f-DP: Unified Privacy Analysis Framework

Updated 28 November 2025

f-DP is a generalization of differential privacy that uses hypothesis-testing trade-off functions to deliver lossless and compositional privacy analysis.
It offers exact composition, privacy amplification by subsampling, and robust auditing, making it effective for federated learning and decentralized protocols.
The framework enables optimal conversion to classical DP parameters, yielding sharper privacy-utility trade-offs for various mechanism designs.

$f$ -DP Approach

The $f$ -DP approach generalizes differential privacy (DP) using hypothesis-testing-based trade-off functions, yielding a lossless, compositional, and robust framework for analyzing privacy in diverse settings. It subsumes $(\epsilon,\delta)$ -DP and Rényi DP, enables optimal privacy accounting for complex mechanisms, and provides sharper privacy-utility trade-offs across mechanism design, federated learning, decentralized protocols, and communication-efficient private learning.

1. Definition and Theoretical Foundations

Let $P,Q$ be probability distributions (typically, the outputs of a randomized mechanism $M$ on adjacent datasets). For any randomized test $\phi\colon\mathcal{X}\to[0,1]$ , define the Type I error $\alpha_\phi=\mathbb{E}_P[\phi]$ and Type II error $\beta_\phi=1-\mathbb{E}_Q[\phi]$ . The trade-off function (ROC curve) is

$T(P,Q)(\alpha) = \inf_{\phi:\,\alpha_\phi\le\alpha} \beta_\phi, \quad \alpha\in[0,1].$

A function $f\colon[0,1]\to[0,1]$ is a valid trade-off if convex, continuous, nonincreasing, and $f(\alpha)\le 1-\alpha$ . A mechanism $M$ is $f$ -differentially private ( $f$ -DP) if for all adjacent datasets $D,D'$ ,

$T(M(D), M(D')) \ge f.$

Classical $(\epsilon,\delta)$ -DP is recovered as the special case $f_{(\epsilon,\delta)}(\alpha) = \max\{0, 1-\delta-e^\epsilon\alpha, e^{-\epsilon}(1-\delta-\alpha)\}$ , while Gaussian DP corresponds to $f(\alpha) = \Phi(\Phi^{-1}(1-\alpha)-\mu)$ where $\Phi$ is the standard normal CDF (Dong et al., 2019, Wang et al., 2023).

Key theoretical properties:

Postprocessing invariance: $f$ -DP guarantees are preserved under arbitrary data-independent mappings.
Exact composition: $f$ -DP is closed under sequential and adaptive composition via tensor products of trade-off functions, without losing tightness (Dong et al., 2019).
Relation to RDP: Rényi differential privacy arises as a special case of $f$ -divergence-based relaxations (Asoodeh et al., 2020).

2. Composition, Subsampling, and Amplification

Composition plays a central role in privacy analysis:

For $f_i$ -DP mechanisms $M_i$ , the composite mechanism is $f_1\otimes\cdots\otimes f_n$ -DP, where

$(f_1\otimes f_2)(\alpha) = T(P_1\times P_2, Q_1\times Q_2)(\alpha).$

For Gaussian DP, this yields compositional additivity of privacy budgets: $G_{\mu_1}\otimes G_{\mu_2} = G_{\sqrt{\mu_1^2+\mu_2^2}}$ (Dong et al., 2019).

Privacy amplification by subsampling: If $M$ is $f$ -DP, applying $M$ to a random $p$ -fraction of the data yields $C_p(f)$ -DP, where $C_p$ is a resolvent operator on trade-off functions. For $(\epsilon,\delta)$ -DP, this produces strictly tighter bounds than classical analysis (Dong et al., 2019).
Group privacy: For $g$ -adjacent changes, the trade-off satisfies $f_{group}(\alpha) = 1 - (1-f)^{\circ g}(\alpha)$ . In the context of Gaussian DP, this yields $G_{g\mu}$ (Dijk et al., 2022).

3. $f$ -DP in Mechanism Design: Discrete and Mixture Mechanisms

$f$ -DP directly supports non-Gaussian, discrete, or mixture mechanisms:

Finite-output and compressed mechanisms: For binomial-noise, binomial mechanisms, and stochastic sign-based compressors, $f$ -DP bounds can be computed exactly as lower envelopes of the induced trade-off functions (often closed form by the Neyman–Pearson lemma) (Jin et al., 2023). This yields optimal privacy analysis in distributed mean estimation, enabling arbitrarily low communication cost without sacrificing accuracy or privacy—thereby breaking the conventional privacy-communication-accuracy trilemma.
Privacy amplification by sparsification: Ternary compressors and random dropping schemes provide privacy gains reflected as flat segments in the $f$ -DP curve, unattainable in pure $(\epsilon,\delta)$ -DP (Jin et al., 2023).
Mixture mechanisms: The joint concavity of trade-off functions (Lemma 2.1) and advanced joint concavity (Lemma 4.3) yield pointwise, near-optimal bounds for mechanisms involving random initialization, shuffling, or batch subsampling. $f$ -DP's inequalities unify and strengthen all previous mixture analyses; shuffling models and randomized initializations are handled seamlessly, resulting in significant privacy amplification compared to prior $(\epsilon,\delta)$ bounds (Wang et al., 2023).

