Papers
Topics
Authors
Recent
Search
2000 character limit reached

Tight Auditing of Differential Privacy in MST and AIM

Published 20 Apr 2026 in cs.CR, cs.AI, and cs.LG | (2604.18352v1)

Abstract: State-of-the-art Differentially Private (DP) synthetic data generators such as MST and AIM are widely used, yet tightly auditing their privacy guarantees remains challenging. We introduce a Gaussian Differential Privacy (GDP)-based auditing framework that measures privacy via the full false-positive/false-negative tradeoff. Applied to MST and AIM under worst-case settings, our method provides the first tight audits in the strong-privacy regime. For $(ฮต,ฮด)=(1,10{-2})$, we obtain $ฮผ_{emp}\approx0.43$ vs. implied $ฮผ=0.45$, showing a small theory-practice gap. Our code is publicly available: https://github.com/sassoftware/dpmm.

Summary

  • The paper demonstrates that a GDP-based auditing method tightly aligns empirical privacy leakage (ฮผ_emp โ‰ˆ 0.43) with theoretical guarantees.
  • It employs a robust hypothesis-testing framework using optimal classifier thresholding and worst-case dataset selection to maximize adversarial advantage.
  • The study validates MST and AIM implementations in strong-privacy settings, ensuring practical DP guarantees that closely mirror zCDP/GDP profiles.

Tight Auditing of Differential Privacy in MST and AIM

Introduction and Motivation

Differentially Private (DP) synthetic data generation is central to privacy-preserving data sharing, especially for sensitive tabular datasets. Two frameworksโ€”MST (Maximum Spanning Tree) and AIM (Adaptive and Iterative Mechanism)โ€”are extensively adopted for this purpose due to their competitive privacy-utility tradeoffs and integration in important applications (e.g., NIST competition, UK Census). Despite the formal (ฯต,ฮด)(\epsilon, \delta)-DP guarantees of these models, rigorously auditing their real-world privacy leakage, particularly in the strong-privacy regime (ฯต=1\epsilon = 1), represents a persistent challenge. Existing empirical audits have been loose or inconclusive, exposing a risk of undetected privacy violations or over-conservative design.

This paper introduces a Gaussian Differential Privacy (GDP)-based empirical auditing methodology for MST and AIM, enabling tight, systematic evaluation of membership inference risk and direct comparison with theoretical guarantees under multiple DP notions.

GDP-Based Auditing Methodology

The cornerstone of the approach is reframing DP auditing through the lens of the hypothesis testing interpretationโ€”specifically, using the full tradeoff between False Positive Rate (FPR) and False Negative Rate (FNR) in Membership Inference Attacks (MIA). This is formalized by mapping each DP guarantee (conventional (ฯต,ฮด)(\epsilon, \delta)-DP, zero-Concentrated DP (zCDP), and GDP) onto a ฮผ\mu-parameterized Gaussian tradeoff curve that sets a lower bound on the achievable adversarial advantage.

The audit apparatus consists of:

  • Worst-case neighboring datasets: DoutD_{out} with identical background records and DinD_{in} differing by a single target record, maximizing susceptibility to MIA.
  • Hybrid threat model: Exploiting both black-box (synthetic data-based) and white-box (model internals) features for MIA feature construction.
  • Large-scale randomized mechanism runs: Training thousands of independent MST/AIM models on both DoutD_{out}/DinD_{in} and releasing synthetic data and/or noisy marginals.
  • Empirical estimation of ฮผemp\mu_{emp}: Adversarial classifiers (XGBoost) are calibrated for maximal empirical advantage, then TPR/FPR tradeoffs are mapped onto the GDP curve to obtain a tight Bayesian lower bound for ฮผ\mu.

A key procedural step is the optimal selection of the classifier decision threshold on validation data to maximize empirical adversarial advantage, ensuring the tightest possible audit bound.

Experimental Evaluation

The central claim is validated through systematic experiments targeting MST/AIM in the independent-marginal regime (identical one-way marginals), under worst-case privacy threat models and parameters ฯต=1\epsilon = 10. Empirical and theoretical tradeoff curves are compared in the ฯต=1\epsilon = 11-GDP framework. Figure 1

Figure 1: Empirical privacy tradeoff of MIA for MST/AIM compared to theoretical GDP and ฯต=1\epsilon = 12-DP bounds across the FPRโ€“FNR spectrum. At ฯต=1\epsilon = 13, empirical leakage nearly saturates the theoretical GDP bound, with ฯต=1\epsilon = 14 and implied ฯต=1\epsilon = 15.

A salient result is the narrow theory-practice gap in the strong-privacy regime: the empirical bound ฯต=1\epsilon = 16 is almost equal to the implied ฯต=1\epsilon = 17 from zCDP accounting, establishing the first nontrivial audit in this regime for MST/AIM. In contrast, direct ฯต=1\epsilon = 18 conversion without the zCDP intermediate step yields weaker privacy (larger ฯต=1\epsilon = 19), underscoring the implications of accounting paths in DP mechanisms.

Optimal threshold selection (Figure 2) is shown to maximize the adversarial advantage, with smooth, stable empirical advantage curves as a function of the decision threshold. Figure 2

Figure 2

Figure 2: Threshold selection on validation data, reporting FPR, FNR, and empirical advantage (TPRโ€“FPR) as the threshold varies. The optimum (ฯต,ฮด)(\epsilon, \delta)0 yields maximal advantage.

The auditing framework's robustness is demonstrated through an extensive ablation study, varying audit component choices (threshold selection, estimator, (ฯต,ฮด)(\epsilon, \delta)1 size, classifier, threat model). The default configuration is consistently the tightest; naively chosen thresholds or estimators can produce vacuous ((ฯต,ฮด)(\epsilon, \delta)2) bounds, explaining prior failures to audit the strong-privacy regime.

Use of higher-order marginals (see Appendix) does not degrade, and in some cases slightly tightens, the empirical audit, confirming the generality of the findings.

Practical and Theoretical Implications

This work provides evidence that MST and AIM, under standard implementations and proper accounting, realize privacy guarantees in practice that closely match their formal zCDP/GDP profiles. The small gap between empirical and theoretical guarantees validates the current accounting and highlights the utility-conserving effect of sound zCDP-to-GDP conversion.

From a theoretical perspective, the audit paradigm adopted here bridges the abstract hypothesis-testing DP view with operational privacy leakage in deployed models. Consistent tightness of the audit bounds across variants and threat models elevates empirical auditing from a diagnostic tool to a reliable certificate of privacy in the strong-regime, at least for mechanisms based on Gaussian noise and marginal measurements.

Future research directions include extending GDP-based auditing to more general generative models (e.g., deep generative models under custom noise injection schemes), and formalizing the statistical properties of the Bayesian lower bound estimator for audit reproducibility, especially for mechanisms that diverge from the Gaussian paradigm. Moreover, practitioners should standardize such tight auditing as part of the responsible deployment pipeline for any DP synthetic data toolchain.

Conclusion

This paper demonstrates that GDP-based empirical privacy auditing provides a practical, reproducible, and tight modality for certifying the privacy of MST and AIM synthetic data generators in the strong-privacy regime. The framework exposes the empirical-theoretical closeness of leakage risks, reinforcing confidence in these mechanisms when correctly implemented and accounted. Broader community adoption of this auditing standard, facilitated by the open-source code release, will further enhance the operational verifiability of DP guarantees and drive higher assurance in differential privacy deployments.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.