Differential Privacy Papers
LightNews LightNews
dppapers.bsky.social
Differential Privacy Papers
@dppapers.bsky.social
470 followers 0 following 1K posts
🤖
new arXiv preprints mentioning "differential privacy" or "differentially private" in the title/abstract
- unrelated quantum/FL papers
+ updates from https://differentialprivacy.org

[Under construction.]
Posts Replies Media Videos
dppapers.bsky.social
Call for Papers - TPDP 2026
The 12th Workshop on the Theory and Practice of Differential Privacy (TPDP 2026) will take place on June 1 and 2 in Boston, MA. The deadline to submit a 4-page abstract is February 18, 2026 AoE, with ...
differentialprivacy.org
January 1, 2026 at 7:08 PM
dppapers.bsky.social
MTSP-LDP: A Framework for Multi-Task Streaming Data Publication under Local Differential Privacy

Chang Liu, Junzhou Zhao

http://arxiv.org/abs/2512.24899
MTSP-LDP: A Framework for Multi-Task Streaming Data Publication under Local Differential Privacy Chang Liu, Junzhou Zhao http://arxiv.org/abs/2512.24899 The proliferation of streaming data analytics in data-driven applications raises critical privacy concerns, as directly collecting user data may compromise personal privacy. Although existing $w$-event local differential privacy (LDP) mechanisms provide formal guarantees without relying on trusted third parties, their practical deployment is hindered by two key limitations. First, these methods are designed primarily for publishing simple statistics at each timestamp, making them inherently unsuitable for complex queries. Second, they handle data at each timestamp independently, failing to capture temporal correlations and consequently degrading the overall utility. To address these issues, we propose MTSP-LDP, a novel framework for \textbf{M}ulti-\textbf{T}ask \textbf{S}treaming data \textbf{P}ublication under $w$-event LDP. MTSP-LDP adopts an \emph{Optimal Privacy Budget Allocation} algorithm to dynamically allocate privacy budgets by analyzing temporal correlations within each window. It then constructs a \emph{data-adaptive private binary tree structure} to support complex queries, which is further refined by cross-timestamp grouping and smoothing operations to enhance estimation accuracy. Furthermore, a unified \emph{Budget-Free Multi-Task Processing} mechanism is introduced to support a variety of streaming queries without consuming additional privacy budget. Extensive experiments on real-world datasets demonstrate that MTSP-LDP consistently achieves high utility across various streaming tasks, significantly outperforming existing methods.
January 1, 2026 at 4:53 AM
dppapers.bsky.social
Distributed Fusion Estimation with Protecting Exogenous Inputs

Liping Guo, Jimin Wang, Yanlong Zhao, Ji-Feng Zhang

http://arxiv.org/abs/2512.22914
Distributed Fusion Estimation with Protecting Exogenous Inputs Liping Guo, Jimin Wang, Yanlong Zhao, Ji-Feng Zhang http://arxiv.org/abs/2512.22914 In the context of distributed fusion estimation, directly transmitting local estimates to the fusion center may cause a privacy leakage concerning exogenous inputs. Thus, it is crucial to protect exogenous inputs against full eavesdropping while achieving distributed fusion estimation. To address this issue, a noise injection strategy is provided by injecting mutually independent noises into the local estimates transmitted to the fusion center. To determine the covariance matrices of the injected noises, a constrained minimization problem is constructed by minimizing the sum of mean square errors of the local estimates while ensuring (ε, δ)-differential privacy. Suffering from the non-convexity of the minimization problem, an approach of relaxation is proposed, which efficiently solves the minimization problem without sacrificing differential privacy level. Then, a differentially private distributed fusion estimation algorithm based on the covariance intersection approach is developed. Further, by introducing a feedback mechanism, the fusion estimation accuracy is enhanced on the premise of the same (ε, δ)-differential privacy. Finally, an illustrative example is provided to demonstrate the effectiveness of the proposed algorithms, and the trade-off between differential privacy level and fusion estimation accuracy.
December 30, 2025 at 4:53 AM
dppapers.bsky.social
Composition Theorems for f-Differential Privacy

Natasha Fernandes, Annabelle McIver, Parastoo Sadeghi

http://arxiv.org/abs/2512.21358
Composition Theorems for f-Differential Privacy Natasha Fernandes, Annabelle McIver, Parastoo Sadeghi http://arxiv.org/abs/2512.21358 "f differential privacy" (fDP) is a recent definition for privacy privacy which can offer improved predictions of "privacy loss". It has been used to analyse specific privacy mechanisms, such as the popular Gaussian mechanism. In this paper we show how fDP's foundation in statistical hypothesis testing implies equivalence to the channel model of Quantitative Information Flow. We demonstrate this equivalence by a Galois connection between two partially ordered sets. This equivalence enables novel general composition theorems for fDP, supporting improved analysis for complex privacy designs.
December 29, 2025 at 4:54 AM
dppapers.bsky.social
Weighted Fourier Factorizations: Optimal Gaussian Noise for Differentially Private Marginal and Product Queries

