✨ TL;DR
This paper introduces a GDP-based auditing framework that provides the first tight privacy audits for state-of-the-art differentially private synthetic data generators MST and AIM. The audits show a small gap between theoretical guarantees and empirical measurements in strong-privacy regimes.
Differentially Private (DP) synthetic data generators like MST and AIM are widely deployed in practice, but verifying that they actually achieve their claimed privacy guarantees is difficult. Existing auditing methods struggle to provide tight bounds, especially in strong-privacy regimes where privacy parameters are stringent. Without tight audits, there is uncertainty about whether these systems provide the privacy protection they promise, which is critical for real-world deployment where privacy violations could have serious consequences.
The authors develop an auditing framework based on Gaussian Differential Privacy (GDP) that measures privacy through the complete false-positive/false-negative tradeoff curve rather than single-point estimates. They apply this framework to audit MST and AIM synthetic data generators under worst-case settings, which represent the most challenging scenarios for privacy preservation. The GDP framework allows for more precise characterization of privacy loss by examining the full hypothesis testing tradeoff, providing tighter bounds than previous auditing approaches.
What the paper shows.
The auditing framework successfully provides tight privacy bounds for MST and AIM generators. For the specific case of privacy parameters (ε,δ)=(1,10^-2), the empirical measurement yields μ_emp≈0.43 compared to the theoretically implied μ=0.45, demonstrating only a small gap of approximately 0.02. This represents the first tight audit of these systems in strong-privacy regimes, validating that the theoretical privacy guarantees closely match empirical behavior under worst-case conditions.
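To illustrate how a measured false-positive/false-negative tradeoff curve turns into a single μ_emp, here is an added sketch that is not the paper's code or estimator. It assumes the audit yields one scalar score per trial for the "record absent" and "record present" worlds, uses constructed Gaussian scores as stand-in data, and aggregates per-threshold estimates with a median (an assumption made here, with no confidence intervals).

```python
import random
from bisect import bisect_right
from statistics import NormalDist, median

STD = NormalDist()  # standard normal: cdf is Phi, inv_cdf is Phi^-1

def gdp_fnr(alpha, mu):
    """mu-GDP tradeoff curve: the lowest FNR any test can reach at FPR alpha."""
    return STD.cdf(STD.inv_cdf(1 - alpha) - mu)

def empirical_tradeoff(scores_out, scores_in, n_thresholds=200):
    """Sweep a decision threshold over the scores; return (FPR, FNR) pairs."""
    s_out, s_in = sorted(scores_out), sorted(scores_in)
    lo, hi = min(s_out[0], s_in[0]), max(s_out[-1], s_in[-1])
    points = []
    for i in range(1, n_thresholds):
        t = lo + (hi - lo) * i / n_thresholds
        fpr = 1 - bisect_right(s_out, t) / len(s_out)  # "absent" scored above t
        fnr = bisect_right(s_in, t) / len(s_in)        # "present" scored at or below t
        points.append((fpr, fnr))
    return points

def estimate_mu(points, clip=0.05):
    """Invert the GDP curve at each operating point, then take the median.

    Points with FPR or FNR near 0 or 1 are dropped: Phi^-1 diverges there,
    so a handful of miscounted trials would dominate the estimate.
    """
    per_point = [STD.inv_cdf(1 - a) - STD.inv_cdf(b)
                 for a, b in points
                 if clip <= a <= 1 - clip and clip <= b <= 1 - clip]
    if not per_point:
        raise ValueError("no usable operating points; collect more trials")
    return median(per_point)

def simulate_audit(true_mu, n=20000, seed=0):
    """Constructed data: scores from N(0,1) vs N(true_mu,1), i.e. exactly mu-GDP."""
    rng = random.Random(seed)
    scores_out = [rng.gauss(0.0, 1.0) for _ in range(n)]
    scores_in = [rng.gauss(true_mu, 1.0) for _ in range(n)]
    return estimate_mu(empirical_tradeoff(scores_out, scores_in))

if __name__ == "__main__":
    mu_emp = simulate_audit(0.45)
    print(f"mu_emp = {mu_emp:.3f} against a theoretical mu of 0.45")
```

An audit is tight when the μ_emp recovered this way sits just below the μ implied by the mechanism's accounting; a value well above it would indicate a broken guarantee.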
The paper focuses on worst-case auditing settings, which, while providing strong guarantees, may be overly conservative for typical use cases. The audits are conducted specifically on the MST and AIM generators, and generalization to other DP synthetic data methods is not explicitly addressed. The computational cost and scalability of the GDP-based auditing framework for larger datasets or more complex generators are not discussed. Additionally, the audits measure privacy under specific parameter settings, and comprehensive evaluation across the full range of privacy parameters used in practice may require additional work.
✨ Generated by Claude · Apr 21, 2026 · Read the PDF for authoritative content.