Fully Adaptive Composition for Gaussian Differential Privacy

We show that Gaussian Differential Privacy, a variant of differential privacy tailored to the analysis of Gaussian noise addition, composes gracefully even in the presence of a fully adaptive analyst. Such an analyst selects mechanisms (to be run on a sensitive data set) and their privacy budgets adaptively, that is, based on the answers from other mechanisms run previously on the same data set. In the language of Rogers, Roth, Ullman and Vadhan, this gives a filter for GDP with the same parameters as for nonadaptive composition. One can also characterize GDP, via Blackwell's theorem, in terms of bounds on the ROC curve for all tests that aim to distinguish M(D) from M(D We prove that Gaussian Differential Privacy (GDP) [DRS19] composes even when the analyst is fully adaptive; the privacy parameters adds up in exactly the same way as in nonadaptive composition. In the language of [RRUV16], there is a filter for this privacy concept that simply sums the squares of privacy budgets and compares them to a threshold. The analyst's choices at each stage can depend arbitrarily on the interaction up to that point.