Christian Janos Lebeda, Aleksandar Nikolov, Haohua Tang

http://arxiv.org/abs/2512.21499
Weighted Fourier Factorizations: Optimal Gaussian Noise for Differentially Private Marginal and Product Queries Christian Janos Lebeda, Aleksandar Nikolov, Haohua Tang http://arxiv.org/abs/2512.21499 We revisit the task of releasing marginal queries under differential privacy with additive (correlated) Gaussian noise. We first give a construction for answering arbitrary workloads of weighted marginal queries, over arbitrary domains. Our technique is based on releasing queries in the Fourier basis with independent noise with carefully calibrated variances, and reconstructing the marginal query answers using the inverse Fourier transform. We show that our algorithm, which is a factorization mechanism, is exactly optimal among all factorization mechanisms, both for minimizing the sum of weighted noise variances, and for minimizing the maximum noise variance. Unlike algorithms based on optimizing over all factorization mechanisms via semidefinite programming, our mechanism runs in time polynomial in the dataset and the output size. This construction recovers results of Xiao et al. [Neurips 2023] with a simpler algorithm and optimality proof, and a better running time. We then extend our approach to a generalization of marginals which we refer to as product queries. We show that our algorithm is still exactly optimal for this more general class of queries. Finally, we show how to embed extended marginal queries, which allow using a threshold predicate on numerical attributes, into product queries. We show that our mechanism is almost optimal among all factorization mechanisms for extended marginals, in the sense that it achieves the optimal (maximum or average) noise variance up to lower order terms.
December 29, 2025 at 4:53 AM
dppapers.bsky.social
First Provable Guarantees for Practical Private FL: Beyond Restrictive Assumptions

Egor Shulgin, Grigory Malinovsky, Sarit Khirirat, Peter Richtárik

http://arxiv.org/abs/2512.21521
First Provable Guarantees for Practical Private FL: Beyond Restrictive Assumptions Egor Shulgin, Grigory Malinovsky, Sarit Khirirat, Peter Richtárik http://arxiv.org/abs/2512.21521 Federated Learning (FL) enables collaborative training on decentralized data. Differential privacy (DP) is crucial for FL, but current private methods often rely on unrealistic assumptions (e.g., bounded gradients or heterogeneity), hindering practical application. Existing works that relax these assumptions typically neglect practical FL features, including multiple local updates and partial client participation. We introduce Fed-$α$-NormEC, the first differentially private FL framework providing provable convergence and DP guarantees under standard assumptions while fully supporting these practical features. Fed-$α$-NormE integrates local updates (full and incremental gradient steps), separate server and client stepsizes, and, crucially, partial client participation, which is essential for real-world deployment and vital for privacy amplification. Our theoretical guarantees are corroborated by experiments on private deep learning tasks.
December 29, 2025 at 4:53 AM
dppapers.bsky.social
Inference in the $p_0$ model for directed networks under local differential privacy

Xueying Sun, Ting Yan, Binyan Jiang

http://arxiv.org/abs/2512.21700
Inference in the $p_0$ model for directed networks under local differential privacy Xueying Sun, Ting Yan, Binyan Jiang http://arxiv.org/abs/2512.21700 We explore the edge-flipping mechanism, a type of input perturbation, to release the directed graph under edge-local differential privacy. By using the noisy bi-degree sequence from the output graph, we construct the moment equations to estimate the unknown parameters in the $p_0$ model, which is an exponential family distribution with the bi-degree sequence as the natural sufficient statistic. We show that the resulting private estimator is asymptotically consistent and normally distributed under some conditions. In addition, we compare the performance of input and output perturbation mechanisms for releasing bi-degree sequences in terms of parameter estimation accuracy and privacy protection. Numerical studies demonstrate our theoretical findings and compare the performance of the private estimates obtained by different types of perturbation methods. We apply the proposed method to analyze the UC Irvine message network.
December 29, 2025 at 4:53 AM
dppapers.bsky.social
Differentially Private Feature Release for Wireless Sensing: Adaptive Privacy Budget Allocation on CSI Spectrograms

