The moments accountant / advanced-composition bound for the subsampled Gaussian mechanism is:
ε(T)≈q2Tln(1/δ)/σ
Why this scaling? Privacy loss accumulates as T (not linearly!) due to advanced composition, and is amplified by subsampling through the factor q=B/N: an individual only appears in a q fraction of steps. Note the sensitivity C and batch size B do not appear separately here — they are absorbed into the noise multiplier σ (the ratio of noise std to sensitivity), which is the quantity that actually controls privacy.
Low ε (strong privacy): Need large noise → poor model accuracy
High ε (weak privacy): Less noise → better accuracy but more leakage
Practical values:
ε < 1: Strong privacy, significant utility loss
ε = 1-10: Moderate privacy, acceptable utility
ε > 10: Weak privacy, minimal utility impact
Why no free lunch? Information-theoretically, learning requires extracting signal from data. Privacy requires hiding individual contributions. These goals conflict.
Dekho, yaha core baat samajhne ki hai — ML models sirf patterns nahi seekhte, wo apne training data ko literally memorize bhi kar lete hain. Matlab agar tumne kisi language model ko private emails pe train kiya, to wo model kisi ki private email word-by-word wapas nikaal sakta hai. Ya ek medical classifier bata sakta hai ki kisi specific person ka record training set mein tha ya nahi. Traditional privacy poochti thi "kya tum raw data dekh sakte ho?" — par ML privacy ek deeper sawaal poochti hai: "kya tum model se hi individuals ke baare mein infer kar sakte ho?" Yahi reason hai ki model khud ek privacy leak ban jaata hai, chahe tum training data kabhi na dekho.
Ab isse bachne ke liye do concepts kaam aate hain jo ek dusre ke opposite side pe khade hain. Membership Inference Attack ek adversarial technique hai jo pata lagati hai ki koi specific record training mein tha ya nahi — ye attack hai. Aur Differential Privacy (DP) uska defense hai. DP ka core idea simple intuition pe based hai: agar kisi ek bhi individual ka data add ya remove karne se model ke output pe bilkul minimal farak padta hai, to attacker kabhi confidently nahi keh paayega ki wo banda dataset mein tha ya nahi. Mathematically ye guarantee "epsilon" se control hoti hai — jitna chhota epsilon, utni strong privacy. Practically ye Laplace noise add karke achieve karte hain, jaha noise ka amount "sensitivity" (Δf) pe depend karta hai — yaani ek record maximum kitna output badal sakta hai.
Ye matter isliye karta hai kyunki aaj real-world mein healthcare, finance, aur personal data pe models train ho rahe hain, aur ek chhoti si leak legal aur ethical disaster ban sakti hai. DP ki khoobsurti ye hai ki ye ek mathematical guarantee deta hai — even agar attacker ke paas unlimited computing power ho, tab bhi wo individual ke baare mein confidently kuch nahi nikaal paayega. Isliye jab bhi tum sensitive data pe ML padhoge, ye samajhna zaroori hai ki privacy ek afterthought nahi, balki design ka core part honi chahiye — attack aur defense dono ko saath samajhna hi asli picture deta hai.