On Choosing the μ Parameter in Gaussian Differential Privacy

Recent work argues for using Gaussian differential privacy (GDP) to report the privacy guarantees in privacy-preserving machine learning. We provide principled mappings from pure-DP $\varepsilon$ to GDP $\mu$ by matching the worst-case success of a strong-adversary membership inference attack in terms of three metrics: multiplicative advantage at fixed FPR, precision at fixed recall, and the standard privacy profile. We tabulate $\mu$ values across a useful range of parameters and recommend $\mu \approx \varepsilon/5$ as a conservative general-purpose conversion.