Ipek Sena Yilmaz, Onur G. Tuncer, Zeynep E. Aksoy, Zeynep Yağmur Baydemir

http://arxiv.org/abs/2512.20323
Differentially Private Feature Release for Wireless Sensing: Adaptive Privacy Budget Allocation on CSI Spectrograms Ipek Sena Yilmaz, Onur G. Tuncer, Zeynep E. Aksoy, Zeynep Yağmur Baydemir http://arxiv.org/abs/2512.20323 Wi-Fi/RF-based human sensing has achieved remarkable progress with deep learning, yet practical deployments increasingly require feature sharing for cloud analytics, collaborative training, or benchmark evaluation. Releasing intermediate representations such as CSI spectrograms can inadvertently expose sensitive information, including user identity, location, and membership, motivating formal privacy guarantees. In this paper, we study differentially private (DP) feature release for wireless sensing and propose an adaptive privacy budget allocation mechanism tailored to the highly non-uniform structure of CSI time-frequency representations. Our pipeline converts CSI to bounded spectrogram features, applies sensitivity control via clipping, estimates task-relevant importance over the time-frequency plane, and allocates a global privacy budget across spectrogram blocks before injecting calibrated Gaussian noise. Experiments on multi-user activity sensing (WiMANS), multi-person 3D pose estimation (Person-in-WiFi 3D), and respiration monitoring (Resp-CSI) show that adaptive allocation consistently improves the privacy-utility frontier over uniform perturbation under the same privacy budget. Our method yields higher accuracy and lower error while substantially reducing empirical leakage in identity and membership inference attacks.
December 24, 2025 at 4:53 AM
dppapers.bsky.social
Privacy Data Pricing: A Stackelberg Game Approach

Lijun Bo, Weiqiang Chang

http://arxiv.org/abs/2512.18296
Privacy Data Pricing: A Stackelberg Game Approach Lijun Bo, Weiqiang Chang http://arxiv.org/abs/2512.18296 Data markets are emerging as key mechanisms for trading personal and organizational data. Traditional data pricing studies -- such as query-based or arbitrage-free pricing models -- mainly emphasize price consistency and profit maximization but often neglect privacy constraints and strategic interactions. The widespread adoption of differential privacy (DP) introduces a fundamental privacy-utility trade-off: noise protects individuals' privacy but reduces data accuracy and market value. This paper develops a Stackelberg game framework for pricing DP data, where the market maker (leader) sets the price function and the data buyer (follower) selects the optimal query precision under DP constraints. We derive the equilibrium strategies for both parties under a balanced pricing function where the pricing decision variable enters linearly into the original pricing model. We obtain closed-form solutions for the optimal variance and pricing level, and determine the boundary conditions for market participation. Furthermore, we extend the analysis to Stackelberg games involving nonlinear power pricing functions. The model bridges DP and economic mechanism design, offering a unified foundation for incentive-compatible and privacy-conscious data pricing in data markets.
December 23, 2025 at 4:54 AM
dppapers.bsky.social
Protecting Human Activity Signatures in Compressed IEEE 802.11 CSI Feedback

Mohamed Seif, Atsutse Kludze, Yasaman Ghasempour, H. Vincent Poor, Doru Calin, Andrea J. Goldsmith

http://arxiv.org/abs/2512.18529
Protecting Human Activity Signatures in Compressed IEEE 802.11 CSI Feedback Mohamed Seif, Atsutse Kludze, Yasaman Ghasempour, H. Vincent Poor, Doru Calin, Andrea J. Goldsmith http://arxiv.org/abs/2512.18529 Explicit channel state information (CSI) feedback in IEEE~802.11 conveys \emph{transmit beamforming directions} by reporting quantized Givens rotation and phase angles that parametrize the right-singular subspace of the channel matrix. Because these angles encode fine-grained spatial signatures of the propagation environment, recent work have shown that plaintext CSI feedback can inadvertently reveal user activity, identity, and location to passive eavesdroppers. In this work, we introduce a standards-compatible \emph{differentially private (DP) quantization mechanism} that replaces deterministic angular quantization with an $\varepsilon$-DP stochastic quantizer applied directly to the Givens parameters of the transmit beamforming matrix. The mechanism preserves the 802.11 feedback structure, admits closed-form sensitivity bounds for the angular representation, and enables principled privacy calibration. Numerical simulations demonstrate strong privacy guarantees with minimal degradation in beamforming performance.
December 23, 2025 at 4:53 AM
dppapers.bsky.social
DPSR: Differentially Private Sparse Reconstruction via Multi-Stage Denoising for Recommender Systems

