Advanced Composition Theorems for Differential Obliviousness

Authors Mingxun Zhou, Mengshi Zhao, T-H. Hubert Chan, Elaine Shi

Thumbnail PDF


  • Filesize: 0.77 MB
  • 24 pages

Document Identifiers

Author Details

Mingxun Zhou
  • Carnegie Mellon University, Pittsburgh, PA, USA
Mengshi Zhao
  • The University of Hong Kong, Hong Kong SAR, China
T-H. Hubert Chan
  • The University of Hong Kong, Hong Kong SAR, China
Elaine Shi
  • Carnegie Mellon University, Pittsburgh, PA, USA

Cite AsGet BibTex

Mingxun Zhou, Mengshi Zhao, T-H. Hubert Chan, and Elaine Shi. Advanced Composition Theorems for Differential Obliviousness. In 15th Innovations in Theoretical Computer Science Conference (ITCS 2024). Leibniz International Proceedings in Informatics (LIPIcs), Volume 287, pp. 103:1-103:24, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)


Differential obliviousness (DO) is a privacy notion which mandates that the access patterns of a program satisfy differential privacy. Earlier works have shown that in numerous applications, differential obliviousness allows us to circumvent fundamental barriers pertaining to fully oblivious algorithms, resulting in asymptotical (and sometimes even polynomial) performance improvements. Although DO has been applied to various contexts, including the design of algorithms, data structures, and protocols, its compositional properties are not explored until the recent work of Zhou et al. (Eurocrypt'23). Specifically, Zhou et al. showed that the original DO notion is not composable. They then proposed a refinement of DO called neighbor-preserving differential obliviousness (NPDO), and proved a basic composition for NPDO. In Zhou et al.’s basic composition theorem for NPDO, the privacy loss is linear in k for k-fold composition. In comparison, for standard differential privacy, we can enjoy roughly √k loss for k-fold composition by applying the well-known advanced composition theorem given an appropriate parameter range. Therefore, a natural question left open by their work is whether we can also prove an analogous advanced composition for NPDO. In this paper, we answer this question affirmatively. As a key step in proving an advanced composition theorem for NPDO, we define a more operational notion called symmetric NPDO which we prove to be equivalent to NPDO. Using symmetric NPDO as a stepping stone, we also show how to generalize NPDO to more general notions of divergence, resulting in Rényi-NPDO, zero-concentrated-NPDO, Gassian-NPDO, and g-NPDO notions. We also prove composition theorems for these generalized notions of NPDO.

Subject Classification

ACM Subject Classification
  • Security and privacy → Information-theoretic techniques
  • Differential Privacy
  • Oblivious Algorithms


