Implementation flaws in differential privacy (DP) can be maliciously exploited to mount stealthy attacks. Method: We propose the Gaussian Pancake Mechanism (GPM), a novel mechanism computationally indistinguishable from the standard Gaussian mechanism yet provably offering significantly weaker privacy guarantees. GPM systematically degrades the effective privacy budget ε by carefully engineering its noise distribution while preserving statistical indistinguishability under standard DP audits. Contribution/Results: GPM constitutes the first evadable backdoor attack against DP systems. We formally prove its computational indistinguishability from the Gaussian mechanism under standard cryptographic assumptions. Empirical evaluation demonstrates that GPM evades detection across diverse auditing strategies—including statistical tests, privacy loss estimation, and implementation-level checks—while inducing substantial real-world privacy leakage. This work exposes critical risks posed by implementation-layer vulnerabilities in open-source DP libraries and underscores the necessity of rigorous formal verification and systematic auditing of DP deployments.

Differential privacy (DP) has become the gold standard for preserving individual privacy in data analysis. However, an implicit yet fundamental assumption underlying these rigorous privacy guarantees is the correct implementation and execution of DP mechanisms. Several incidents of unintended privacy loss have occurred due to numerical issues and inappropriate configurations of DP software, which have been successfully exploited in privacy attacks. To better understand the seriousness of defective DP software, we ask the following question: is it possible to elevate these passive defects into active privacy attacks while maintaining covertness? To address this question, we present the Gaussian pancake mechanism (GPM), a novel mechanism that is computationally indistinguishable from the widely used Gaussian mechanism (GM), yet exhibits arbitrarily weaker statistical DP guarantees. This unprecedented separation enables a new class of backdoor attacks: by indistinguishably passing off as the authentic GM, GPM can covertly degrade statistical privacy. Unlike the unintentional privacy loss caused by GM's numerical issues, GPM is an adversarial yet undetectable backdoor attack against data privacy. We formally prove GPM's covertness, characterize its statistical leakage, and demonstrate a concrete distinguishing attack that can achieve near-perfect success rates under suitable parameter choices, both theoretically and empirically. Our results underscore the importance of using transparent, open-source DP libraries and highlight the need for rigorous scrutiny and formal verification of DP implementations to prevent subtle, undetectable privacy compromises in real-world systems.