Sarwan Ali

http://arxiv.org/abs/2512.18932
DPSR: Differentially Private Sparse Reconstruction via Multi-Stage Denoising for Recommender Systems Sarwan Ali http://arxiv.org/abs/2512.18932 Differential privacy (DP) has emerged as the gold standard for protecting user data in recommender systems, but existing privacy-preserving mechanisms face a fundamental challenge: the privacy-utility tradeoff inevitably degrades recommendation quality as privacy budgets tighten. We introduce DPSR (Differentially Private Sparse Reconstruction), a novel three-stage denoising framework that fundamentally addresses this limitation by exploiting the inherent structure of rating matrices -- sparsity, low-rank properties, and collaborative patterns. DPSR consists of three synergistic stages: (1) \textit{information-theoretic noise calibration} that adaptively reduces noise for high-information ratings, (2) \textit{collaborative filtering-based denoising} that leverages item-item similarities to remove privacy noise, and (3) \textit{low-rank matrix completion} that exploits latent structure for signal recovery. Critically, all denoising operations occur \textit{after} noise injection, preserving differential privacy through the post-processing immunity theorem while removing both privacy-induced and inherent data noise. Through extensive experiments on synthetic datasets with controlled ground truth, we demonstrate that DPSR achieves 5.57\% to 9.23\% RMSE improvement over state-of-the-art Laplace and Gaussian mechanisms across privacy budgets ranging from $\varepsilon=0.1$ to $\varepsilon=10.0$ (all improvements statistically significant with $p < 0.05$, most $p < 0.001$). Remarkably, at $\varepsilon=1.0$, DPSR achieves RMSE of 0.9823, \textit{outperforming even the non-private baseline} (1.0983), demonstrating that our denoising pipeline acts as an effective regularizer that removes data noise in addition to privacy noise.
December 23, 2025 at 4:53 AM
dppapers.bsky.social
Optimizer Dynamics at the Edge of Stability with Differential Privacy

Ayana Hussain, Ricky Fang

http://arxiv.org/abs/2512.19019
Optimizer Dynamics at the Edge of Stability with Differential Privacy Ayana Hussain, Ricky Fang http://arxiv.org/abs/2512.19019 Deep learning models can reveal sensitive information about individual training examples, and while differential privacy (DP) provides guarantees restricting such leakage, it also alters optimization dynamics in poorly understood ways. We study the training dynamics of neural networks under DP by comparing Gradient Descent (GD), and Adam to their privacy-preserving variants. Prior work shows that these optimizers exhibit distinct stability dynamics: full-batch methods train at the Edge of Stability (EoS), while mini-batch and adaptive methods exhibit analogous edge-of-stability behavior. At these regimes, the training loss and the sharpness--the maximum eigenvalue of the training loss Hessian--exhibit certain characteristic behavior. In DP training, per-example gradient clipping and Gaussian noise modify the update rule, and it is unclear whether these stability patterns persist. We analyze how clipping and noise change sharpness and loss evolution and show that while DP generally reduces the sharpness and can prevent optimizers from fully reaching the classical stability thresholds, patterns from EoS and analogous adaptive methods stability regimes persist, with the largest learning rates and largest privacy budgets approaching, and sometimes exceeding, these thresholds. These findings highlight the unpredictability introduced by DP in neural network optimization.
December 23, 2025 at 4:53 AM
dppapers.bsky.social
AlignDP: Hybrid Differential Privacy with Rarity-Aware Protection for LLMs

Madhava Gaikwad

http://arxiv.org/abs/2512.17251
AlignDP: Hybrid Differential Privacy with Rarity-Aware Protection for LLMs Madhava Gaikwad http://arxiv.org/abs/2512.17251 Large language models are exposed to risks of extraction, distillation, and unauthorized fine-tuning. Existing defenses use watermarking or monitoring, but these act after leakage. We design AlignDP, a hybrid privacy lock that blocks knowledge transfer at the data interface. The key idea is to separate rare and non-rare fields. Rare fields are shielded by PAC indistinguishability, giving effective zero-epsilon local DP. Non-rare fields are privatized with RAPPOR, giving unbiased frequency estimates under local DP. A global aggregator enforces composition and budget. This two-tier design hides rare events and adds controlled noise to frequent events. We prove limits of PAC extension to global aggregation, give bounds for RAPPOR estimates, and analyze utility trade-off. A toy simulation confirms feasibility: rare categories remain hidden, frequent categories are recovered with small error.
December 22, 2025 at 4:53 AM
dppapers.bsky.social
An Iconic Heavy Hitter Algorithm Made Private

