Differential privacy imposes a restriction on the algorithm. Intuitively, it requires that the algorithm has roughly the same output distribution on neighboring inputs. If the input is a graph, there are two natural notions of neighboring inputs, edge neighbors and node neighbors, which yield two natural variants of differential privacy for graph data.
Let ε be a positive real number and 
be a randomized algorithm that takes a graph as input and returns an output from a set 
.
The algorithm is 
-differentially private if, for all neighboring graphs 
and 
and all subsets 
of ,
![{\displaystyle \Pr[{\mathcal {A}}(G_{1})\in S]\leq e^{\epsilon }\times \Pr[{\mathcal {A}}(G_{2})\in S],}](https://wikimedia.org/api/rest_v1/media/math/render/svg/59004d063a77703a9be3c00780afdc1bef4ee7f5)
where the probability is taken over the randomness used by the algorithm.
Two graphs are edge neighbors if they differ in one edge. An algorithm is -edge-differentially private if, in the definition above, the notion of edge neighbors is used. Intuitively, an edge differentially private algorithm has similar output distributions on any pair of graphs that differ in one edge, thus protecting changes to graph edges.
Two graphs are node neighbors if one can be obtained from the other by deleting a node and its adjacent edges. An algorithm is -node-differentially private if, in the definition above, the notion of node neighbors is used. Intuitively, a node differentially private algorithm has similar output distributions on any pair of graphs that differ in one one nodes and edges adjacent to it, thus protecting information pertaining to each individual. Node differential privacy give a stronger privacy protection than edge differential privacy.