f-DP Framework: Hypothesis-Testing Privacy

• f-DP is a mathematical privacy framework that uses hypothesis-testing trade-offs to precisely quantify privacy leakage.
• It generalizes (ε, δ)-DP, RDP, and GDP by employing a trade-off function that controls type I and II error probabilities.
• f-DP supports lossless composition and privacy amplification, yielding tighter privacy-utility trade-offs in complex, decentralized settings.

$f$-DP Framework

The $f$-differential privacy ($f$-DP) framework is a mathematical formalism for quantifying privacy leakage in data analysis mechanisms, using a hypothesis-testing perspective. $f$-DP generalizes traditional $(\epsilon,\delta)$-differential privacy and Rényi differential privacy (RDP), enabling precise privacy accounting, especially in complex scenarios such as decentralized federated learning, shuffling, and mixture mechanisms. Instead of summary parameters, $f$-DP characterizes privacy guarantees through a trade-off function $f$ that tightly controls the relation between type I and type II error probabilities in optimal adversarial hypothesis tests between neighboring datasets.

1. Formal Definition and Core Principles

Let $\mathcal{A}$ be a randomized mechanism, and for any pair of adjacent datasets $D, D'$, let $P = \mathrm{Law}(\mathcal{A}(D))$, $Q = \mathrm{Law}(\mathcal{A}(D'))$ be the corresponding output distributions. The $f$-DP guarantee relies on the hypothesis-testing trade-off function: $$T(P,Q)(\alpha) = \inf\{\,\beta_\phi \mid \phi\ \text{test},\ \Pr_P[\phi]=\alpha\,\}$$ where $\alpha$ is type-I error and $\beta_\phi = 1-\mathbb{E}_Q[\phi]$ is type-II error.

A mechanism $\mathcal{A}$ is $f$-DP if, for all neighboring $D \sim D'$, $$T(\mathrm{Law}(\mathcal{A}(D)), \mathrm{Law}(\mathcal{A}(D'))) \geq f$$, with $f$ a valid trade-off function—symmetric, non-increasing, convex (after symmetrization), and satisfying $f(\alpha) \leq 1-\alpha$.

This framework precisely characterizes the privacy risk posed by any possible adversary: the function $f$ gives the strongest bound on the achievable type-II error as a function of type-I error.

2. Relationship to $(\epsilon, \delta)$-DP, RDP, and GDP

$(\epsilon, \delta)$-DP

Every symmetric $f$ defines an $(\epsilon, \delta)$-DP guarantee via

$\delta(\epsilon) = 1 + f^*(-e^\epsilon)$

where $f^*$ is the convex conjugate of $f(\cdot)-\cdot$. Conversely, $(\epsilon, \delta)$-DP admits a trade-off function: $$f(\alpha) = \max\left\{0,\, 1-\delta-e^\epsilon\alpha,\, e^{-\epsilon}(1-\delta-\alpha)\right\}$$

Rényi Differential Privacy (RDP)

If a mechanism is $f$-DP, it is also RDP in the sense that for all orders $\alpha > 1$,

$$\epsilon_f(\alpha) = \frac{1}{\alpha - 1}\log \int_0^1 |f'(x)|^{1-\alpha}\, dx$$

Specifically, if $f = G_\mu$, the Gaussian trade-off curve, then the mechanism is $(\alpha, \frac{1}{2}\mu^2\alpha)$-RDP.

Gaussian Differential Privacy (GDP)

GDP is a one-parameter subclass of $f$-DP where $f=G_\mu$ with

$G_\mu(\alpha) = \Phi(\Phi^{-1}(1-\alpha) - \mu)$

corresponding to the optimal trade-off in distinguishing two shifted univariate Gaussians. This class arises as the universal limit for the composition of arbitrary $f$-DP mechanisms by a central limit theorem (Dong et al., 2019).

3. Lossless Composition and Privacy Amplification

One of the principal advantages of $f$-DP is that it enables lossless privacy accounting under composition and privacy amplification by subsampling and iteration:

• Sequential Composition: If $\mathcal{A}_1$ is $f_1$-DP and $\mathcal{A}_2$ is $f_2$-DP on independent randomness, $(\mathcal{A}_1, \mathcal{A}_2)$ is $f_1 \otimes f_2$-DP, where the tensor product is the trade-off of the product distributions. $f_1^{\otimes n}$ can be computed via repeated convolution, yielding strictly tighter bounds than composition in $(\epsilon,\delta)$-DP.
• Joint Concavity: If $P_w = \sum_i w_i P_i$, $Q_w = \sum_i w_i Q_i$, then $T(P_w, Q_w) \succeq \sum_i w_i f_i$ for $f_i = T(P_i, Q_i)$, with the same mixture of likelihood-ratio thresholds (Wang et al., 2023).
• Privacy Amplification by Iteration and Subsampling: For contractive noisy steps (gradient iterations or Markov process visits), amplification yields sharper bounds than naive summation, as in privacy amplification by random walks, shuffling, or sparsification in distributed protocols (Dijk et al., 2022, Jin et al., 2023, Wang et al., 2023, Li et al., 22 Oct 2025).