Rayne Holland

http://arxiv.org/abs/2512.17295
An Iconic Heavy Hitter Algorithm Made Private Rayne Holland http://arxiv.org/abs/2512.17295 Identifying heavy hitters in data streams is a fundamental problem with widespread applications in modern analytics systems. These streams are often derived from sensitive user activity, making update-level privacy guarantees necessary. While recent work has adapted the classical heavy hitter algorithm Misra-Gries to satisfy differential privacy in the streaming model, the privatization of other heavy hitter algorithms with better empirical utility is absent. Under this observation, we present the first differentially private variant of the SpaceSaving algorithm, which, in the non-private setting, is regarded as the state-of-the-art in practice. Our construction post-processes a non-private SpaceSaving summary by injecting asymptotically optimal noise and applying a carefully calibrated selection rule that suppresses unstable labels. This yields strong privacy guarantees while preserving the empirical advantages of SpaceSaving. Second, we introduce a generic method for extracting heavy hitters from any differentially private frequency oracle in the data stream model. The method requires only O(k) additional memory, where k is the number of heavy items, and provides a mechanism for safely releasing item identities from noisy frequency estimates. This yields an efficient, plug-and-play approach for private heavy hitter recovery from linear sketches. Finally, we conduct an experimental evaluation on synthetic and real-world datasets. Across a wide range of privacy parameters and space budgets, our method provides superior utility to the existing differentially private Misra-Gries algorithm. Our results demonstrate that the empirical superiority of SpaceSaving survives privatization and that efficient, practical heavy hitter identification is achievable under strong differential privacy guarantees.
December 22, 2025 at 4:53 AM
dppapers.bsky.social
Improved Lower Bounds for Privacy under Continual Release

Bardiya Aryanfard, Monika Henzinger, David Saulpic, A. R. Sricharan

http://arxiv.org/abs/2512.15981
Improved Lower Bounds for Privacy under Continual Release Bardiya Aryanfard, Monika Henzinger, David Saulpic, A. R. Sricharan http://arxiv.org/abs/2512.15981 We study the problem of continually releasing statistics of an evolving dataset under differential privacy. In the event-level setting, we show the first polynomial lower bounds on the additive error for insertions-only graph problems such as maximum matching, degree histogram and $k$-core. This is an exponential improvement on the polylogarithmic lower bounds of Fichtenberger et al.[ESA 2021] for the former two problems, and are the first continual release lower bounds for the latter. Our results run counter to the intuition that the difference between insertions-only vs fully dynamic updates causes the gap between polylogarithmic and polynomial additive error. We show that for maximum matching and $k$-core, allowing small multiplicative approximations is what brings the additive error down to polylogarithmic. Beyond graph problems, our techniques also show that polynomial additive error is unavoidable for Simultaneous Norm Estimation in the insertions-only setting. When multiplicative approximations are allowed, we circumvent this lower bound by giving the first continual mechanism with polylogarithmic additive error under $(1+ζ)$ multiplicative approximations, for $ζ>0$, for estimating all monotone symmetric norms simultaneously. In the item-level setting, we show polynomial lower bounds on the product of the multiplicative and the additive error of continual mechanisms for a large range of graph problems. To the best of our knowledge, these are the first lower bounds for any differentially private continual release mechanism with multiplicative error. To obtain this, we prove a new lower bound on the product of multiplicative and additive error for 1-Way-Marginals, from which we reduce to continual graph problems. This generalizes the lower bounds of Hardt and Talwar[STOC 2010] and Bun et al.[STOC 20
December 19, 2025 at 4:54 AM
dppapers.bsky.social
Observer-based Differentially Private Consensus for Linear Multi-agent Systems

Xiaofeng Zong, Ming-Yu Wang, Jimin Wang, Ji-Feng Zhang

http://arxiv.org/abs/2512.16736
Observer-based Differentially Private Consensus for Linear Multi-agent Systems Xiaofeng Zong, Ming-Yu Wang, Jimin Wang, Ji-Feng Zhang http://arxiv.org/abs/2512.16736 This paper investigates the differentially private consensus problem for general linear multi-agent systems (MASs) based on output feedback protocols. To protect the output information, which is considered private data and may be at high risk of exposure, Laplace noise is added to the information exchange. The conditions for achieving mean square and almost sure consensus in observer-based MASs are established using the backstepping method and the convergence theory for nonnegative almost supermartingales. It is shown that the separation principle remains valid for the consensus problem of linear MASs with decaying Laplace noise. Furthermore, the convergence rate is provided. Then, a joint design framework is developed for state estimation gain, feedback control gain, and noise to ensure the preservation of ε-differential privacy. The output information of each agent is shown to be protected at every time step. Finally, sufficient conditions are established for simultaneously achieving consensus and preserving differential privacy for linear MASs utilizing both full-order and reduced-order observers. Meanwhile, an ε*-differentially private consensus is achieved to meet the desired privacy level. Two simulation examples are provided to validate the theoretical results.
December 19, 2025 at 4:53 AM
dppapers.bsky.social
PrivateXR: Defending Privacy Attacks in Extended Reality Through Explainable AI-Guided Differential Privacy

