Edge Differential Privacy
- Edge differential privacy is a graph-theoretic guarantee that protects the existence of individual edges by ensuring minimal output changes when a single edge is added or removed.
- It applies calibrated noise—such as Laplace or randomized response—in various models (central, local, dynamic) to balance accuracy with privacy in network analysis.
- Recent advances optimize mechanisms for dynamic graphs and edge-device settings, enabling improved utility in applications like federated learning and spectral analysis.
Searching arXiv for recent and foundational papers on edge differential privacy to ground the article. Edge differential privacy is a graph-theoretic specialization of differential privacy in which the protected unit is an edge: the mechanism must hide whether any particular edge exists. In the standard graph setting, two graphs are neighboring when they share the same vertex set and differ in exactly one edge, or, in some formulations, in at most edges. The same privacy idea extends to the local model, where each vertex privatizes its own adjacency vector before any communication, and to fully dynamic graphs, where privacy is defined over edge insertions and deletions over time. A distinct systems usage applies differential privacy at the edge device in cloud–edge inference and federated learning, where inputs, feature maps, or gradients are privatized before leaving the device (Chen et al., 2021, Hawkins et al., 2022, Eden et al., 2023, Raskhodnikova et al., 2024, Wang et al., 2022, Li et al., 2019).
1. Definitions and adjacency relations
Standard -differential privacy requires that for all neighboring datasets and all events ,
When datasets are graphs and neighboring means “differ in one edge,” the mechanism is edge-differentially private (Eden et al., 2023). For an undirected graph on a fixed vertex set, the canonical adjacency relation is
and some work generalizes this to
so that the mechanism protects the presence or absence of any subset of up to edges (Chen et al., 2021, Hawkins et al., 2022).
This notion is weaker than node differential privacy. Node-DP considers two graphs neighboring if one can be obtained from the other by removing a node and all its incident edges, or, equivalently, if they differ by one node and all of its relationships. The graph-DP literature repeatedly emphasizes that node-DP is strictly stronger and typically much more costly in utility, whereas edge-DP is appropriate when the set of nodes is public and the sensitive information lies in the relationships between them (Eden et al., 2023, Hu et al., 25 Nov 2025, Hawkins et al., 2022).
The same edge-based adjacency appears outside ordinary graph analytics. In coverage problems, a set system can be viewed as a bipartite graph between sets and elements, and changing the membership of one element in one set is exactly one edge change in that incidence graph. Under that representation, edge-differential privacy for coverage coincides with standard edge-DP on graphs (Dhulipala et al., 2024). In work on network connectedness indices, the adjacency notion is slightly stronger: two labeled networks are edge-adjacent if they differ by at most one edge and in at most one node attribute, so a single release simultaneously protects one tie and one label (Rutter et al., 16 Mar 2026).
2. Central, local, and dynamic privacy models
In the central model, a trusted curator holds the whole graph and releases a noisy statistic. This is the model used for graph Laplacian spectra, algebraic connectivity, power-law exponent estimation, connectedness indices, spectral clustering, and fully dynamic graph release (Chen et al., 2021, Hawkins et al., 2022, Tan et al., 22 Apr 2026, Rutter et al., 16 Mar 2026, Seif et al., 8 Oct 2025, Raskhodnikova et al., 2024). Utility is then determined by the global sensitivity of the graph statistic and by the chosen perturbation mechanism.
In the local model, there is no trusted curator. Each vertex is a party holding its adjacency vector 0, and each party applies an 1-local randomizer to that vector before sending anything to an aggregator. A local randomizer 2 satisfies
3
for any two adjacency vectors that differ in one bit. A distributed graph algorithm is locally edge differentially private (LEDP) if the full interaction transcript is edge-DP with respect to the underlying graph (Eden et al., 2023). This model is especially restrictive because an edge belongs to the local views of both endpoints.
For dynamic graphs, privacy is defined over a sequence 4 of graphs that evolve through edge insertions and deletions. The literature distinguishes two variants. Item-level edge privacy protects the entire life history of one edge: two streams are neighbors if they differ only in the updates involving a single edge. Event-level edge privacy is weaker: one insertion event and the matching deletion event of a single edge may differ, while the rest of the stream is identical. In partially dynamic streams, such as insert-only or delete-only streams, event-level and item-level coincide (Raskhodnikova et al., 2024).
A distinct usage of the term appears in systems papers on edge computing. There, “edge differential privacy” or “edge-side differential privacy” refers not to graph-edge adjacency, but to the location where the noise is added: the edge device applies a DP mechanism to feature maps or gradients before offloading computation to the cloud or a server (Wang et al., 2022, Li et al., 2019). This suggests that the term has two established meanings: a graph-specific adjacency notion and an edge-device deployment pattern.