4. Decentralized, Network, and Secret-Based $f$-DP Accounting

The $f$-DP framework is particularly effective for decentralized federated learning, where the combination of communication structure, local computation, and correlated noise induces complex privacy interdependencies.

Pairwise Network $f$-DP (PN-$f$-DP)

PN-$f$-DP quantifies user-level $f$-DP leakage between each pair $(i, j)$ for a random-walk protocol on a connected graph. Let $\tau_{ij}$ be the first-hitting time from $i$ to $j$, and $w_{ij}^t = \Pr[\tau_{ij}=t]$. User $j$'s view is a mixture of per-visit trade-off functions $f^t_{ij}$, which, in the strongly convex case, are lower-bounded by $G_{\mu_t}$ with $\mu_t$ capturing the contraction and noise accumulation over $tK$ iterations. The overall privacy for $j$ is composed over approximately $T/n$ visits (with fluctuations controlled by Markov-chain concentration), giving: $$T(\mathcal{A}_j(D), \mathcal{A}_j(D')) \succeq (f^{\text{single}}_{ij})^{\otimes \lceil (1+\zeta)T/n \rceil}$$ with small failure probability (Li et al., 22 Oct 2025).

Secret-based $f$-Local DP (Sec-$f$-LDP)

In Sec-$f$-LDP, each pair of users shares secret randomness (e.g., correlated Gaussian noise), resulting in privacy guarantees conditional on adversary knowledge of secrets. If up to $q$ out of $n$ users collude, the privacy parameter $\mu$ in $G_\mu$-DP satisfies: $$\mu = \Delta \sqrt{\frac{1}{(n-q)\sigma_{\text{DP}}^2 + \lambda_2(L)\sigma_{\text{cor}}^2}}$$ where $\lambda_2(L)$ is the graph Laplacian's second-smallest eigenvalue (Li et al., 22 Oct 2025).

5. Conversion to Concrete Privacy Parameters

From the $f$-DP guarantee, concrete $(\epsilon, \delta)$ privacy can be obtained as follows:

• PRV (Privacy Loss Random Variable) Approach: The privacy loss is $L = \log \frac{q(X)}{p(X)}$, and for $f = T(p, q)$, $(\epsilon, \delta)$-DP is achieved for any $\epsilon$ with $\delta = \Pr[L > \epsilon]$.
• Closed-form for $G_\mu$: For Gaussian trade-off $f = G_\mu$, the $(\epsilon, \delta)$-curve is $\delta(\epsilon) = 1 + f^*(-e^\epsilon)$, with $f^*$ the convex conjugate of $f(\cdot) - \cdot$.
• Exact and Numerical Methods: Under tensor-product composition, privacy loss RVs add, and CDF convolution yields overall privacy; this can often be performed numerically.

6. Empirical Gains and Practical Impact

Empirical studies highlight that $f$-DP-based accounting yields noticeably tighter $(\epsilon, \delta)$ bounds than the best existing Rényi DP methods, both in synthetic and real-world network topologies:

Setting	$(\epsilon,\delta)$ (RDP-based)	$(\epsilon,\delta)$ (PN-$f$-DP)	Test Accuracy Gain
Hypercube/Expander graphs	Higher $\epsilon$	$20$–$50\%$ lower $\epsilon$	Several %
Correlated-noise DecoR FL	Higher $(\epsilon,\delta)$	Lower $(\epsilon,\delta)$	Improved

In private logistic regression and MNIST classification, $f$-DP-based calibrated noise is lower for a fixed privacy target, yielding higher test accuracy under the same privacy constraint. This effect is pronounced in protocols combining correlation, sparsity, and iterative communication (Li et al., 22 Oct 2025).

7. Significance and Future Directions

The $f$-DP framework subsumes classical $(\epsilon, \delta)$-DP and RDP, offering a hypothesis-testing-based lens on privacy. Its tight, lossless compositional rules, amplification capabilities, and precise analysis of networked, decentralized, or correlated-noise mechanisms make it a preferred tool for privacy accounting in modern federated and decentralized settings. Empirical evidence demonstrates that $f$-DP leads to more favorable privacy–utility trade-offs and improved model performance under the same privacy guarantees. The framework's compatibility with post-processing, arbitrarily fine-grained accounting, and potential for further extensions to adaptive protocols and advanced randomized mechanisms suggests multiple avenues for future research and deployment (Li et al., 22 Oct 2025).