IBM / discrete-gaussian-differential-privacy

Code for Canonne-Kamath-Steinke paper https://arxiv.org/abs/2004.00010

Privacy Accounting Under Sequential Composition

jbuttle63 opened this issue · comments

I am unclear about how privacy accounting works under sequential composition for the Gaussian distribution. What I take from your example is that, for epsilon = 1 and assuming three queries, the epsilon for each query would be 1/3 (assuming queries for overlapping records). Since epsilon enters the mechanism only once (to determine the initial value of rho), it seems that the number of queries determines the budget for each query (and not the fraction of epsilon used per query, as with the Laplace mechanism). Therefore, this would imply that epsilon would be evenly divided among all the queries (by whatever the number of queries). So, epsilon could not be varied on a per-query basis (i.e., assuming n queries, epsilon_per_q = epsilon/n, and not some other scheme, i.e., where epsilon/n1 + epsilon/n2 + ... + epsilon/nk = epsilon).

Is this correct? Thanks.

Hi!

So, to clarify, the example uses concentrated differential privacy composition (where the "rho" parameters add up), rather than pure DP composition (where the "epsilon" parameters add up). This gives better results.

The example starts with epsilon=1 and delta=10^-6 and converts this to a concentrated DP guarantee rho. That rho can be divided arbitrarily between the queries; the example divides it evenly (i.e., rho_per_q = rho / k). More generally, each query i will satisfy a guarantee rho_q[i]. The overall system satisfies the privacy guarantee if sum(rho_q) <= rho.
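
The accounting described in the reply above, as an added example that is not part of the original thread or the repository's code: it converts (epsilon, delta) to rho, splits rho unevenly across three queries, and rejects any query that would break sum(rho_q) <= rho. Assumptions: the conversion is the standard bound epsilon = rho + 2*sqrt(rho*ln(1/delta)), which may differ from the one the repository's example uses; noise is calibrated with rho_q = sensitivity^2 / (2*sigma^2); all function and class names are hypothetical.

```python
import math

def rho_from_eps_delta(eps, delta):
    """Largest rho for which rho-zCDP implies (eps, delta)-DP under the
    bound eps = rho + 2*sqrt(rho*ln(1/delta)) (assumed conversion)."""
    log_inv_delta = math.log(1.0 / delta)
    return (math.sqrt(log_inv_delta + eps) - math.sqrt(log_inv_delta)) ** 2

def split_budget(rho_total, weights):
    """Divide rho_total among queries in proportion to positive weights."""
    if not weights or any(w <= 0 for w in weights):
        raise ValueError("weights must be non-empty and positive")
    total = float(sum(weights))
    return [rho_total * w / total for w in weights]

def sigma_for(rho_q, sensitivity=1.0):
    """Noise scale for one query, from rho_q = sensitivity^2 / (2*sigma^2)."""
    if rho_q <= 0:
        raise ValueError("rho_q must be positive")
    return sensitivity / math.sqrt(2.0 * rho_q)

class RhoAccountant:
    """Refuses any query that would push sum(rho_q) above the total rho."""
    def __init__(self, rho_total):
        self.rho_total = rho_total
        self.spent = 0.0

    def spend(self, rho_q):
        # Small relative slack absorbs floating-point rounding in the sum.
        if rho_q <= 0 or self.spent + rho_q > self.rho_total * (1 + 1e-9):
            raise ValueError("query rejected: rho budget exceeded")
        self.spent += rho_q
        return self.rho_total - self.spent

def plan(eps=1.0, delta=1e-6, weights=(3, 2, 1)):
    """Return (rho, per-query rho list, per-query sigma list)."""
    rho = rho_from_eps_delta(eps, delta)
    rho_q = split_budget(rho, list(weights))
    acct = RhoAccountant(rho)
    for r in rho_q:
        acct.spend(r)
    return rho, rho_q, [sigma_for(r) for r in rho_q]

if __name__ == "__main__":
    rho, rho_q, sigmas = plan()
    for i, (r, s) in enumerate(zip(rho_q, sigmas)):
        print(f"query {i}: rho_q={r:.6f} sigma={s:.2f}")
    print(f"total rho={rho:.6f}, spent={sum(rho_q):.6f}")
```

A query given a larger share of rho gets a smaller sigma, so the weights express which answers need the most accuracy.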