We are setting up a Federated Learning System including differential privacy and we have noticed that the implementation of the SVTProtocol is not consistent with the implementation in the paper Li et al., Privacy-preserving Federated Brain Tumour Segmentation, arXiv:1910.00962. The implementation differs from the paper in the following points:

- calculation of the threshold, Algo 2, Line 5: In the paper it is
`Lap(s/eps_2)`

and in the implementation`Lap(s/eps_1)`

- calculation of eps_2: The paper proposes
`eps_2 = ((2qs)**(2/3)) * eps_1`

and in the implementation it is`eps_2 = ((2q)**(2/3)) * eps_1`

- calculation of threshold noise, Algo 2, Line 8: In the paper it is
`Lap(2qs/eps_1)`

and in the implementation`Lap(2qs/eps_2)`

- calculation noisy answer, Algo 2, Line 9: In the paper it is
`Lap(qs/eps_3)`

and in the implementation`Lap(s/eps_3)`

The following questions arise for us now:

- is the implementation correct and what are the thoughts behind the changes?
- what guarantee does the implemented algorithm have? Is the guarantee
`(eps_1 + eps_2 + eps_3)-DP`

from the paper still valid?

Thank you for your support!

All the best,

Iwan