Differentially Private Continual Counting
- Private continual counting is the process of releasing cumulative, differentially private prefix sums on data streams.
- It employs mechanisms like the binary tree and smooth binary methods to control error via matrix factorization and sensitivity reduction.
- Recent advances address diverse models—including event-level, item-level, and turnstile streams—yielding near-optimal error and utility trade-offs.
Private continual counting is the problem of releasing, after every update in a stream, a differentially private approximation to a running count or closely related cumulative statistic. In the canonical binary setting, the input is and the release at time approximates ; equivalently, the workload is the lower-triangular all-ones counting matrix , so continual counting is the continual release of all prefix sums. The privacy requirement is imposed on the entire output transcript rather than on a final answer alone, making the problem the standard benchmark for the privacy cost of repeated release over time (Fichtenberger et al., 2022, Andersson et al., 2023).
1. Formal model and privacy notions
In privacy under continual observation, data arrive online and the mechanism must output an answer at every time step , with the release at time depending only on the prefix seen so far. For binary continual counting, neighboring streams differ in exactly one position, and the mechanism must privately release all prefix sums
where is the lower-triangular prefix-sum matrix. Accuracy is commonly measured either by worst-case additive -error over time or by variance-based criteria such as maximum squared error and mean squared error (Andersson et al., 2023, Henzinger et al., 6 Apr 2025).
A standard formalization treats continual counting as a matrix mechanism problem. If
then one may compute 0, add Gaussian noise 1, and postprocess via
2
In this view, the relevant quantities are
3
which govern worst-case per-time error and average squared error, respectively (Henzinger et al., 6 Apr 2025). This formulation is central to modern continual counting because it separates sensitivity control in 4 from error amplification in 5.
Although event-level privacy is canonical for prefix sums, stronger neighboring relations also arise. In fully dynamic distinct counting, for example, event-level privacy changes one update, whereas item-level privacy changes all updates involving one universe element. The latter is strictly stronger and materially changes the attainable error landscape (Jain et al., 2023).
2. Core mechanisms and factorization methods
The classical mechanism is the binary mechanism, which organizes the stream in a complete binary tree. Each stream element is placed in a leaf, each internal node stores a noisy partial sum, and each prefix sum is reconstructed from 6 selected tree nodes. Under 7-zCDP, the exact variance at time 8 is
9
where 0 is the number of 1s in the binary representation of 2. The mechanism uses 3 space and 4 total time to output all 5 prefix sums, but its variance is non-uniform across time because it depends on the Hamming weight of 6 (Andersson et al., 2023).
A direct refinement is the smooth binary mechanism. It uses only leaves whose binary labels have a fixed number 7 of zeros, making the 8-sensitivity uniform: 9 Each prefix sum then uses exactly 0 noisy nodes, so the output noise distribution is identical at every time step. With 1, its variance becomes
2
improving the leading constant by a factor about 3 relative to the standard binary mechanism while preserving 4 space and 5 total time (Andersson et al., 2023).
Lower-triangular matrix mechanisms replace the tree by an explicit causal factorization of 6. One explicit Toeplitz factorization uses
7
and sets 8. This yields the bound
9
which in turn gives an 0-DP continual counter whose simultaneous error is bounded by
1
with 2 (Fichtenberger et al., 2022). A later Toeplitz factorization achieves mean squared error
3
about 4 smaller than the error of the binary mechanism, and supports 5 time per release after preprocessing (Henzinger et al., 2022).
3. Lower bounds and optimality
The optimality theory of continual counting is sharply model-dependent. For mean squared error under approximate differential privacy, an almost tight lower bound is known for continual counting mechanisms, matching the leading 6 term of the best upper bounds up to lower-order terms. For sufficiently small 7, the lower bound is formulated via the factorization norm 8, with the paper emphasizing that the upper and lower bounds match in the leading term and differ only in lower-order constant terms (Henzinger et al., 2022).
For online continual counting, lower bounds also isolate the price of not knowing the future. If the total number of events is 9, then any 0-DP online counter with 1 and 2 must incur 3-error 4 with constant probability, yielding the lower bound
5
The same work extends the argument to online threshold queries and thereby to online quantile-query release, and it separates standard private online learning from both non-private online learning and private online prediction (Cohen et al., 2024).
The central asymptotic question for approximate-DP continual counting was whether the 6 dependence of the Gaussian binary tree mechanism is necessary. This is now resolved: every differentially private mechanism for continual counting must incur expected 7 error 8, so the binary tree mechanism is asymptotically optimal in the approximate-DP setting (Bairaktari et al., 1 Jul 2026). At the level of constant factors in factorization norms, explicit constructions remain under active refinement. For the counting matrix,
9
and
0
reducing the gaps between lower and upper bounds to 1 and 2, respectively (Henzinger et al., 17 Sep 2025).
4. Turnstile streams and dynamic cardinality estimation
Insertion-only continual counting admits polylogarithmic error, but fully dynamic streams exhibit qualitatively different behavior. In private continual distinct counting under the turnstile model, the stream may contain insertions 3, deletions 4, and no-ops 5. For each item 6, the existence vector is
7
and the released statistic is
8
The key structural parameter is maximum flippancy,
9
which counts how many times the most oscillatory item changes its contribution from present to absent or vice versa (Jain et al., 2023).