Ripan Kumar Kundu, Istiak Ahmed, Khaza Anuarul Hoque

http://arxiv.org/abs/2512.16851
PrivateXR: Defending Privacy Attacks in Extended Reality Through Explainable AI-Guided Differential Privacy Ripan Kumar Kundu, Istiak Ahmed, Khaza Anuarul Hoque http://arxiv.org/abs/2512.16851 The convergence of artificial AI and XR technologies (AI XR) promises innovative applications across many domains. However, the sensitive nature of data (e.g., eye-tracking) used in these systems raises significant privacy concerns, as adversaries can exploit these data and models to infer and leak personal information through membership inference attacks (MIA) and re-identification (RDA) with a high success rate. Researchers have proposed various techniques to mitigate such privacy attacks, including differential privacy (DP). However, AI XR datasets often contain numerous features, and applying DP uniformly can introduce unnecessary noise to less relevant features, degrade model accuracy, and increase inference time, limiting real-time XR deployment. Motivated by this, we propose a novel framework combining explainable AI (XAI) and DP-enabled privacy-preserving mechanisms to defend against privacy attacks. Specifically, we leverage post-hoc explanations to identify the most influential features in AI XR models and selectively apply DP to those features during inference. We evaluate our XAI-guided DP approach on three state-of-the-art AI XR models and three datasets: cybersickness, emotion, and activity classification. Our results show that the proposed method reduces MIA and RDA success rates by up to 43% and 39%, respectively, for cybersickness tasks while preserving model utility with up to 97% accuracy using Transformer models. Furthermore, it improves inference time by up to ~2x compared to traditional DP approaches. To demonstrate practicality, we deploy the XAI-guided DP AI XR models on an HTC VIVE Pro headset and develop a user interface (UI), namely PrivateXR, allowing users to adjust privacy levels (e.g., low, medium, high) while receiving real-time task predicti
December 19, 2025 at 4:53 AM
dppapers.bsky.social
Distributed HDMM: Scalable, Distributed, Accurate, and Differentially Private Query Workloads without a Trusted Curator

Ratang Sedimo, Ivoline C. Ngong, Jami Lashua, Joseph P. Near

http://arxiv.org/abs/2512.15648
Distributed HDMM: Scalable, Distributed, Accurate, and Differentially Private Query Workloads without a Trusted Curator Ratang Sedimo, Ivoline C. Ngong, Jami Lashua, Joseph P. Near http://arxiv.org/abs/2512.15648 We present the Distributed High-Dimensional Matrix Mechanism (Distributed HDMM), a protocol for answering workloads of linear queries on distributed data that provides the accuracy of central-model HDMM without a trusted curator. Distributed HDMM leverages a secure aggregation protocol to evaluate HDMM on distributed data, and is secure in the context of a malicious aggregator and malicious clients (assuming an honest majority). Our preliminary empirical evaluation shows that Distributed HDMM can run on realistic datasets and workloads with thousands of clients in less than one minute.
December 18, 2025 at 4:53 AM
dppapers.bsky.social
The Cost of Adaptation under Differential Privacy: Optimal Adaptive Federated Density Estimation

T. Tony Cai, Abhinav Chakraborty, Lasse Vuursteen

http://arxiv.org/abs/2512.14337
The Cost of Adaptation under Differential Privacy: Optimal Adaptive Federated Density Estimation T. Tony Cai, Abhinav Chakraborty, Lasse Vuursteen http://arxiv.org/abs/2512.14337 Privacy-preserving data analysis has become a central challenge in modern statistics. At the same time, a long-standing goal in statistics is the development of adaptive procedures -- methods that achieve near-optimal performance across diverse function classes without prior knowledge of underlying smoothness or complexity. While adaptation is often achievable at no extra cost in the classical non-private setting, this naturally raises a fundamental question: to what extent is adaptation still possible under privacy constraints? We address this question in the context of density estimation under federated differential privacy (FDP), a framework that encompasses both central and local DP models. We establish sharp results that characterize the cost of adaptation under FDP for both global and pointwise estimation, revealing fundamental differences from the non-private case. We then propose an adaptive FDP estimator that achieves explicit performance guarantees by introducing a new noise mechanism, enabling one-shot adaptation via post-processing. This approach strictly improves upon existing adaptive DP methods. Finally, we develop new lower bound techniques that capture the limits of adaptive inference under privacy and may be of independent interest beyond this problem. Our findings reveal a sharp contrast between private and non-private settings. For global estimation, where adaptation can be achieved for free in the classical non-private setting, we prove that under FDP an intrinsic adaptation cost is unavoidable. For pointwise estimation, where a logarithmic penalty is already known to arise in the non-private setting, we show that FDP introduces an additional logarithmic factor, thereby compounding the cost of adaptation. Taken together, these results provide the first rigorous c
December 17, 2025 at 4:54 AM
dppapers.bsky.social
Black-Box Auditing of Quantum Model: Lifted Differential Privacy with Quantum Canaries