3. Mechanism families and sensitivity calibration
A central mechanism family is the Laplace mechanism calibrated to edge sensitivity. For algebraic connectivity 5, the sensitivity bound
6
follows from Gershgorin’s theorem and eigenvalue perturbation inequalities when two graphs differ in at most 7 edges (Chen et al., 2021). Because 8, two spectral papers replace unbounded Laplace noise by a bounded Laplace mechanism supported on 9, avoiding invalid negative or overly large outputs and improving accuracy near the domain boundaries (Chen et al., 2021, Hawkins et al., 2022).
Randomized response is the standard local mechanism for edge indicators. For a bit 0, the local randomizer outputs the true bit with probability 1 and flips it with probability 2. In local triangle counting, this is applied to adjacency bits, then rescaled so that the resulting variable has expectation equal to the true edge indicator. Products of three such unbiased edge estimators yield an unbiased triangle estimator (Eden et al., 2023).
Several papers privatize low-dimensional sufficient statistics instead of high-dimensional graph objects. For estimating a power-law exponent, the central mechanism perturbs
3
using Laplace noise with edge sensitivities 4 and 5, respectively, rather than releasing a noisy degree histogram (Tan et al., 22 Apr 2026). In connectedness indices, the mechanism first perturbs node labels using randomized response, analytically debiases the resulting neighbor-share statistics, and then adds a second layer of Laplace noise calibrated to edge sensitivity (Rutter et al., 16 Mar 2026).
In edge-side systems, sensitivity is bounded by clipping. CIS clips each feature-map channel by an 6 threshold 7, so the channel sensitivity is 8, then adds iid Laplace noise with scale 9 per channel. The total privacy budget is split across channels according to feature-map rank (Wang et al., 2022). In asynchronous federated learning, MAPA clips each mini-batch gradient to an 0 threshold 1 and adds radial Laplace noise with density proportional to 2, yielding per-iteration sample-level DP at the edge (Li et al., 2019).
4. Triangle counting and local graph analysis
Triangle counting is the canonical higher-order test case for edge-DP because each triangle depends on three edges. In the local model, a noninteractive 3-LEDP estimator based on randomized response is unbiased and has variance
4
which implies high-probability error
5
For constant 6, dense graphs with 7 therefore incur 8 additive error (Eden et al., 2023).
The same paper proves matching hardness in the noninteractive model: any noninteractive 9-LEDP triangle counting algorithm must incur 0 additive error for small constant 1. The proof uses a reconstruction attack built from outer-product queries and a mix-and-match strategy for reusing local randomizer outputs across multiple hypothetical graphs (Eden et al., 2023). Interaction helps, but not arbitrarily: for interactive LEDP, the paper proves a lower bound of 2 on additive error by reducing from the local-DP sum-of-bits problem (Eden et al., 2023). This directly contradicts the misconception that adaptivity alone removes the local hardness of graph analytics.
A later LEDP paper refines the practical side of this picture. For 3-core decomposition and triangle counting, it replaces graph-size-driven error bounds by bounds that depend on maximum degree or degeneracy. Its triangle counting algorithm first computes a private low out-degree orientation, then applies a refined variant of randomized response, obtaining variance
4
and additive error
5
where 6 is degeneracy and 7 is the number of oriented 8-cycles (Mundra et al., 25 Jun 2025). On real-world graphs, the same work reports that its 9-core decomposition achieves errors within 0 of exact values, while the baseline of Dhulipala et al. has 1 error, and that its triangle counting algorithm reduces multiplicative approximation errors by up to six orders of magnitude (Mundra et al., 25 Jun 2025). This suggests that, within LEDP, exploiting input-dependent structure can be more important than changing the privacy model itself.
5. Spectral, degree, and connectedness statistics
Spectral graph quantities are a natural domain for edge-DP because their global sensitivity can be bounded analytically. For algebraic connectivity 2, one paper proves 3 and uses bounded Laplace noise to release a private 4. The resulting private value is shown to support accurate estimates of consensus convergence rates and accurate bounds on graph diameter and mean distance (Chen et al., 2021). A later paper extends the same mechanism to the entire Laplacian spectrum and derives scaling laws showing that, for fixed 5, edge-DP noise variance for eigenvalues is 6 in 7, whereas node-DP variance is 8. It concludes that edge-DP is better suited to most engineering applications involving Laplacian spectra (Hawkins et al., 2022).
Edge-DP also supports low-dimensional parametric estimation. For the power-law exponent 9 of the degree distribution tail, the paper “Estimating Power-Law Exponent with Edge Differential Privacy” privatizes only the sufficient statistics needed for estimation, rather than a noisy degree histogram. In the centralized model it supports both the discrete approximation
0
and likelihood-based numerical optimization based on privatized 1 and 2 (Tan et al., 22 Apr 2026). Experiments show that numerical optimization on the privatized sufficient statistics substantially outperforms both histogram-based release and the discrete approximation, in both centralized and local settings (Tan et al., 22 Apr 2026).