Without such structure, deletions create polynomial hardness. For 0-event-level DP with 1, every 2-accurate mechanism on length-3 turnstile streams with maximum flippancy at most 4 must satisfy
5
and the lower bound already holds in the strict turnstile model and even for offline mechanisms. Under item-level privacy, however, there is an adaptive mechanism with additive error
6
or in zCDP form
7
The construction combines a modified binary-tree continual-sum mechanism with an adaptive sparse-vector wrapper that estimates a suitable flippancy scale online without requiring 8 as input (Jain et al., 2023).
A later generalization studies dynamic cardinality-estimation tasks through sensitivity vectors of difference streams. For neighboring inputs, it defines
9
and the structured family
0
For lower-triangular Toeplitz right factors 1 with non-increasing, non-negative diagonals, the core bound is
2
This framework yields improved accuracy for fully dynamic CountDistinct, DegreeCount, and TriangleCount by replacing naive blowups on the difference stream with a 3 dependence (Andersson et al., 5 Jan 2026).
5. Structured variants of continual counting
Continual counting has diversified into several structured workloads. For histograms and monotone histogram queries under event-level privacy, output-sensitive mechanisms partition the stream into segments and update the visible state only at segment boundaries. For a broad family of monotone histogram queries, the pure-DP one-query error becomes
4
and in the turnstile model the mechanism achieves
5
additive error without requiring 6 as input. When 7, this gives continual counting with error depending on the realized scale of the output rather than only on 8 (Henzinger et al., 2023).
Decayed and windowed variants replace the prefix-sum workload by other lower-triangular operators. Sliding-window counting over window size 9 can be handled by blockwise dyadic trees, yielding privacy with 0-sensitivity 1 and error polylogarithmic in 2, independent of the total horizon 3. More general continual decaying sums correspond to lower-triangular Toeplitz matrices 4, and Toeplitz square-root factorizations provide a unified mechanism whose error depends on 5 and 6; setting 7 recovers continual counting as a special case (Bolot et al., 2011, Henzinger et al., 2023).
A further axis of variation alters the privacy model itself. Under gradual privacy expiration, where the privacy loss for an update seen 8 steps in the past is governed by a non-decreasing function 9, a dyadic-interval mechanism with a delay parameter 00 achieves maximum additive 01-error 02 for a broad family of expiration functions
03
and a matching lower bound states that if the additive error is 04, then 05 (Andersson et al., 2024). When the horizon is unknown in advance, an infinite Toeplitz factorization based on logarithmic perturbations of 06 yields an unbounded continual-counting algorithm with smooth variance
07
at time 08, 09 space, and amortized 10 time per round (Jacobsen et al., 17 Jun 2025).
6. Streaming implementations, applications, and adjacent domains
A persistent implementation issue is that the best factorization mechanisms are often not streaming-friendly. Two recent lines of work address this by compressing structured left factors. One approach bins adjacent entries with similar values, producing a 11-binned approximation whose left factor can be maintained in sublinear space while preserving error up to a multiplicative 12. For the Bennett square-root factorization of continual counting, this yields
13
space and time per output while maintaining both MSE and MaxSE within a factor 14 of the original factorization (Andersson et al., 2024). A related result adapts binning to the group algebra factorization and obtains
15
memory and per-row multiplication cost while preserving MeanSE and MaxSE up to a factor 16 (Henzinger et al., 6 Apr 2025). These results suggest that asymptotically sharp factorizations and streaming efficiency need not be mutually exclusive, but they remain separate design constraints.
The continual-counting primitive now appears in a large range of neighboring tasks. It underlies continual histograms over known and unknown domains, continual top-17 release, and frequency-moment estimation, where distinct counting, heavy hitters, and low-frequency counts are reduced to private continual summing (Cardoso et al., 2021, Epasto et al., 2023). It also supports graph statistics under continual release: bounded-degree graph streams admit low-sensitivity difference-sequence mechanisms for high-degree counts, degree histograms, and subgraph counts, while time-aware projections and an online Propose-Test-Release transformation provide the first unconditional node-private continual-release algorithms for edges, triangles, 18-stars, connected components, and degree histograms without assuming the input stream satisfies a degree promise (Song et al., 2018, Jain et al., 2024). In applied privacy systems, continual counting is explicitly identified as a subroutine in private federated learning and private SGD, and sharper factorizations improve the theoretical utility guarantees of those pipelines (Henzinger et al., 2022, Andersson et al., 2023).
A recurrent misconception is that polylogarithmic upper bounds in the insertion-only binary setting settle the general problem. Recent work shows that deletions, online constraints, privacy-expiration models, unknown horizons, and streaming-space requirements each produce distinct regimes, often with different optimal mechanisms and different lower bounds. Private continual counting is therefore less a single solved problem than a family of tightly related workload, privacy, and systems questions centered on one canonical primitive.