Baobao Song, Shiva Raj Pokhrel, Athanasios V. Vasilakos, Tianqing Zhu, Gang Li

http://arxiv.org/abs/2512.14388
Black-Box Auditing of Quantum Model: Lifted Differential Privacy with Quantum Canaries Baobao Song, Shiva Raj Pokhrel, Athanasios V. Vasilakos, Tianqing Zhu, Gang Li http://arxiv.org/abs/2512.14388 Quantum machine learning (QML) promises significant computational advantages, yet models trained on sensitive data risk memorizing individual records, creating serious privacy vulnerabilities. While Quantum Differential Privacy (QDP) mechanisms provide theoretical worst-case guarantees, they critically lack empirical verification tools for deployed models. We introduce the first black-box privacy auditing framework for QML based on Lifted Quantum Differential Privacy, leveraging quantum canaries (strategically offset-encoded quantum states) to detect memorization and precisely quantify privacy leakage during training. Our framework establishes a rigorous mathematical connection between canary offset and trace distance bounds, deriving empirical lower bounds on privacy budget consumption that bridge the critical gap between theoretical guarantees and practical privacy verification. Comprehensive evaluations across both simulated and physical quantum hardware demonstrate our framework's effectiveness in measuring actual privacy loss in QML models, enabling robust privacy verification in QML systems.
December 17, 2025 at 4:53 AM
dppapers.bsky.social
PrivATE: Differentially Private Average Treatment Effect Estimation for Observational Data

Quan Yuan, Xiaochen Li, Linkang Du, Min Chen, Mingyang Sun, Yunjun Gao, Shibo He, Jiming Chen, Zhikun Zhang

http://arxiv.org/abs/2512.14557
PrivATE: Differentially Private Average Treatment Effect Estimation for Observational Data Quan Yuan, Xiaochen Li, Linkang Du, Min Chen, Mingyang Sun, Yunjun Gao, Shibo He, Jiming Chen, Zhikun Zhang http://arxiv.org/abs/2512.14557 Causal inference plays a crucial role in scientific research across multiple disciplines. Estimating causal effects, particularly the average treatment effect (ATE), from observational data has garnered significant attention. However, computing the ATE from real-world observational data poses substantial privacy risks to users. Differential privacy, which offers strict theoretical guarantees, has emerged as a standard approach for privacy-preserving data analysis. However, existing differentially private ATE estimation works rely on specific assumptions, provide limited privacy protection, or fail to offer comprehensive information protection. To this end, we introduce PrivATE, a practical ATE estimation framework that ensures differential privacy. In fact, various scenarios require varying levels of privacy protection. For example, only test scores are generally sensitive information in education evaluation, while all types of medical record data are usually private. To accommodate different privacy requirements, we design two levels (i.e., label-level and sample-level) of privacy protection in PrivATE. By deriving an adaptive matching limit, PrivATE effectively balances noise-induced error and matching error, leading to a more accurate estimate of ATE. Our evaluation validates the effectiveness of PrivATE. PrivATE outperforms the baselines on all datasets and privacy budgets.
December 17, 2025 at 4:53 AM
dppapers.bsky.social
PerProb: Indirectly Evaluating Memorization in Large Language Models

Yihan Liao, Jacky Keung, Xiaoxue Ma, Jingyu Zhang, Yicheng Sun

http://arxiv.org/abs/2512.14600
PerProb: Indirectly Evaluating Memorization in Large Language Models Yihan Liao, Jacky Keung, Xiaoxue Ma, Jingyu Zhang, Yicheng Sun http://arxiv.org/abs/2512.14600 The rapid advancement of Large Language Models (LLMs) has been driven by extensive datasets that may contain sensitive information, raising serious privacy concerns. One notable threat is the Membership Inference Attack (MIA), where adversaries infer whether a specific sample was used in model training. However, the true impact of MIA on LLMs remains unclear due to inconsistent findings and the lack of standardized evaluation methods, further complicated by the undisclosed nature of many LLM training sets. To address these limitations, we propose PerProb, a unified, label-free framework for indirectly assessing LLM memorization vulnerabilities. PerProb evaluates changes in perplexity and average log probability between data generated by victim and adversary models, enabling an indirect estimation of training-induced memory. Compared with prior MIA methods that rely on member/non-member labels or internal access, PerProb is independent of model and task, and applicable in both black-box and white-box settings. Through a systematic classification of MIA into four attack patterns, we evaluate PerProb's effectiveness across five datasets, revealing varying memory behaviors and privacy risks among LLMs. Additionally, we assess mitigation strategies, including knowledge distillation, early stopping, and differential privacy, demonstrating their effectiveness in reducing data leakage. Our findings offer a practical and generalizable framework for evaluating and improving LLM privacy.
December 17, 2025 at 4:53 AM
dppapers.bsky.social
Differentially Private Community Detection in $h$-uniform Hypergraphs