4. $f$ -DP in Distributed and Federated Learning

The $f$ -DP approach is pivotal in privacy accounting for federated and decentralized learning:

Federated learning convergence: In classical FL with per-round noise, standard composition yields privacy losses that diverge as the number of rounds grows. Using $f$ -DP, and leveraging the shifted interpolation technique, provably convergent bounds are achieved for both noisy FedAvg and FedProx, even for non-convex objectives (Sun et al., 28 Aug 2024). Explicit convergence rates can be computed in terms of exact trade-off functions, and these can be converted to $(\epsilon,\delta)$ -DP or RDP without loss.
Decentralized protocols: In random-walk or gossip-based decentralized SGD, $f$ -DP quantifies pairwise privacy between any two users via the first-hit time distributions of the communication Markov chain. This enables granular, topology-aware privacy accounting (PN- $f$ -DP). Moreover, secret-based correlated noise protocols, where noise is shared between users via cryptographic secrets, are analyzed via $f$ -DP to achieve near-central utility in the presence of honest-but-curious adversaries (Li et al., 22 Oct 2025).
Empirical comparison and impact: Across complex network topologies, $f$ -DP-based accounting was empirically shown to yield %%%%50 $P,Q$ 51%%%% less noise (and 5–15% higher utility) relative to RDP-based accounting at fixed $(\epsilon,\delta)$ (Li et al., 22 Oct 2025).

5. Auditing, Estimation, and Black-Box Validation

Auditing mechanisms for $f$ -DP are enabled by the hypothesis-testing foundation:

Statistical estimation of $f$ -DP: Black-box estimation, using perturbed likelihood-ratio tests, kernel density estimation, and k-NN Bayes classification, provides uniform confidence intervals on the entire trade-off curve, with nonparametric convergence guarantees (Askin et al., 10 Feb 2025).
Empirical audits in practice: One-run randomized injection games and tail-bound-based scoring enable empirical estimation of $f$ -DP (and thus $(\epsilon,\delta)$ ) from a single run of a private mechanism. Empirical results on DP mechanisms demonstrate that $f$ -DP-based audits deliver up to 2 $\times$ tighter privacy estimates than prior $(\epsilon,\delta)$ audits, particularly for high-dimensional or Gaussian mechanisms (Mahloujifar et al., 29 Oct 2024).
Sample complexity and robustness: Empirical $f$ -DP estimation is feasible and practical at sample sizes $m=10^5$ – $10^7$ for canonical mechanisms, overcoming the scalability limits of earlier black-box DP audits.

6. Conversion to Classical DP, Bounds, and Accounting

Given an $f$ -DP trade-off $f$ , the optimal $(\epsilon,\delta)$ -DP parameters can be derived via convex conjugation: $\delta(\epsilon) = 1 + f^*(-e^\epsilon),$ where $f^*$ is the Legendre–Fenchel dual. For symmetric $f$ , this conversion is tight and lossless (Dong et al., 2019, Wang et al., 2023). This mechanism yields strictly improved conversions from RDP to $(\epsilon,\delta)$ -DP compared to the classical "moment accountant"—resulting in substantial reductions in required noise for private SGD, and enabling up to 100 additional training rounds under the same privacy budget in concrete settings (Asoodeh et al., 2020).

In mixture mechanisms (e.g., shuffling, random initialization), the advanced joint concavity of trade-offs yields improved bounds in the low- $\alpha$ regime, crucial for small- $\delta$ $(\epsilon,\delta)$ privacy (Wang et al., 2023).

7. Impact, Limitations, and Future Directions

The $f$ -DP framework achieves an information-theoretically lossless, optimal, and compositional theory of privacy, underpinning:

Lossless analysis for arbitrary composition, post-processing, and subsampling (Dong et al., 2019).
Optimal privacy-utility-accounting in federated and decentralized learning, including robust handling of correlated noise and communication constraints (Li et al., 22 Oct 2025, Sun et al., 28 Aug 2024).
Tight privacy for compressed, discrete, and mixture mechanisms, including those not covered by $(\epsilon,\delta)$ -DP or RDP (Jin et al., 2023, Wang et al., 2023).
Robust, black-box empirical auditing and privacy validation (Askin et al., 10 Feb 2025, Mahloujifar et al., 29 Oct 2024).

Potential limitations include computational costs for numerical composition in large-scale graphs, and extensions to time-varying or non-Gaussian mechanisms. Future research is expected to develop scalable computational tools for $f$ -DP evaluation and numerical accounting, extend the analysis to more adversarial threat models, and further generalize the application of $f$ -DP to interactive and adaptive data analysis regimes.

References:

(Dong et al., 2019, Asoodeh et al., 2020, Wang et al., 2023, Jin et al., 2023, Dijk et al., 2022, Sun et al., 28 Aug 2024, Li et al., 22 Oct 2025, Askin et al., 10 Feb 2025, Mahloujifar et al., 29 Oct 2024).