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Technology deep dive: Building a faster oram layer for enclaves., 2022.
  2. Borja Balle, Gilles Barthe, and Marco Gaboardi. Privacy amplification by subsampling: Tight analyses via couplings and divergences. NeurIPS, 2018. Google Scholar
  3. Borja Balle, James Bell, Adrià Gascón, and Kobbi Nissim. The privacy blanket of the shuffle model. In CRYPTO, 2019. Google Scholar
  4. Gilles Barthe, Marco Gaboardi, Justin Hsu, and Benjamin Pierce. Programming language techniques for differential privacy. ACM SIGLOG News, 3(1):34-53, February 2016. Google Scholar
  5. Amos Beimel, Kobbi Nissim, and Mohammad Zaheri. Exploring differential obliviousness. In APPROX/RANDOM, 2019. Google Scholar
  6. Dmytro Bogatov, Georgios Kellaris, George Kollios, Kobbi Nissim, and Adam O'Neill. εpsolute: Efficiently querying databases while providing differential privacy. In CCS, 2021. Google Scholar
  7. Elette Boyle, Kai-Min Chung, and Rafael Pass. Oblivious parallel ram. In Theory of Cryptography Conference (TCC), 2015. Google Scholar
  8. Mark Bun and Thomas Steinke. Concentrated differential privacy: Simplifications, extensions, and lower bounds. In TCC (B1), volume 9985 of Lecture Notes in Computer Science, pages 635-658, 2016. Google Scholar
  9. Ethan Cecchetti, Fan Zhang, Yan Ji, Ahmed E. Kosba, Ari Juels, and Elaine Shi. Solidus: Confidential distributed ledger transactions via PVORM. In ACM CCS, pages 701-717. ACM, 2017. Google Scholar
  10. T-H. Hubert Chan, Kai-Min Chung, Bruce M. Maggs, and Elaine Shi. Foundations of differentially oblivious algorithms. In SODA, 2019. Google Scholar
  11. Albert Cheu. Differential privacy in the shuffle model: A survey of separations. arXiv preprint, 2021. URL:
  12. Albert Cheu, Adam Smith, Jonathan Ullman, David Zeber, and Maxim Zhilyaev. Distributed differential privacy via shuffling. In EUROCRYPT, 2019. Google Scholar
  13. Shumo Chu, Danyang Zhuo, Elaine Shi, and T.-H. Hubert Chan. Differentially oblivious database joins: Overcoming the worst-case curse of fully oblivious algorithms. In ITC, 2021. Google Scholar
  14. Jinshuo Dong, David Durfee, and Ryan Rogers. Optimal differential privacy composition for exponential mechanisms. In ICML, volume 119 of Proceedings of Machine Learning Research, pages 2597-2606. PMLR, 2020. Google Scholar
  15. Jinshuo Dong, Aaron Roth, and Weijie J Su. Gaussian differential privacy. Journal of the Royal Statistical Society Series B: Statistical Methodology, 84(1):3-37, 2022. Google Scholar
  16. Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam Smith. Calibrating noise to sensitivity in private data analysis. In TCC, 2006. Google Scholar
  17. Cynthia Dwork and Aaron Roth. The algorithmic foundations of differential privacy. Foundations and Trends in Theoretical Computer Science, 9(3-4):211-407, 2014. Google Scholar
  18. Cynthia Dwork, Guy N. Rothblum, and Salil P. Vadhan. Boosting and differential privacy. In FOCS, pages 51-60. IEEE Computer Society, 2010. Google Scholar
  19. Úlfar Erlingsson, Vitaly Feldman, Ilya Mironov, Ananth Raghunathan, Kunal Talwar, and Abhradeep Thakurta. Amplification by shuffling: From local to central differential privacy via anonymity. In SODA, 2019. Google Scholar
  20. Vitaly Feldman, Audra McMillan, and Kunal Talwar. Stronger privacy amplification by shuffling for rényi and approximate differential privacy. In Proceedings of the 2023 Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pages 4966-4981. SIAM, 2023. Google Scholar
  21. Vitaly Feldman and Tijana Zrnic. Individual privacy accounting via a renyi filter. Advances in Neural Information Processing Systems, 34:28080-28091, 2021. Google Scholar
  22. Craig Gentry, Shai Halevi, Steve Lu, Rafail Ostrovsky, Mariana Raykova, and Daniel Wichs. Garbled ram revisited. In EUROCRYPT, pages 405-422, 2014. Google Scholar
  23. Badih Ghazi, Noah Golowich, Ravi Kumar, Pasin Manurangsi, Rasmus Pagh, and Ameya Velingker. Pure differentially private summation from anonymous messages. CoRR, 2020. URL:
  24. Antonious M Girgis, Deepesh Data, and Suhas Diggavi. Shuffled model of differential privacy in federated learning. In Arindam Banerjee and Kenji Fukumizu, editors, Proceedings of The 24th International Conference on Artificial Intelligence and Statistics, volume 130 of Proceedings of Machine Learning Research, pages 2521-2529. PMLR, 13-15 Apr 2021. URL:
  25. Antonious M. Girgis, Deepesh Data, Suhas Diggavi, Peter Kairouz, and Ananda Theertha Suresh. Shuffled model of federated learning: Privacy, communication and accuracy trade-offs. CoRR, 2020. URL:
  26. O. Goldreich. Towards a theory of software protection and simulation by oblivious RAMs. In STOC, 1987. Google Scholar
  27. Oded Goldreich and Rafail Ostrovsky. Software protection and simulation on oblivious RAMs. J. ACM, 1996. Google Scholar
  28. S. Dov Gordon, Jonathan Katz, Vladimir Kolesnikov, Fernando Krell, Tal Malkin, Mariana Raykova, and Yevgeniy Vahlis. Secure two-party computation in sublinear (amortized) time. In ACM CCS, pages 513-524. ACM, 2012. Google Scholar
  29. S. Dov Gordon, Jonathan Katz, Mingyu Liang, and Jiayu Xu. Spreading the privacy blanket: Differentially oblivious shuffling for differential privacy. In ACNS, 2022. Google Scholar
  30. Peter Kairouz, Sewoong Oh, and Pramod Viswanath. The composition theorem for differential privacy. In ICML, volume 37 of JMLR Workshop and Conference Proceedings, pages 1376-1385., 2015. Google Scholar
  31. Ilan Komargodski and Elaine Shi. Differentially oblivious turing machines. In 12th Innovations in Theoretical Computer Science Conference, ITCS 2021, January 6-8, 2021, Virtual Conference, volume 185 of LIPIcs, pages 68:1-68:19. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2021. Google Scholar
  32. Ios Kotsogiannis, Yuchao Tao, Xi He, Maryam Fanaeepour, Ashwin Machanavajjhala, Michael Hay, and Gerome Miklau. Privatesql: A differentially private sql query engine. Proc. VLDB Endow., 12(11):1371-1384, July 2019. Google Scholar
  33. Kasper Green Larsen and Jesper Buus Nielsen. Yes, there is an oblivious ram lower bound! In CRYPTO, 2018. Google Scholar
  34. Chang Liu, Michael Hicks, Austin Harris, Mohit Tiwari, Martin Maas, and Elaine Shi. Ghostrider: A hardware-software system for memory trace oblivious computation. In ASPLOS, 2015. Google Scholar
  35. Chang Liu, Xiao Shaun Wang, Kartik Nayak, Yan Huang, and Elaine Shi. ObliVM: A programming framework for secure computation. In IEEE S & P, 2015. Google Scholar
  36. Martin Maas, Eric Love, Emil Stefanov, Mohit Tiwari, Elaine Shi, Kriste Asanovic, John Kubiatowicz, and Dawn Song. Phantom: Practical oblivious computation in a secure processor. In ACM Conference on Computer and Communications Security (CCS), 2013. Google Scholar
  37. Frank McSherry. Privacy integrated queries: an extensible platform for privacy-preserving data analysis. Commun. ACM, 53:89-97, September 2010. URL:
  38. Ilya Mironov. Renyi differential privacy. In Computer Security Foundations Symposium (CSF), 2017 IEEE 30th, pages 263-275. IEEE, 2017. Google Scholar
  39. Prashanth Mohan, Abhradeep Guha Thakurta, Elaine Shi, Dawn Song, and David Culler. GUPT: Privacy preserving data analysis made easy. In ACM SIGMOD, 2012. Google Scholar
  40. Jack Murtagh and Salil P. Vadhan. The complexity of computing the optimal composition of differential privacy. In TCC (A1), volume 9562 of Lecture Notes in Computer Science, pages 157-175. Springer, 2016. Google Scholar
  41. Arjun Narayan and Andreas Haeberlen. Djoin: Differentially private join queries over distributed databases. In 10th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2012, Hollywood, CA, USA, October 8-10, 2012, pages 149-162. USENIX Association, 2012. Google Scholar
  42. Milad Nasr, Jamie Hayes, Thomas Steinke, Borja Balle, Florian Tramèr, Matthew Jagielski, Nicholas Carlini, and Andreas Terzis. Tight auditing of differentially private machine learning. arXiv preprint, 2023. URL:
  43. Giuseppe Persiano and Kevin Yeo. Lower bounds for differentially private rams. In Advances in Cryptology - EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Darmstadt, Germany, May 19-23, 2019, Proceedings, Part I, volume 11476 of Lecture Notes in Computer Science, pages 404-434. Springer, 2019. Google Scholar
  44. Giuseppe Persiano and Kevin Yeo. Lower bound framework for differentially private and oblivious data structures. In Advances in Cryptology - EUROCRYPT 2023 - 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part I, volume 14004 of Lecture Notes in Computer Science, pages 487-517. Springer, 2023. Google Scholar
  45. Lianke Qin, Rajesh Jayaram, Elaine Shi, Zhao Song, Danyang Zhuo, and Shumo Chu. Differentially oblivious relational database operators. Proc. VLDB Endow., 16(4):842-855, 2022. Google Scholar
  46. Vijaya Ramachandran and Elaine Shi. Data oblivious algorithms for multicores. In SPAA, 2021. Google Scholar
  47. Ling Ren, Xiangyao Yu, Christopher W. Fletcher, Marten van Dijk, and Srinivas Devadas. Design space exploration and optimization of path oblivious RAM in secure processors. In ISCA, pages 571-582, 2013. Google Scholar
