Concurrent Composition for Differentially Private Continual Mechanisms
Many intended uses of differential privacy involve a $\textit{continual mechanism}$ that is set up to run continuously over a long period of time, making more statistical releases as either queries come in or the dataset is updated. In this paper, we give the first general treatment of privacy against $\textit{adaptive}$ adversaries for mechanisms that support dataset updates and a variety of queries, all arbitrarily interleaved. This treatment also models a very general notion of neighboring, which includes both event-level and user-level privacy. We prove several $\textit{concurrent}$ composition theorems for continual mechanisms, which ensure privacy even when an adversary can interleave queries and dataset updates to the different composed mechanisms. Previous concurrent composition theorems for differential privacy were only for the case when the dataset is static, with no adaptive updates. Moreover, we also give the first interactive and continual generalizations of the “parallel composition theorem” for noninteractive differential privacy. Specifically, we show that the analogue of the noninteractive parallel composition theorem holds if either there are no adaptive dataset updates or each of the composed mechanisms satisfies pure differential privacy, but it fails to hold for composing approximately differentially private mechanisms with dataset updates. We then formalize a set of general conditions on a continual mechanism $M$ that runs multiple continual sub-mechanisms such that the privacy guarantees of $M$ follow directly using the above concurrent composition theorems on the sub-mechanisms, without further privacy loss. This enables us to give a simpler and more modular privacy analysis of a recent continual histogram mechanism of Henzinger, Sricharan, and Steiner. In the case of approximate DP, ours is the first proof showing that its privacy holds against adaptive adversaries.
💡 Research Summary
Differential privacy (DP) has become the de‑facto standard for protecting individual information when performing statistical analysis or machine learning on sensitive data. While the classic DP definition concerns a single, non‑interactive mechanism that receives a static dataset and releases a single output, many modern applications require continual mechanisms that operate over long periods, handling a stream of queries and a stream of dataset updates. Moreover, an adaptive adversary may choose each new query or update based on all previously observed answers, a scenario that is not covered by existing composition theorems.
The paper introduces a comprehensive formalism for continual mechanisms (Definition 3.7) that simultaneously supports (i) arbitrary query streams, (ii) arbitrary update streams, and (iii) a secret internal state that evolves over time. The authors generalize the neighboring relation to encompass event‑level, user‑level, and any user‑specified adjacency, thereby unifying previous models of interactive DP and DP under continual observation.
The core technical contribution is a suite of concurrent composition theorems for such mechanisms. In the concurrent setting, an adversary may interleave queries and updates across multiple mechanisms, possibly creating new mechanisms on the fly and selecting their privacy parameters adaptively. The authors prove tight privacy bounds for several important cases:
- Fixed privacy parameters – When each constituent mechanism uses a predetermined (ε, δ), the classic advanced composition bounds for approximate DP extend unchanged to the concurrent composition of continual mechanisms (Theorem 4.12). The same holds for Rényi DP and f‑DP (Corollaries 13.4, 14.7).
- Concurrent parallel composition – For an unbounded number of adaptively chosen interactive mechanisms, the parallel composition theorem holds exactly if every mechanism satisfies pure DP (δ = 0) (Corollary 5.5). The authors show that for approximate DP the theorem fails in general (Theorem 5.2) and provide a counterexample. By imposing an upper bound on the quantity Σ_i (1 − δ_i), they derive a new tight composition bound (Theorem 5.4) that restores privacy guarantees.
- Filter composition – A filter Filt maps each mechanism’s privacy parameters to a Boolean decision (⊤/⊥). The paper proves that if the filter‑composition of non‑interactive mechanisms is (ε, δ)‑DP, then the concurrent filter‑composition of continual mechanisms enjoys the same guarantee (Theorem 12.4). This result also lifts to Rényi DP and f‑DP (Corollaries 13.8, 14.10).
- Extensions to other DP notions – All the above theorems are instantiated for Rényi DP and f‑DP, showing that the same structural arguments apply across these privacy measures.
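The following is an added illustration, not code from the paper, of the filter-composition setting: a filter Filt that admits (⊤) or refuses (⊥) each release, governing two continual Laplace counters whose updates and queries an adversary interleaves while choosing each ε after seeing earlier answers. It assumes the basic-composition filter (running sums of ε and δ must stay within a global budget) as the Filt, and event-level neighboring (one event changes a count by at most 1); the names `BasicCompositionFilter`, `LaplaceCounter` and `run_adaptive_interleaving` are this example's own.

```python
import random

class BasicCompositionFilter:
    """Filt: admit a release at (eps, delta) only while the running sums stay
    within (eps_global, delta_global). Assumed basic-composition filter."""
    def __init__(self, eps_global, delta_global):
        self.eps_global, self.delta_global = eps_global, delta_global
        self.eps_spent, self.delta_spent = 0.0, 0.0

    def admit(self, eps, delta):
        if (self.eps_spent + eps > self.eps_global + 1e-12
                or self.delta_spent + delta > self.delta_global + 1e-12):
            return False            # ⊥: refuse, budget unchanged
        self.eps_spent += eps
        self.delta_spent += delta
        return True                 # ⊤: release permitted


class LaplaceCounter:
    """Continual sub-mechanism: secret running count, dataset updates (0/1
    events) and count queries at an adaptively chosen eps. Under event-level
    neighboring the count has sensitivity 1, so Laplace(1/eps) noise gives
    (eps, 0)-DP per admitted release."""
    def __init__(self, filt, rng):
        self.count, self.filt, self.rng = 0, filt, rng

    def update(self, event):        # updates release nothing, so cost no budget
        self.count += event

    def query(self, eps):
        if not self.filt.admit(eps, 0.0):
            return None             # filter halted this release
        noise = self.rng.expovariate(eps) - self.rng.expovariate(eps)  # Laplace(1/eps)
        return self.count + noise


def run_adaptive_interleaving(eps_global=1.0, seed=0):
    """Adversary-chosen schedule over two counters sharing one filter; the
    second eps depends on the first answer. Returns (answers, eps spent)."""
    rng = random.Random(seed)
    filt = BasicCompositionFilter(eps_global, 0.0)
    a, b = LaplaceCounter(filt, rng), LaplaceCounter(filt, rng)
    answers = []
    a.update(1); b.update(1); b.update(1)
    answers.append(a.query(0.4))                 # spends 0.4
    b.update(0); a.update(1)
    eps_b = 0.5 if answers[0] is not None and answers[0] > 1 else 0.3
    answers.append(b.query(eps_b))               # spends 0.5 or 0.3
    answers.append(a.query(0.5))                 # would exceed 1.0 either way -> None
    return answers, filt.eps_spent
```

The third query is refused on every schedule because admitting it would push the running sum past ε_global; no release happens and the budget is unchanged, which is the ⊥ branch of Filt.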
Beyond the theoretical results, the authors present a modular analysis framework. If a high‑level continual mechanism M internally runs several sub‑mechanisms that each satisfy the appropriate concurrent composition theorem, then M’s overall privacy guarantee follows without any additional loss. This modularity is demonstrated by re‑analyzing a recent continual histogram mechanism (Henzinger, Sricharan, and Steiner). Notably, the paper supplies the first rigorous proof that this histogram mechanism remains differentially private against adaptive adversaries in the approximate DP setting.
The paper also clarifies the limitations of existing approaches. Prior works on concurrent composition of interactive mechanisms assumed static datasets; they do not handle the case where the adversary adaptively selects both the datasets and the updates. The authors’ negative results (Theorem 5.2, Theorem 13.5) show that naïvely extending the classic parallel composition theorem to approximate DP with adaptive updates leads to privacy breaches, emphasizing the necessity of the new bounds.
In terms of practical impact, these results are directly applicable to systems such as online advertising platforms, streaming analytics, and any service that continuously ingests user data while answering queries in real time. The filter‑composition theorem, in particular, provides a clean tool for designing adaptive privacy‑budget managers (privacy odometers, filters) that can be embedded in continual algorithms. The modular framework simplifies the privacy audit of complex pipelines, allowing designers to reason about each component separately and then compose them safely.
Overall, the paper delivers the first unified theory of concurrent composition for continual differential privacy, covering pure, approximate, Rényi, and f‑DP, handling both fixed and adaptively chosen privacy parameters, and providing both positive composition bounds and tight impossibility results. This fills a critical gap in the DP literature and offers a solid foundation for future work on efficient, privacy‑preserving continual data analysis.