Javad Zahedi Moghaddam, Aria Nosratinia

http://arxiv.org/abs/2512.12031
Differentially Private Community Detection in $h$-uniform Hypergraphs Javad Zahedi Moghaddam, Aria Nosratinia http://arxiv.org/abs/2512.12031 This paper studies the exact recovery threshold subject to preserving the privacy of connections in $h$-uniform hypergraphs. Privacy is characterized by the $(ε, δ)$-hyperedge differential privacy (DP), an extension of the notion of $(ε, δ)$-edge DP in the literature. The hypergraph observations are modeled through a $h$-uniform stochastic block model ($h$-HSBM) in the dense regime. We investigate three differentially private mechanisms: stability-based, sampling-based, and perturbation-based mechanisms. We calculate the exact recovery threshold for each mechanism and study the contraction of the exact recovery region due to the privacy budget, $(ε, δ)$. Sampling-based mechanisms and randomized response mechanisms guarantee pure $ε$-hyperedge DP where $δ=0$, while the stability-based mechanisms cannot achieve this level of privacy. The dependence of the limits of the privacy budget on the parameters of the $h$-uniform hypergraph is studied. More precisely, it is proven rigorously that the minimum privacy budget scales logarithmically with the ratio between the density of in-cluster hyperedges and the cross-cluster hyperedges for stability-based and Bayesian sampling-based mechanisms, while this budget depends only on the size of the hypergraph for the randomized response mechanism.
December 16, 2025 at 4:54 AM
dppapers.bsky.social
Differentially Private Online Distributed Aggregative Games With Time-Varying and Non-Identical Communication and Feedback Delays

Olusola Odeyomi, Tokunbo Ogunfunmi, Adjovi Laba

http://arxiv.org/abs/2512.12344
Differentially Private Online Distributed Aggregative Games With Time-Varying and Non-Identical Communication and Feedback Delays Olusola Odeyomi, Tokunbo Ogunfunmi, Adjovi Laba http://arxiv.org/abs/2512.12344 This paper investigates online distributed aggregative games with time-varying cost functions, where agents are interconnected through an unbalanced communication graph. Due to the distributed and noncooperative nature of the game, some curious agents may wish to steal sensitive information from neighboring agents during parameter exchanges. Additionally, communication delays arising from network congestion, particularly in wireless settings, as well as feedback delays, can hinder the convergence of agents to a Nash equilibrium. Although a recent work addressed both communication and feedback delays in aggregative games, it is based on the unrealistic assumption that the delays are fixed over time and identical across agents. Hence, the case of time-varying and non-identical delays across agents has never been considered in aggregative games. In this work, we address the combined challenges of privacy leakage with time-varying and non-identical communication and feedback delays for the first time. We propose an online distributed dual averaging algorithm that simultaneously tackles these challenges while achieving a provably low regret bound. Our simulation result shows that the running average of each client's local action converges over time.
December 16, 2025 at 4:53 AM
dppapers.bsky.social
DP-EMAR: A Differentially Private Framework for Autonomous Model Weight Repair in Federated IoT Systems

Chethana Prasad Kabgere, Shylaja S S

http://arxiv.org/abs/2512.13460
DP-EMAR: A Differentially Private Framework for Autonomous Model Weight Repair in Federated IoT Systems Chethana Prasad Kabgere, Shylaja S S http://arxiv.org/abs/2512.13460 Federated Learning (FL) enables decentralized model training without sharing raw data, but model weight distortion remains a major challenge in resource constrained IoT networks. In multi tier Federated IoT (Fed-IoT) systems, unstable connectivity and adversarial interference can silently alter transmitted parameters, degrading convergence. We propose DP-EMAR, a differentially private, error model based autonomous repair framework that detects and reconstructs transmission induced distortions during FL aggregation. DP-EMAR estimates corruption patterns and applies adaptive correction before privacy noise is added, enabling reliable in network repair without violating confidentiality. By integrating Differential Privacy (DP) with Secure Aggregation (SA), the framework distinguishes DP noise from genuine transmission errors. Experiments on heterogeneous IoT sensor and graph datasets show that DP-EMAR preserves convergence stability and maintains near baseline performance under communication corruption while ensuring strict (epsilon, delta)-DP guarantees. The framework enhances robustness, communication efficiency, and trust in privacy preserving Federated IoT learning.
December 16, 2025 at 4:53 AM