Machine learning models are increasingly served behind APIs. This renders private prediction, i.e., privatizing a model's outputs rather than its parameters, a natural privacy target: model outputs are lower-dimensional and far more stable to training-data changes than weights. While differential privacy (DP) cannot effectively exploit this as it calibrates noise to worst-case sensitivity that is intractable to bound for non-convex models, we argue that PAC privacy is a natural fit for private prediction. It is instance-based, and calibrates noise to a black-box function's empirical stability to control mutual-information (MI) leakage. The missing ingredient is efficient, adaptive composition. Serving predictions means answering a long stream of adaptively chosen queries from untrusted users; existing composition either fails under adaptivity, grows quadratically, or reverts to input-independent, DP-like noise. We close this gap with a new adversarial composition result via adaptive noise calibration and prove that MI accumulates only linearly under adaptive and adversarial querying. Experiments across modalities show that prediction stability enables high utility even at a tiny per-query budget: on CIFAR-10, we achieve 87.79% accuracy with a per-query MI budget of $2^{-32}$. This enables serving one million queries while provably bounding membership-inference success to 51.08% -- the same guarantee as $(0.04, 10^{-5})$-DP. Further, in the presence of auxiliary public data, the large volume of PAC-private predictions enables us to distill a publishable model that can be queried without limit. Concretely, 210,000 private labels on an ImageNet subset distill into a student reaching 91.86% accuracy on CIFAR-10 with membership inference success bounded by 50.49%, comparable to $(0.02, 10^{-5})$-DP.
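The linear accounting described above can be sketched as a query-budget gate; this is an added example, not code from the paper. It assumes the membership-inference bound is obtained by inverting the binary KL divergence at a 50% prior with MI measured in nats (an assumption that reproduces the abstract's 51.08% and 50.49% figures); the names `max_success` and `MIBudget` are hypothetical.

```python
import math

def binary_kl(p, q):
    """KL(Bern(p) || Bern(q)) in nats."""
    total = 0.0
    for a, b in ((p, q), (1.0 - p, 1.0 - q)):
        if a > 0.0:
            total += a * math.log(a / b)
    return total

def max_success(total_mi, prior=0.5):
    """Largest success rate p >= prior with KL(p || prior) <= total_mi.

    Assumed bound: the adversary's posterior success cannot exceed this p
    when the total mutual information leaked is total_mi nats.
    """
    lo, hi = prior, 1.0
    for _ in range(200):              # bisection; KL is increasing on [prior, 1]
        mid = (lo + hi) / 2.0
        if binary_kl(mid, prior) <= total_mi:
            lo = mid
        else:
            hi = mid
    return lo

class MIBudget:
    """Linear accountant: total MI after n answered queries is n * per_query_mi."""

    def __init__(self, per_query_mi, success_cap, prior=0.5):
        self.per_query_mi = per_query_mi
        self.success_cap = success_cap
        self.prior = prior
        self.answered = 0

    def bound_after(self, n):
        return max_success(n * self.per_query_mi, self.prior)

    def max_queries(self):
        # Number of queries whose summed MI still keeps the bound under the cap.
        return math.floor(binary_kl(self.success_cap, self.prior) / self.per_query_mi)

    def admit(self):
        """Answer one more query only if the bound stays at or below the cap."""
        if self.bound_after(self.answered + 1) > self.success_cap:
            return False
        self.answered += 1
        return True

if __name__ == "__main__":
    per_query = 2.0 ** -32            # per-query MI budget from the abstract
    for n in (1_000_000, 210_000):    # query counts from the abstract
        print(n, f"{100 * max_success(n * per_query):.2f}%")
```

A serving gateway would call `admit()` before releasing each noised prediction and stop answering once it returns `False`.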