Connectedness indices provide a different example. For binary labels, the mechanism perturbs labels with randomized response, constructs debiased weights
3
forms a ratio estimator 4, and then adds Laplace noise scaled to the edge sensitivity of 5 (Rutter et al., 16 Mar 2026). For continuous labels in 6, the paper uses truncated Laplace noise on attributes, computes a bounded-DP regression of average friend label on own label, and then applies an errors-in-variables correction. It proves consistency and asymptotic normality for both discrete and continuous labels, and reports that the method works well on simulations and on real networks with as few as 200 nodes (Rutter et al., 16 Mar 2026).
A common misconception is that direct noisy release of primitive graph objects is always the natural route. These examples show the opposite: privatizing only the analytically sufficient statistics can avoid the distortion introduced by releasing a full degree distribution or a full labeled adjacency structure (Tan et al., 22 Apr 2026, Rutter et al., 16 Mar 2026).
6. Fully dynamic graphs and reductions to stronger privacy notions
Fully dynamic graph privacy requires continual release under edge insertions and deletions. The paper “Fully Dynamic Graph Algorithms with Edge Differential Privacy” studies event-level and item-level edge privacy in this setting and gives the first fully dynamic private algorithms for triangle count, number of connected components, maximum matching size, and degree histogram. It also gives the first nontrivial item-level fully dynamic graph algorithms, which had not been known previously (Raskhodnikova et al., 2024).
The same work establishes strong lower bounds. For event-level triangle counting it proves polynomial lower bounds in 7 and 8 by reducing from submatrix queries, and for several item-level problems its algorithms match the lower bounds up to polylogarithmic factors (Raskhodnikova et al., 2024). This suggests that, in continual release, edge privacy imposes intrinsic polynomial-in-9 accuracy costs for many structural statistics even when the protected unit is only an edge and not a node.
Edge-DP is also used as a primitive for node-DP. The framework N2E reduces node-DP graph tasks to edge-DP ones by combining distance-preserving clipping with a node-DP mechanism for maximum degree approximation. Its central guarantee is that the resulting node-DP error depends on the graph’s true maximum degree rather than on a worst-case node bound, which allows existing edge-DP mechanisms to be reused for node-DP edge counting, maximum degree estimation, and degree distribution estimation (Hu et al., 25 Nov 2025). The paper reports up to a 0 reduction in error for edge counting and up to an 1 reduction for degree distribution estimation relative to prior node-DP approaches (Hu et al., 25 Nov 2025). A plausible implication is that, for many tasks, the main technical difficulty lies not in the edge-DP mechanism itself but in controlling how node adjacency expands into edge distance.
7. Edge-side differential privacy in cloud–edge systems
A distinct usage of the term appears in systems research on collaborative inference and federated learning. In CIS, a deep neural network is split at a cut layer 2 into an edge-side subnetwork and a cloud-side subnetwork. The edge computes the intermediate feature map 3, clips each channel by an 4 threshold 5, and releases
6
with the total privacy budget distributed across channels according to feature-map rank (Wang et al., 2022). By composition over channels, the full cut layer satisfies pure 7-DP, and by post-processing the final cloud prediction inherits the same guarantee (Wang et al., 2022). The paper explicitly shows that “not sending the raw image” is not enough: intermediate feature maps support white-box and black-box reconstruction attacks unless they are privatized (Wang et al., 2022).
In asynchronous federated learning, MAPA applies DP at the edge by clipping mini-batch gradients and adding radial Laplace noise before upload. With gradient sensitivity 8, the noise density is
9
giving per-iteration 0-DP at the sample level (Li et al., 2019). The paper analyzes convergence under both asynchrony and DP noise, and proposes a multi-stage schedule that shrinks both the clipping bound and the learning rate over time (Li et al., 2019).
These systems papers are not about graph-edge adjacency. They are about applying differential privacy at the edge device. Still, they are part of the modern literature around “edge differential privacy,” and they reinforce a shared design principle: privacy is often improved by clipping, privatizing low-dimensional or intermediate representations, and allocating budget where it most affects utility (Wang et al., 2022, Li et al., 2019).
Edge differential privacy therefore denotes a family of closely related ideas rather than a single mechanism. In graph analysis, it is the formal guarantee that adding or removing one edge produces only a small change in the output distribution. In local and dynamic graph models, that guarantee becomes a constraint on transcripts or update streams. In edge-computing systems, the same phrase can denote where the privacy mechanism is enforced. Across these settings, the recurring themes are sensitivity control, structure-aware postprocessing, and a persistent tradeoff: edge-DP is substantially more accurate than node-DP for many graph tasks, but it can still impose sharp lower bounds for higher-order structure and continual release (Eden et al., 2023, Hawkins et al., 2022, Raskhodnikova et al., 2024).