  48. Ali Shafiee, Rajeev Balasubramonian, Mohit Tiwari, and Feifei Li. Secure DIMM: moving ORAM primitives closer to memory. In IEEE International Symposium on High Performance Computer Architecture, HPCA 2018, Vienna, Austria, February 24-28, 2018, pages 428-440. IEEE Computer Society, 2018. Google Scholar
  49. Elaine Shi, T.-H. Hubert Chan, Emil Stefanov, and Mingfei Li. Oblivious RAM with O((log N)³) worst-case cost. In ASIACRYPT, 2011. Google Scholar
  50. Emil Stefanov and Elaine Shi. Oblivistore: High performance oblivious cloud storage. In S & P, 2013. Google Scholar
  51. Emil Stefanov, Marten van Dijk, Elaine Shi, T.-H. Hubert Chan, Christopher W. Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. Path ORAM: an extremely simple oblivious RAM protocol. J. ACM, 65(4):18:1-18:26, 2018. Google Scholar
  52. Emil Stefanov, Marten van Dijk, Elaine Shi, Christopher Fletcher, Ling Ren, Xiangyao Yu, and Srinivas Devadas. Path oram: An extremely simple oblivious ram protocol. In ACM CCS, pages 299-310, 2013. Google Scholar
  53. Thomas Steinke, Milad Nasr, and Matthew Jagielski. Privacy auditing with one (1) training run. arXiv preprint, 2023. URL:
  54. Florian Tramer, Andreas Terzis, Thomas Steinke, Shuang Song, Matthew Jagielski, and Nicholas Carlini. Debugging differential privacy: A case study for privacy auditing. arXiv preprint, 2022. URL:
  55. Salil Vadhan and Wanrong Zhang. Concurrent composition theorems for differential privacy. In Proceedings of the 55th Annual ACM Symposium on Theory of Computing, STOC 2023, pages 507-519, 2023. Google Scholar
  56. Salil P. Vadhan. The complexity of differential privacy. In Yehuda Lindell, editor, Tutorials on the Foundations of Cryptography, pages 347-450. Springer International Publishing, 2017. URL:
  57. Elisabet Lobo Vesga, Alejandro Russo, and Marco Gaboardi. A programming framework for differential privacy with accuracy concentration bounds. In 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, May 18-21, 2020, pages 411-428. IEEE, 2020. Google Scholar
  58. Sameer Wagh, Paul Cuff, and Prateek Mittal. Differentially private oblivious RAM. PoPETs, 2018(4):64-84, 2018. Google Scholar
  59. Chenghong Wang, Johes Bater, Kartik Nayak, and Ashwin Machanavajjhala. Incshrink: Architecting efficient outsourced databases using incremental MPC and differential privacy. In SIGMOD '22: International Conference on Management of Data, Philadelphia, PA, USA, June 12 - 17, 2022, pages 818-832. ACM, 2022. Google Scholar
  60. Xiao Shaun Wang, T-H. Hubert Chan, and Elaine Shi. Circuit ORAM: On Tightness of the Goldreich-Ostrovsky Lower Bound. In CCS, 2015. Google Scholar
  61. Xiao Shaun Wang, Kartik Nayak, Chang Liu, T-H. Hubert Chan, Elaine Shi, Emil Stefanov, and Yan Huang. Oblivious Data Structures. In CCS, 2014. Google Scholar
  62. Larry Wasserman and Shuheng Zhou. A statistical framework for differential privacy. Journal of the American Statistical Association, 105(489):375-389, 2010. Google Scholar
  63. Justin Whitehouse, Aaditya Ramdas, Ryan Rogers, and Steven Wu. Fully-adaptive composition in differential privacy. In International Conference on Machine Learning, ICML 2023, 23-29 July 2023, Honolulu, Hawaii, USA, volume 202 of Proceedings of Machine Learning Research, pages 36990-37007. PMLR, 2023. Google Scholar
  64. Peter Williams, Radu Sion, and Alin Tomescu. Privatefs: A parallel oblivious file system. In CCS, 2012. Google Scholar
  65. Danfeng Zhang and Daniel Kifer. Lightdp: towards automating differential privacy proofs. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2017, Paris, France, January 18-20, 2017, pages 888-901. ACM, 2017. Google Scholar
  66. Mingxun Zhou, Elaine Shi, T.-H. Hubert Chan, and Shir Maimon. A theory of composition for differential obliviousness. In EUROCRYPT (3), volume 14006 of Lecture Notes in Computer Science, pages 3-34. Springer, 2023. Google Scholar
  67. Mingxun Zhou, Mengshi Zhao, T-H. Hubert Chan, and Elaine Shi. Advanced composition theorems for differential obliviousness. Cryptology ePrint Archive, Paper 2023/842, 2023. URL:
  68. Yuqing Zhu, Jinshuo Dong, and Yu-Xiang Wang. Optimal accounting of differential privacy via characteristic function. In International Conference on Artificial Intelligence and Statistics, pages 4782-4817. PMLR, 2022. Google Scholar
Questions / Remarks / Feedback

Feedback for Dagstuhl Publishing

Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail