Deep learning models are often trained on data sets that contain sensitive information such as individuals’ shopping transactions, personal contacts, and medical records. An increasingly important line of work therefore has sought to train neural networks subject to privacy constraints that are specified by differential privacy or its divergence-based relaxations. These privacy definitions, however, have weaknesses in handling certain important primitives (composition and subsampling), thereby giving loose or complicated privacy analyses of training neural networks. In this article, we consider a recently proposed privacy definition termed -differential privacy (Dong, Roth, et al., 2019) for a refined privacy analysis of training neural networks. Leveraging the appealing properties of -differential privacy in handling composition and subsampling, this article derives analytically tractable expressions for the privacy guarantees of both stochastic gradient descent and Adam used in training deep neural networks, without the need of developing sophisticated techniques as Abadi et al. (2016) did. Our results demonstrate that the -differential privacy framework allows for a new privacy analysis that improves on the prior analysis (Abadi et al., 2016), which in turn suggests tuning certain parameters of neural networks for a better prediction accuracy without violating the privacy budget. These theoretically derived improvements are confirmed by our experiments in a range of tasks in image classification, text classification, and recommender systems. Python code to calculate the privacy cost for these experiments is publicly available in the TensorFlow Privacy
library.
Keywords: Gaussian differential privacy, deep learning, noisy gradient descent, central limit theorem, privacy accounting
In the era of big data, it is crucial and even urgent to develop algorithms that preserve the privacy of sensitive individual data while maintaining high utility. However, these two goals are generally competing with each other in the sense that privacy guarantees inevitably lead to utility loss. What is the optimal tradeoff between privacy and utility for a given machine learning task? This is a question that any data scientist caring about data privacy would ask.
In this article, the authors offer deep learning models with privacy guarantees in the framework of -differential privacy, which was recently proposed as a unifying generalization of several earlier privacy definitions. The authors train their private neural networks on multiple tasks that involve different types of data, including images, texts, and numeric data. Owing to the versatility of the -differential privacy framework, the experimental results demonstrate that this approach to private deep learning outperforms existing approaches in terms of the tradeoff between privacy and utility.
In many applications of machine learning, the data sets contain sensitive information about individuals such as location, personal contacts, media consumption, and medical records. Exploiting the output of the machine learning algorithm, an adversary may be able to identify some individuals in the data set, thus presenting serious privacy concerns. This reality gave rise to a broad and pressing call for developing privacy-preserving data analysis methodologies. Accordingly, there have been numerous investigations in the scholarly literature of many fields—statistics, cryptography, machine learning, and law—for the protection of privacy in data analysis.
Along this line, research efforts have repeatedly suggested the necessity of a rigorous and versatile definition of privacy. Among other things, researchers have questioned whether the use of a privacy definition gives interpretable privacy guarantees, and if so, whether this privacy definition allows for high accuracy of the private model among alternative definitions. In particular, anonymization as a syntactic and ad hoc privacy concept has been shown to generally fail to guarantee privacy. Examples include the identification of a homophobic individual in the anonymized Netflix Challenge data set (Narayanan & Shmatikov, 2008) and the identification of the health records of the then-Massachusetts governor in public anonymized medical data sets (Sweeney, 1997).
In this context, -differential privacy (DP) arose as a mathematically rigorous definition of privacy by Dwork et al. (2006). Today, this definition has developed into a firm foundation of private data analysis, with its applications deployed by Google (Erlingsson et al., 2014), Apple (2017), Microsoft (Ding et al., 2017), and the U.S. Census Bureau (Abowd, 2018). Despite its impressive popularity both in the scholarly literature and in industry, -DP is not versatile enough to handle composition, which is perhaps the most fundamental primitive in statistical privacy. For example, the training process of deep neural networks is in effect the composition of many primitive building blocks known as stochastic gradient descent (SGD). Under a modest privacy budget in the -DP sense, however, it was not clear how to maintain a high prediction accuracy of deep learning. This requires a tight privacy analysis of composition in the -DP framework. Indeed, the analysis of the privacy costs in deep learning was refined only recently using a sophisticated technique called the moments accountant by Abadi et al. (2016).
Ideally, we hope to have a privacy definition that allows for refined privacy analyses of various algorithms in a principled manner, without resorting to sophisticated techniques. Having a refined privacy analysis not only enhances the trustworthiness of the models but can also be leveraged to improve the prediction accuracy by trading off privacy for utility. One possible candidate is -differential privacy, a relaxation of -DP that was recently proposed by Dong, Roth, and Su (2019). This new privacy definition faithfully retains the hypothesis testing interpretation of differential privacy and can losslessly reason about common primitives associated with differential privacy, including composition, privacy amplification by subsampling, and group privacy. In addition, -DP includes a canonical single-parameter family that is referred to as Gaussian differential privacy (GDP). Notably, GDP is the focal privacy definition due to a central limit theorem (CLT) that states that the privacy guarantees of the composition of private algorithms are approximately equivalent to distinguish two shifted normal distributions.
The main results of this article show that -DP offers a rigorous and versatile framework for developing private deep learning methodologies.1 Our guarantee provides protection against an attacker with knowledge of the network architecture as well as the model parameters, which is in the same spirit as Shokri and Shmatikov (2015) and Abadi et al. (2016). In short, this article delivers the following messages concerning -DP:
Closed-form privacy bounds. In the -DP framework, the overall privacy loss incurred in training neural networks admits an amenable closed-form expression. In contrast, the privacy analysis via the moments accountant must be done by numerical computation (see Abadi et al., 2016), and the implicit nature of this earlier approach can hinder our understanding of how the tuning parameters affect the privacy bound. This is discussed in Section 3.1.
Stronger privacy guarantees. The -DP approach gives stronger privacy guarantees than the earlier approach by Abadi et al. (2016), even in terms of -DP. This improvement is due to the use of the central limit theorem for -DP, which accurately captures the privacy loss incurred at each iteration in training the deep learning models. This is presented in Section 3.2. and illustrated with numerical experiments in Section 4.1.
Improved prediction accuracy. Leveraging the stronger privacy guarantees provided by -DP, we can trade a certain amount of privacy for an improvement in prediction performance. This can be realized, for example, by appropriately reducing the amount of noise added during the training process of neural networks so as to match the target privacy level in terms of -DP. See Section 3.2 and Section 4.2 for the development of this utility improvement.
The remainder of the article is structured as follows. In Section 1.1 we provide a brief review of related literature. Section 2 introduces -DP and its basic properties at a minimal level. Next, in Section 3 we analyze the privacy cost of training deep neural networks in terms of -DP and compare it to the privacy analysis using the moments accountant. In Section 4, we present numerical experiments to showcase the superiority of the -DP approach to private deep learning in terms of test accuracy and privacy guarantees. The article concludes with a discussion in Section 5.
There are continued efforts to understand how privacy degrades under composition. Developments along this line include the basic composition theorem and the advanced composition theorem by Dwork, Kenthapadi, McSherry, Mironov, and Naor (2006) and Dwork, Rothblum, and Vadhan (2010). In a pioneering work, Kairouz, Oh, and Viswanath (2017) obtained an optimal composition theorem for -DP, which in fact served as one of the motivations for the -DP work by Dong, Roth, et al. (2019). However, it is #P hard to compute the privacy bounds from their composition theorem (see Murtagh & Vadhan, 2016). More recently, Dong, Durfee, and Rogers (2019) derived sharp composition bounds on the overall privacy loss for exponential mechanisms.
From a different angle, a substantial recent effort has been devoted to relaxing differential privacy using divergences of probability distributions to overcome the weakness of -DP in handling composition (see Bun et al., 2018; Bun & Steinke, 2016; Dwork & Rothblum, 2016; and Mironov, 2017). Unfortunately, these relaxations either lack a privacy amplification by subsampling argument or present a quite complex argument that is difficult to use as in Balle et al. (2018) and Wang et al. (2019). As subsampling is inherently used in training neural networks, therefore, it is difficult to directly apply these relaxations to the privacy analysis of deep learning.
To circumvent these technical difficulties associated with -DP and its divergence-based relaxations, Abadi et al. (2016) invented a technique termed "the moments accountant" to track detailed information of the privacy loss in the training process of deep neural networks. Using the moments accountant, their analysis significantly improves on earlier privacy analysis of SGD (e.g., by Bassily et al., 2014; Shokri & Shmatikov, 2015; Song et al., 2013; and Zhang et al., 2017) and allows for meaningful privacy guarantees for deep learning trained on realistically sized data sets. This technique has been extended to a variety of situations by follow-up work from McMahan et al. (2018) and Pichapati et al. (2019). In contrast, our approach to private deep learning in the -DP framework leverages some powerful tools of this new privacy definition, nevertheless providing a sharper privacy analysis, as seen both theoretically and empirically in Sections 3 and 4.
For completeness, we remark that different approaches have been put forward to incorporate privacy considerations into deep learning, without leveraging the iterative and subsampling natures of training deep learning models. This line of work includes training a private model by an ensemble of “teacher” models by Papernot et al. (2018) and Papernot et al. (2016), the development of noised federated averaging algorithms by McMahan et al. (2017), and analyzing privacy costs through the lens of the optimization landscape of neural networks by Xiang et al. (2019).
In the differential privacy framework, we envision an adversary that is well-informed about the data set except for a single individual, and the adversary seeks to determine whether this individual is in the data set on the basis of the output of an algorithm. Roughly speaking, the algorithm is considered private if the adversary finds it hard to determine the presence or absence of any individual.
Informally, a data set can be thought of as a matrix, whose rows each contain one individual’s data. Two data sets are said to be neighbors if one can be derived by discarding an individual from the other. As such, the sizes of neighboring data sets differ by one.2 Let and be neighboring data sets, and be two numbers, and denote by a (randomized) algorithm that takes as input a data set.
Definition 2.1 (Dwork, Kenthapadi, et al., 2006; Dwork, McSherry, et al., 2006). A (randomized) algorithm gives -differential privacy if for any pair of neighboring data sets and any event ,
To achieve privacy, the algorithm is necessarily randomized, whereas the two data sets in Definition 2.1 are deterministic. This privacy definition ensures that, based on the output of the algorithm, the adversary has a limited (depending on how small are) ability to identify the presence or absence of any individual, regardless of whether any individual opts into or opts out of the data set.
In essence, the adversary seeks to distinguish the two probability distributions and using a single draw. In light of this observation, it is natural to interpret what the adversary does as testing two simple hypotheses:
The connection between differential privacy and hypothesis testing was, to our knowledge, first noted in Wasserman & Zhou (2010), and was later developed in Kairouz et al. (2017), Liu et al. (2019), and Balle et al. (2019). Intuitively, privacy is well guaranteed if the hypothesis testing problem is hard. Following this intuition, the definition of -DP essentially uses the worst-case likelihood ratio of the distributions and to measure the hardness of testing the two simple hypotheses.
Is there a more informative measure of the hardness? In Dong, Roth, et al. (2019), the authors propose to use the trade-off between type I error (the probability of erroneously rejecting when is true) and type II error (the probability of erroneously accepting when is true) in place of a few privacy parameters in -DP or divergence-based DP definitions. To formally define this new privacy definition, let and denote the distributions of and , respectively, and let be any (possibly randomized) rejection rule for testing against . With these in place, Dong, Roth, et al. (2019) define the trade-off function of and as
Above, and are type I and type II errors of the rejection rule , respectively. Writing , the definition says that is the minimum type II error among all tests at significance level . Note that the minimum can be achieved by taking the likelihood ratio test, according to the Neymann–Pearson lemma. As is self-evident, the larger the trade-off function is, the more difficult the hypothesis testing problem is (hence more privacy). This motivates the following privacy definition.
Definition 2.2 (Dong, Roth, et al., 2019). A (randomized) algorithm is -differentially private if
for all neighboring data sets and .
In this definition, both and are functions that take as input and the inequality holds pointwise for all , and we abuse notation by identifying and with their associated distributions. This privacy definition is easily interpretable due to its inherent connection with the hypothesis-testing problem. By adapting a result due to Wasserman & Zhou (2010), -DP is a special instance of -DP in the sense that an algorithm is -DP if and only if it is -DP with
The more intimate relationship between the two privacy definitions is that they are dual to each other: briefly speaking, -DP ensures -DP with for every .3
Next, we define a single-parameter family of privacy definitions within the -DP class for a reason that will be apparent later. Let for . Note that this trade-off function admits a closed-form expression , where is the cumulative distribution function of the standard normal distribution.
Definition 2.3 (Dong, Roth, et al., 2019). A (randomized) algorithm is -Gaussian differentially private (GDP) if
for all neighboring data sets and .
In words, -GDP says that determining whether any individual is in the data set is at least as difficult as distinguishing the two normal distributions and based on one draw. The Gaussian mechanism serves as a template to achieve GDP. Consider the problem of privately releasing a univariate statistic . The Gaussian mechanism adds noise to the statistic , which gives -GDP if . Here the sensitivity of is defined as , where the supremum is over all neighboring data sets.
Deep learning models are trained using the composition of many SGD updates. Broadly speaking, composition is concerned with a sequence of analyses on the same data set where each analysis is informed by the explorations of prior analyses. A central issue that every privacy definition is faced with is to pinpoint how the overall privacy guarantee degrades under composition. Formally, letting be the first algorithm and be the second, we define their composition algorithm as . Roughly speaking, the composition is to ‘release all information that is learned by the algorithms.’ Notably, the second algorithm can take as input the output of in addition to the data set . In general, the composition of more than two algorithms follows recursively.
To introduce the composition theorem for -DP, Dong, Roth, et al. (2019) define a binary operation on trade-off functions. Given trade-off functions and , let . This definition depends on the distributions only through and . Moreover, is commutative and associative. Now the composition theorem can be readily stated as follows. Let be -DP conditionally on any output of the prior algorithms for . Then their -fold composition algorithm is -DP. This result shows that the composition of algorithms in the -DP framework is reduced to performing the operation on the associated trade-off functions. As an important fact, the privacy bound in general cannot be improved. Put more precisely, one can find an -DP mechanism for such that their composition is precisely -DP (see the discussion following Theorem 4 in Dong, Roth, et al., 2019).
More profoundly, a central limit theorem phenomenon arises in the composition of many ‘very private’ -DP algorithms in the following sense: the trade-off functions of small privacy leakage accumulate to for some under composition. Informally, assuming each is very close to , which corresponds to perfect privacy, then we have
if the number of iterations is sufficiently large.4 This central limit theorem approximation is especially suitable for the privacy analysis of deep learning, where the training process typically takes at least tens of thousands of iterations. The privacy parameter depends on some functionals such as the Kullback–Leibler divergence of the trade-off functions. The central limit theorem yields a very accurate approximation in the settings considered in Section 4 (see numerical confirmation in Appendix A). For a rigorous account of this central limit theorem for differential privacy, see Theorem 6 in Dong, Roth, et al. (2019). We remark that a conceptually related article by Sommer et al. (2018) developed a central limit theorem for privacy loss random variables.
At a high level, this convergence-to-GDP result brings GDP to the focal point of the family of -DP guarantees, implying that GDP is to -DP as normal random variables are to general random variables. Furthermore, this result serves as an effective approximation tool for approximating the privacy guarantees of composition algorithms. In contrast, privacy loss cannot be losslessly tracked under composition in the -DP framework.
Next, we turn to the subsampling property of -DP. In training neural networks, the gradient at each iteration is computed from a mini-batch that is subsampled from the training examples. Intuitively, an algorithm applied to a subsample gives stronger privacy guarantees than when applied to the full sample. Looking closely, this privacy amplification is due to the fact that an individual enjoys perfect privacy if not selected in the subsample. A concrete and pressing question is, therefore, to precisely characterize how much privacy is amplified by subsampling in the -DP framework.
Consider the following sampling scheme: for each individual in the data set , include his or her datum in the subsample independently with probability , which is sometimes referred to as the Poisson subsampling (see Wang et al., 2019). The resulting subsample is denoted by . For the purpose of clearing up any confusion, we remark that the subsample has a random size and as an intermediate step is not released. Given any algorithm , denote by the subsampled algorithm.
The subsampling theorem for -DP states as follows. Let be -DP, write for , and denote by the inverse5 of . It is proved in Appendix A that the subsampled algorithm satisfies
if can be obtained by removing one individual from . Likewise,
As such, the two displays above say that the trade-off function of on any neighboring data sets is lower bounded by which however is in general non convex and thus is not a trade-off function. This suggests that we can boost the privacy bound by replacing with its double conjugate , which is the greatest convex lower bound of and is indeed a trade-off function. Taken together, all the pieces show that the subsampled algorithm is -DP.
Notably, the privacy bound is larger than and cannot be improved in general. In light of the above, the -DP framework is flexible enough to nicely handle the analysis of privacy amplification by subsampling. In the case where the original algorithm is -DP, this privacy bound strictly improves on the subsampling theorem for -DP by Li et al. (2012).
SGD and Adam (Kingma & Ba, 2014) are among the most popular optimizers in deep learning. Here we introduce a new privacy analysis of a private variant of SGD in the -DP framework and then extend the study to a private version of Adam.
Letting denote the data set, we consider minimizing the empirical risk
where denotes the weights of the neural networks and is a loss function. At iteration , a mini-batch is selected from with subsampling probability , thereby having an approximate size of . Taking learning rate and initial weights , the vanilla SGD updates the weights according to
To preserve privacy, Bassily et al. (2014), Chaudhuri et al. (2011), Song et al. (2013), and Abadi et al. (2016) introduce two modifications to the vanilla SGD. First, a clip step is applied to the gradient so that the gradient is in effect bounded. This step is necessary to have a finite sensitivity. The second modification is to add Gaussian noise to the clipped gradient, which is equivalent to applying the Gaussian mechanism to the updated iterates. Formally, the private SGD algorithm is described in Algorithm 1. Herein is the identity matrix, denotes the norm, and we abuse notation by using to denote the number of iterations. Formally, we present this in Algorithm 1, which we henceforth refer to as NoisySGD
. As a contribution of the present paper, NoisySGD
uses the Poisson subsampling, as opposed to the uniform sampling used in Dong, Roth, et al. (2019). For completeness, we remark that there is another possible subsampling method: shuffling (randomly permuting and dividing data into folds at each epoch). We emphasize that different subsampling mechanisms produce different privacy guarantees.
Algorithm 1 | |||
---|---|---|---|
Input: | data set , loss function . | ||
Parameters: | initial weights , learning rate , subsampling probability , number of iterations , noise scale , gradient norm bound . | ||
for | t= 0,...,T−1 do Take a Poisson subsample It ⊆ {1,...,n} with subsampling probability p for i ∈ It do | ||
| >Clip gradient >Apply Gaussian mechanism | ||
Output: |
The analysis of the overall privacy guarantee of NoisySGD
makes heavy use of the compositional and subsampling properties of -DP. We first focus on the privacy analysis of the step that computes from . Let denote the gradient update and write for the mini-batch (we drop the subscript for simplicity). This allows us to use to represent what NoisySGD
does at each iteration. Next, note that adding or removing one individual would change the value of by at most in the norm due to the clipping operation, that is, has sensitivity . Consequently, the Gaussian mechanism with noise standard deviation ensures that is -GDP. With a few additional arguments, in Appendix B we show that NoisySGD
is -DP with . As a remark, it has been empirically observed in Abadi et al. (2016) and Bagdasaryan et al. (2019) that the performance of the private neural networks is not sensitive to the choice of the clipping norm bound (see more discussion in Pichapati et al., 2019, and Xu et al., 2019).
To facilitate the use of this privacy bound, we now derive an analytically tractable approximation of using the privacy central limit theorem in a certain asymptotic regime, which further demonstrates the mathematical coherence and versatility of the -DP framework. The central limit theorem shows that, in the asymptotic regime where for a constant as ,
where . Thus, the overall privacy loss in the form of the double conjugate satisfies
As such, the central limit theorem demonstrates that NoisySGD
is approximately -GDP. Denoting by the mini-batch size, the privacy parameter equals . Intuitively, this reveals that NoisySGD
gives good privacy guarantees if is small and is not too small.
As an aside, we remark that this new privacy analysis is different from the one performed in section 5 of Dong, Roth, et al. (2019). Therein, the authors consider Algorithm 1 with uniform subsampling and obtain a privacy bound that is different from the one in the present article.
Next, we present a private version of Adam in Algorithm 2, which we refer to as NoisyAdam
and can be found in Tensorflow (2019). This algorithm has the same privacy bound as NoisySGD
in the -DP framework. In short, this is because the momentum and are deterministic functions of the noisy gradients and no additional privacy cost is incurred due to the post-processing property of differential privacy. In passing, we remark that the same argument applies to AdaGrad (Duchi et al., 2011) and therefore it is also asymptotically GDP in the same asymptotic regime.
Algorithm 2 | |||
---|---|---|---|
Input: | data set , loss function . | ||
Parameters: | initial weights , learning rate , subsampling probability , number of iterations , noise scale , gradient norm bound , momentum parameters , initial momentum , initial past squared gradient , and a small constant . | ||
for | t = 0,...,T− 1 do Take a Poisson subsample It ⊆ {1,...,n} with subsample probability p for i ∈ It do | ||
| >Clip gradient | ||
>Apply Gaussian mechanism > is the Hadamard product >Component-wise division | |||
Output: |
It is instructive to compare the moments accountant with our privacy analysis performed in Section 3.1 using the -DP framework. Developed in Abadi et al. (2016), the moments accountant gives a tight one-to-one mapping between and for specifying the overall privacy loss in terms of -DP under composition, which is beyond the reach of the advanced composition theorem by Dwork et al. (2010). In slightly more detail, the moments accountant uses the moment-generating function of the privacy loss random variable to track the privacy loss under composition. As abuse of notation, this article uses functions and to denote the mapping induced by the moments accountant in both directions6. For self-containedness, the appendix includes a formal description of the two functions.
Although NoisySGD
and NoisyAdam
are our primary focus, the following discussion applies to general iterative algorithms where composition must be addressed in the privacy analysis. Let algorithm be -DP for and write for their composition. On the one hand, the moments accountant technique ensures that is -DP for any or, put equivalently,7 is -DP. On the other hand, the composition algorithm is -DP from the -DP viewpoint and, following from the central limit theorem (2.2), this composition can be shown to be approximately GDP in a certain asymptotic regime. For example, both NoisySGD
and NoisyAdam
presented in and Algorithm 1 and Algorithm 2, respectively, asymptotically satisfy -GDP with privacy parameter
In light of the above, it is tempting to ask which of the two approaches yields a sharper privacy analysis. In terms of -DP guarantees, it must be the latter, which we refer to as the CLT
approach, because the composition theorem of -DP is tight and, more importantly, the privacy central limit theorem is asymptotically exact. To formally state the result, note that the moments accountant asserts that the private optimizer is -DP for all , which is equivalent to -DP by recognizing (2.1) (see also Proposition 2.11 in Dong, Roth, et al., 2019). Roughly speaking, the following theorem says that -DP (asymptotically) promises no more privacy guarantees than the bound of -GDP given by the CLT
approach. This simple result is summarized by the following theorem and see Appendix B for a formal proof of this result.
Theorem 1 (Comparison in -DP). Assume that converges to a positive constant as . Then, both and satisfy
for every .
Remark 1. For ease of reading, we point out that, in the -DP framework, the smaller are, the more privacy is guaranteed. In contrast, in the -DP framework, the smaller is, the less privacy is guaranteed.
From the -DP viewpoint, however, the question as to which approach gives a sharper privacy analysis is presently unclear. Explicitly, the duality between -DP and -DP shows that -GDP implies -DP for all , where8
Answering the question is, therefore, reduced to the comparison between and or, equivalently9, between and .
Theorem 2 (Comparison in -DP). Under the assumptions of Theorem 1, the -DP framework gives an asymptotically sharper privacy analysis of both and than the moments accountant in terms of -DP. That is,
for all .
In words, the CLT
approach in the -DP framework allows for an asymptotically smaller than the moments accountant at the same . It is worthwhile mentioning that the inequality in this theorem holds for any finite if is derived by directly applying the duality to the (exact) privacy bound . Equivalently, the theorem says that for10 any . As such, by setting the same in both approaches, say , the -DP based CLT
approach shall give a smaller value of .
From a practical viewpoint, this refined privacy analysis allows us to trade privacy guarantees for improvement in utility. More precisely, recognizing the aforementioned conclusion that (for sufficiently large ) and that increases as increases, one can find such that
Put differently, we can carefully adjust some parameters in Algorithm 1 and Algorithm 2 in order to let the algorithms be -GDP. For example, we can reduce the scale of the added noise from to a certain , which can be solved from (3.3) and
Note that this is adapted from (3.1).
Figure 1 shows the flowchart of the privacy analyses using the two approaches and their relationship. In addition, numerical comparisons are presented in Figure 2, consistently demonstrating the superiority of the CLT
approach.
Figure 2. Tradeoffs between ε and δ for both |
In this section, we use NoisySGD
and NoisyAdam
to train private deep learning models on data sets for tasks ranging from image classification (MNIST), text classification (IMDb movie review), recommender systems (MovieLens movie rating), to regular binary classification (Adult income). Note that these data sets all contain sensitive information about individuals, and this fact necessitates privacy consideration in the training process. Code to reproduce the results using the TensorFlow Privacy
library is available at https://github.com/tensorflow/privacy/tree/master/research/GDP_2019.
This section demonstrates the utility and practicality of the private deep learning methodologies with associated privacy guarantees in terms of -DP. In Section 4.2, we extend the empirical study to the -DP framework. Throughout the experiments, the parameter we use always satisfies , where is the number of training examples.
The MNIST data set, created by LeCun & Cortes (2010), contains 60,000 training images and 10,000 test images. Each image is in gray-scale representing a handwritten digit ranging from 0 to 9. We train neural networks with the same architecture (two convolutional layers followed by one dense layer) as in Tensorflow (2019) and Abadi et al. (2016) on this data set. Throughout the experiment, we set the subsampling probability to and use a constant learning rate .
Table 1 displays the test accuracy of the neural networks trained by NoisySGD
as well as the associated privacy analyses. The privacy parameters in the last two columns are both with respect to . Over all six sets of experiments with different tuning parameters, the CLT
approach gives a significantly smaller value of than the moments accountant, which is consistent with our discussion in Section 3.2. The point we wish to emphasize, however, is that -DP offers a much more comprehensive interpretation of the privacy guarantees than -DP. For instance, the model from the third row preserves a decent amount of privacy since it is not always easy to distinguish and . In stark contrast, the -DP viewpoint is too conservative, suggesting that for the same model not much privacy is left, due to a very large ‘likelihood ratio’ in Definition 2.1: it equals or depending on which approach is chosen. This shortcoming of -DP cannot be overcome by taking a larger , which, although giving rise to a smaller , would undermine the privacy guarantee from a different perspective.
NoisySGD
and their privacy analyses on MNIST.Epochs | Test accuracy (%) |
|
|
| |||
---|---|---|---|---|---|---|---|
0.25 | 1.5 | 1.3 | 15 | 95.0 | 0.23 | 0.83 | 1.19 |
0.15 | 1.0 | 1.1 | 60 | 96.6 | 0.57 | 2.32 | 3.01 |
0.25 | 1.5 | 0.7 | 45 | 97.0 | 1.13 | 5.07 | 7.10 |
0.25 | 1.5 | 0.6 | 62 | 97.6 | 2.00 | 9.98 | 13.27 |
0.25 | 1.5 | 0.55 | 68 | 97.8 | 2.76 | 14.98 | 18.72 |
0.25 | 1.5 | 0.5 | 100 | 98.0 | 4.78 | 31.12 | 32.40 |
Note. The accuracy is averaged over 10 independent runs. The hyperparameters in the first three rows are the same as in Tensorflow (2019). The in the 6th column is calculated using (3.1), which carries over to the 7th column via (3.2) with . The number of epochs is equal to .
For all experiments described in Table 1, Figure 3 illustrates the privacy bounds given by the CLT
approach and the moments accountant both in terms of trade-off functions. The six plots in the first and third rows are with respect to , from which the -DP framework is seen to provide an analyst with substantial improvements in the privacy bounds. Note that the first row in Figure 3 corresponds to the first three rows in Table 1, and the third row in Figure 3 corresponds to the last three rows in Table 1. For the model corresponding to 96.6% test accuracy, concretely, the minimum sum of type I and type II errors in the sense of hypothesis testing is (at least) by the CLT
approach, whereas it is merely (at least) by the moments accountant. For completeness, we show the optimal trade-off functions over all pairs of given by the moments accountant in the middle row. The gaps between the two approaches exist, as predicted by Theorem 1, and remain significant.
Figure 3. Comparisons between the two ways of privacy analysis on MNIST in terms of the trade-off between type I and type II errors, in the same setting as Table 1. The plots are different from Figure 7 in Dong, Roth, et al. (2019). The ()-DP guarantees are plotted according to (2.1). The blue regions in the plots from the second row correspond to all pairs of () computed by . The blue regions are not noticeable in the third row. |
Next, we extend our experiments to other data sets to further test -DP for training private neural networks. The experiments compare private models under the privacy budget to their non-private counterparts and some popular baseline methods. For simplicity, we focus on shallow neural networks and leave the investigation of complex architectures for future research.
Originally from the UCI repository in Dua and Graff (2017), the Adult income data set has been preprocessed into the LIBSVM format by Chang and Lin (2011). This data set contains 32,561 examples, each of which has 123 features and a label indicating whether the individual’s annual income is more than $50,000 or not. We randomly choose of the examples as the test set (3,256 examples) and use the remaining 29,305 examples as the training set.
Our model is a single-layer multi-perceptron with 16 neurons and the ReLU activation. We set , , , and use NoisySGD
as our optimizer. The results displayed in Table 2 show that our private model achieves performance comparable to the baselines in the MLC++ library by Kohavi et al. (1996) in terms of test accuracy.
NoisySGD
on the adult income data set.Models | Epochs | Test accuracy (%) |
|
|
|
---|---|---|---|---|---|
private networks | 18 | 84.0 | 2.03 | 10.20 | 14.70 |
non-private networks | 20 | 84.5 | — | — | — |
NN (Cover & Hart, 1967) | — | 79.7 | — | — | — |
naive Bayes | — | 83.9 | — | — | — |
voted ID3 (Quinlan, 1986) | — | 84.4 | — | — | — |
C4.5 (Quinlan, 2014) | — | 84.5 | — | — | — |
Note. The parameters are with respect to .
We use the IMDb movie review data set from Maas et al. (2011) for binary sentiment classification (positive or negative reviews). The data set contains 25,000 training and 25,000 test examples. In our experiments, we preprocess the data set by including only the top 10,000 frequently used words and discard the rest. Next, we set every example to have 256 words by truncating the length or filling with zeros if necessary.
In our neural networks, the input is first embedded into 16 units and then is passed through a global average pooling. The intermediate output is fed to a fully-connected layer with 16 neurons, followed by a ReLU layer. We set , , , and use NoisyAdam
as our optimizer, which is observed to converge much faster than NoisySGD
in this training task. We use the (non private) two-layer LSTM RNN model in the Tensorflow tutorials as a baseline model. Table 3 reports the experimental results. Notably, the private neural networks perform comparably to the baseline model, at a cost of only one percent drop in test accuracy compared to the non-private counterpart.
NoisyAdam
on the IMDB data set, with used in the privacy analyses.Models | Epochs | Test accuracy (%) |
|
|
|
---|---|---|---|---|---|
private networks | 9 | 83.8 | 2.07 | 10.43 | 15.24 |
non-private networks | 20 | 84.7 | — | — | — |
LSTM-RNN | 10 | 85.4 | — | — | — |
(Hochreiter & Schmidhuber, 1997) |
The MovieLens movie rating data set from Harper and Konstan (2016) is a benchmark data set for recommendation tasks. Our experiments consider the MovieLens 1M data set, which contains 1,000,209 movie ratings from 1 star to 5 stars. In total, there are 6,040 users who rated 3,706 different movies. For this multi-class classification problem, the root mean squared error (RMSE) is chosen as the performance measure. It is worthwhile to mention that, as each user watched only a small fraction of all the movies, most (user, movie) pairs correspond to missing ratings. We randomly sample 20% of the examples as the test set and take the remainder as the training set.
Our model is a simplified version of the neural collaborative filtering in He et al. (2017). The network architecture consists of two branches. The left branch applies generalized matrix factorization to embed the users and movies using five latent factors. The output of the user embedding is multiplied by the item embedding. In the right branch, we use 10 latent factors for embedding. The embedding from both branches are then concatenated, which is fed to a fully connected output layer. We set , and in NoisyAdam
.
NoisyAdam
on the MovieLens 1M data set, with used in the privacy analyses.Models | Epochs | RMSE |
|
|
|
---|---|---|---|---|---|
private networks | 20 | 0.915 | 1.94 | 10.61 | 15.39 |
non-private networks | 20 | 0.893 | — | — | — |
SVD | — | 0.873 | — | — | — |
NMF | — | 0.916 | — | — | — |
user-based CF (Sarwar et al., 2001) | — | 0.923 | — | — | — |
global average | — | 1.117 | — | — | — |
Note. CF stands for collaborative filtering.
Table 4 presents the numerical results of our neural networks as well as baseline models in the Surprise
library from Hug (2017) in their default settings. The difference in RMSE between the non-private networks and the private one is relatively large for the MovieLens 1M data set. Nevertheless, the private model still outperforms many popular non-private models, including the user-based collaborative filtering and nonnegative matrix factorization.
While we hope that the -DP perspective has been conclusively demonstrated to be advantageous, this section shows that the CLT
approach continues to bring considerable benefits even in terms of -DP. Specifically, by making use of the comparisons between the CLT
approach and the moments accountant in Section 3.2, we can add less noise to the gradients in NoisySGD
and NoisyAdam
while achieving the same -DP guarantees provided by the moments accountant. With less added noise, conceivably, an optimizer would have a higher prediction accuracy.
Figure 4 illustrates the experimental results on MNIST. In the top two plots, we set the noise scales to , which are both shown to give -DP at epoch 20 using the moments accountant and the CLT
approach, respectively. The test accuracy associated with the CLT
approach is almost always higher than that associated with the moments accountant. In addition, another benefit of taking the CLT
approach is that it gives rise to stronger privacy protection before reaching epoch 20, as shown by the right plot. For the bottom plots, although the improvement in test accuracy at the end of training is less significant, the CLT
approach leads to much faster convergence at early epochs. To be concrete, the numbers of epochs needed to achieve , and test accuracy are , and , respectively, for the neural networks with less noise, whereas the numbers of epochs are , and , respectively, using a noise level that is computed by the moments accountant. In a similar vein, the moments accountant gives a test accuracy of 92% for the first time when and the CLT
approach achieves 96% under the same privacy budget.
Figure 4. Experimental results from one run of |
In this article, we have showcased the use of -DP, a very recently proposed privacy definition, for training private deep learning models using SGD or Adam. Owing to its strength in handling composition and subsampling and the powerful privacy central limit theorem, the -DP framework allows for a closed-form privacy bound that is sharper than the one given by the moments accountant in the -DP framework. Employing numerical experiments, we show that the trained neural networks can be quite private from the -DP viewpoint (for instance, -GDP11) but are not in the -DP sense due to overly conservative privacy bounds (for instance, -DP) computed in the -DP framework. This in turn suggests that one can add less noise during the training process while having the same privacy guarantees as using the moments accountant, thereby improving model utility.
We conclude this article by offering several directions for future research. As the first direction, we may consider using time-dependent noise scales and learning rates in NoisySGD
and NoisyAdam
for a better tradeoff between privacy loss and utility in the -DP framework. Note that Lee and Kifer (2018) made considerable progress using concentrated differential privacy along this line. More generally, a straightforward but interesting problem is to extend this work to complex neural network architectures with a variety of optimization strategies. For example, can we develop some guidelines for choosing an optimizer among NoisySGD
, NoisyAdam
, and others for a given classification problem under some privacy constraint? Empirically, deep learning models are very sensitive to hyperparameters such as mini-batch size in terms of test accuracy. Therefore, from a practical standpoint, it would be of great importance to incorporate hyperparameter tuning into the -DP framework (see Gupta et al., 2010). Inspired by Lecuyer et al. (2019), another interesting direction is to explore the possible relationship between -DP guarantees and adversarial robustness of neural networks. Given -DP’s good interpretability and powerful toolbox, it is worthwhile investigating whether, from a broad perspective, its superiority over earlier differential privacy relaxations would hold in general private statistical and machine learning tasks. We look forward to more research efforts to further the theory and extend the use of -DP.
We are grateful to David Durfee, Ryan Rogers, Aaron Roth, and Qinqing Zheng for stimulating discussions in the early stages of this work. We would also like to thank two anonymous referees for their constructive comments that improved the presentation of the paper. This work was supported in part by NSF through CAREER DMS-1847415, CCF-1763314, and CCF-1934876, the Wharton Dean’s Research Fund, and NIH through R01GM124111 and RF1AG063481.
Zhiqi Bu, Jinshuo Dong, Qi Long, and Weijie Su have no financial or non-financial disclosures to share for this article.
Abadi, M., Chu, A., Goodfellow, I., McMahan, H. B., Mironov, I., Talwar, K., & Zhang, L. (2016). Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 308–318). https://doi.org/10.1145/2976749.2978318
Abowd, J. M. (2018). The US Census Bureau adopts differential privacy. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 2867–2867). https://doi.org/10.1145/3219819.3226070
Bagdasaryan, E., Poursaeed, O., & Shmatikov, V. (2019). Differential privacy has disparate impact on model accuracy. In 33rd Conference on Neural Information Processing Systems (NeurIPS 2019). http://papers.nips.cc/paper/9681-differential-privacy-has-disparate-impact-on-model-accuracy
Balle, B., Barthe, G., & Gaboardi, M. (2018). Privacy amplification by subsampling: Tight analyses via couplings and divergences. In 31st Conference on Neural Information Processing Systems (NeurIPS 2018) (pp. 6280–6290). http://papers.nips.cc/paper/7865-privacy-amplification-by-subsampling-tight-analyses-via-couplings-and-divergences
Balle, B., Barthe, G., Gaboardi, M., Hsu, J., & Sato, T. (2019). Hypothesis testing interpretations and Renyi differential privacy. arXiv. https://doi.org/10.48550/arXiv.1905.09982
Bassily, R., Smith, A., & Thakurta, A. (2014). Private empirical risk minimization: Efficient algorithms and tight error bounds. In 2014 IEEE 55th Annual Symposium on Foundations of Computer Science (pp. 464–473). https://doi.org/10.1109/FOCS.2014.56
Bun, M., Dwork, C., Rothblum, G. N., & Steinke, T. (2018). Composable and versatile privacy via truncated CDP. In Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing (pp. 74–86). https://doi.org/10.1145/3188745.3188946
Bun, M., & Steinke, T. (2016). Concentrated differential privacy: Simplifications, extensions, and lower bounds. In Proceedings, Part I, of the 14th International Conference on Theory of Cryptography: Vol. 9985 (pp. 635–658). https://doi.org/10.1007/978-3-662-53641-4_24
Chang, C.-C., & Lin, C.-J. (2011). LIBSVM: A library for support vector machines. ACM Transactions on Intelligent Systems and Technology (TIST), 2(3), Article 27. https://doi.org/10.1145/1961189.1961199
Chaudhuri, K., Monteleoni, C., & Sarwate, A. D. (2011). Differentially private empirical risk minimization. Journal of Machine Learning Research, 12(29), 1069–1109. https://jmlr.org/papers/v12/chaudhuri11a.html
Cover, T., & Hart, P. (1967). Nearest neighbor pattern classification. IEEE Transactions on Information Theory, 13(1), 21–27. https://doi.org/10.1109/TIT.1967.1053964
Differential-Privacy-Team. (2017). Learning with privacy at scale. Apple. https://machinelearning.apple.com/research/learning-with-privacy-at-scale
Ding, B., Kulkarni, J., & Yekhanin, S. (2017). Collecting telemetry data privately. In Proceedings of the 30th Conference on Advances in Neural Information Processing Systems (NIPS 2017). http://papers.nips.cc/paper/6948-collecting-telemetry-data-privately
Dong, J., Durfee, D., & Rogers, R. (2019). Optimal differential privacy composition for exponential mechanisms and the cost of adaptivity. arXiv. https://doi.org/10.48550/arXiv.1909.13830
Dong, J., Roth, A., & Su, W. J. (2019). Gaussian differential privacy. arXiv https://doi.org/10.48550/arXiv.1905.02383
Dua, D., & Graff, C. (2017). UCI machine learning repository. University of California, Irvine, School of Information; Computer Sciences. http://archive.ics.uci.edu/ml
Duchi, J., Hazan, E., & Singer, Y. (2011). Adaptive subgradient methods for online learning and stochastic optimization. Journal of Machine Learning Research, 12(61), 2121–2159. https://jmlr.org/papers/v12/duchi11a.html
Dwork, C., Kenthapadi, K., McSherry, F., Mironov, I., & Naor, M. (2006). Our data, ourselves: Privacy via distributed noise generation. In S. Vaudenay (Ed.), Lecture Notes in Computer Science: Vol. 4004. Advances in Cryptology - EUROCRYPT 2006 (pp. 486–503). https://doi.org/10.1007/11761679_29
Dwork, C., McSherry, F., Nissim, K., & Smith, A. (2006). Calibrating noise to sensitivity in private data analysis. In S. Halevi & T. Rabin (Eds.), Lecture Notes in Computer Science: Vol. 3876. TCC 2006: Theory of Cryptography (pp. 265–284). https://doi.org/10.1007/11681878_14_14
Dwork, C., & Rothblum, G. N. (2016). Concentrated differential privacy. arXiv . https://doi.org/10.48550/arXiv.1603.01887
Dwork, C., Rothblum, G. N., & Vadhan, S. (2010). Boosting and differential privacy. In 2010 IEEE 51st Annual Symposium on Foundations of Computer Science (pp. 51–60). https://doi.org/10.1109/FOCS.2010.12
Erlingsson, Ú., Pihur, V., & Korolova, A. (2014). RAPPOR: Randomized aggregatable privacy-preserving ordinal response. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (pp. 1054–1067). https://doi.org/10.1145/2660267.2660348
Gupta, A., Ligett, K., McSherry, F., Roth, A., & Talwar, K. (2010). Differentially private combinatorial optimization. In Proceedings of the Twenty-First Annual ACM-SIAM Symposium on Discrete Algorithms (pp. 1106–1125). https://doi.org/10.1137/1.9781611973075.90
Harper, F. M., & Konstan, J. A. (2016). The movielens datasets: History and context. ACM Transactions on Interactive Intelligent Systems, 5(4), Article 19. https://doi.org/10.1145/2827872
He, X., Liao, L., Zhang, H., Nie, L., Hu, X., & Chua, T.-S. (2017). Neural collaborative filtering. In Proceedings of the 26th International Conference on World Wide Web (pp. 173–182). https://doi.org/10.1145/3038912.3052569
Hochreiter, S., & Schmidhuber, J. (1997). Long short-term memory. Neural Computation, 9(8), 1735–1780. https://doi.org/10.1162/neco.1997.9.8.1735
Hug, N. (2017). Surprise, a Python library for recommender systems. http://surpriselib.com/
Kairouz, P., Oh, S., & Viswanath, P. (2017). The composition theorem for differential privacy. In Proceedings of Machine Learning Research: Vol. 37. Proceedings of the 32nd International Conference on Machine Learning (1376–1385). http://proceedings.mlr.press/v37/kairouz15.html
Kingma, D. P., & Ba, J. (2014). Adam: A method for stochastic optimization. arXiv. https://doi.org/10.48550/arXiv.1412.6980
Kohavi, R., Sommerfield, D., & Dougherty, J. (1996). Data mining using/spl Mscr//spl Lscr//spl Cscr/++ a machine learning library in C++. In Proceedings Eighth IEEE International Conference on Tools with Artificial Intelligence (pp. 234–245). https://doi.org/10.1109/TAI.1996.560457
LeCun, Y., & Cortes, C. (2010). MNIST handwritten digit database. http://yann.lecun.com/exdb/mnist/
Lecuyer, M., Atlidakis, V., Geambasu, R., Hsu, D., & Jana, S. (2019). Certified robustness to adversarial examples with differential privacy. In 2019 IEEE Symposium on Security and Privacy (pp. 656–672). https://doi.org/10.1109/SP.2019.00044
Lee, J., & Kifer, D. (2018). Concentrated differentially private gradient descent with adaptive per-iteration privacy budget. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (pp. 1656–1665). https://doi.org/10.1145/3219819.3220076
Li, N., Qardaji, W., & Su, D. (2012). On sampling, anonymization, and differential privacy or, k-anonymization meets differential privacy. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (pp. 32–33). https://doi.org/10.1145/2414456.2414474
Liu, C., He, X., Chanyaswad, T., Wang, S., & Mittal, P. (2019). Investigating statistical privacy frameworks from the perspective of hypothesis testing. Proceedings on Privacy Enhancing Technologies, 2019(3), 233–254. https://doi.org/10.2478/popets-2019-0045
Maas, A. L., Daly, R. E., Pham, P. T., Huang, D., Ng, A. Y., & Potts, C. (2011). Learning word vectors for sentiment analysis. In Proceedings of the 49th Annual Meeting of the Association for Computational Linguistics: Human Language Technologies (pp. 142–150). https://www.aclweb.org/anthology/P11-1015.pdf
McMahan, B., Andrew, G., Mironov, I., Papernot, N., Kairouz, P., Chien, S., & Erlingsson, Ú. (2018). A general approach to adding differential privacy to iterative training procedures. arXiv. https://doi.org/10.48550/arXiv.1812.06210
McMahan, B., Ramage, D., Talwar, K., & Zhang, L. (2017). Learning differentially private recurrent language models. arXiv. https://doi.org/10.48550/arXiv.1710.06963
Mironov, I. (2017). Rényi differential privacy. In 2017 IEEE 30th Computer Security Foundations Symposium (pp. 263–275). https://doi.org/10.1109/CSF.2017.11
Murtagh, J., & Vadhan, S. (2016). The complexity of computing the optimal composition of differential privacy. In E. Kushilevitz, & T. Malkin (Eds.), Lecture Notes in Computer Science: Vol. 9562. Theory of Cryptography. TCC 2016 (pp. 157–175). https://doi.org/10.1007/978-3-662-49096-9_7
Narayanan, A., & Shmatikov, V. (2008). Robust de-anonymization of large sparse datasets. In 2008 IEEE Symposium on Security and Privacy (pp. 111–125). https://doi.org/10.1109/SP.2008.33
Papernot, N., Abadi, M., Erlingsson, U., Goodfellow, I., & Talwar, K. (2016). Semi-supervised knowledge transfer for deep learning from private training data. arXiv. https://doi.org/10.48550/arXiv.1610.05755
Papernot, N., Song, S., Mironov, I., Raghunathan, A., Talwar, K., & Erlingsson, Ú. (2018). Scalable private learning with PATE. arXiv. https://doi.org/10.48550/arXiv.1802.08908
Pichapati, V., Suresh, A. T., Yu, F. X., Reddi, S. J., & Kumar, S. (2019). AdaCliP: Adaptive clipping for private SGD. arXiv. https://doi.org/10.48550/arXiv.1908.07643
Quinlan, R. (1986). Induction of decision trees. Machine Learning, 1(1), 81–106. https://doi.org/10.1007/BF00116251
Quinlan, R. (2014). C4. 5: Programs for machine learning. Elsevier.
Rockafellar, R. T. (1970). Convex analysis (Vol. 28). Princeton University Press.
Sarwar, B. M., Karypis, G., Konstan, J. A., & Riedl, J. (2001). Item-based collaborative filtering recommendation algorithms. In Proceedings of the 10th international conference on World Wide Web: Vol 1 (pp. 285–295). Association for Computing Machinery. https://doi.org/10.1145/371920.372071
Shokri, R., & Shmatikov, V. (2015). Privacy-preserving deep learning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 1310–1321). Association for Computing Machinery. https://doi.org/10.1145/2810103.2813687
Sommer, D., Meiser, S., & Mohammadi, E. (2018). Privacy loss classes: The Central Limit Theorem in differential privacy. Proceedings on Privacy Enhancing Technologies, 2019(2), 245–269. https://doi.org/10.2478/popets-2019-0029
Song, S., Chaudhuri, K., & Sarwate, A. D. (2013). Stochastic gradient descent with differentially private updates. In 2013 IEEE Global Conference on Signal and Information Processing (pp. 245–248). https://doi.org/10.1109/GlobalSIP.2013.6736861
Sweeney, L. (1997). Weaving technology and policy together to maintain confidentiality. The Journal of Law, Medicine & Ethics, 25(2–3), 98–110. https://doi.org/10.1111/j.1748-720X.1997.tb01885.x
Tensorflow. (2019). Tensorflow privacy library. GitHub. http://github.com/tensorflow/privacy
Wang, Y.-X., Balle, B., & Kasiviswanathan, S. P. (2019). Subsampled Renyi differential privacy and analytical moments accountant. In Proceedings of Machine Learning Research: Vol. 89. The 22nd International Conference on Artificial Intelligence and Statistics (pp. 1226–1235). http://proceedings.mlr.press/v89/wang19b.html
Wasserman, L., & Zhou, S. (2010). A statistical framework for differential privacy. Journal of the American Statistical Association, 105(489), 375–389. https://doi.org/10.1198/jasa.2009.tm08651
Xiang, L., Yang, J., & Li, B. (2019). Differentially-private deep learning from an optimization perspective. In IEEE INFOCOM 2019-IEEE Conference on Computer Communications (pp. 559–567). https://doi.org/10.1109/INFOCOM.2019.8737494
Xu, Z., Shi, S., Liu, A. X., Zhao, J., & Chen, L. (2019). An adaptive and fast convergent approach to differentially private deep learning. arXiv. https://doi.org/10.48550/arXiv.1912.09150
Zhang, J., Zheng, K., Mou, W., & Wang, L. (2017). Efficient private ERM for smooth objectives. In Proceedings of the 26th International Joint Conference on Artificial Intelligence (pp. 3922–3928). https://doi.org/10.24963/ijcai.2017/548
We present the inequality (2.3) as the following proposition, which is given in Section 2 but not in the foundational work of Dong, Roth, et al. (2019).
Proposition A.1. If is -DP, and , then
Proof of Proposition A.1. We first write the two distributions and as mixtures.
Without loss of generality, we can assume and . An outcome of the process when applied to is a bit string . Bit depends on whether is selected into the subsample. We use to denote the subsample determined by . When each is sampled from a Bernoulli distribution independently, can be identified with . Let be the probability that appears. More specifically, if out of entries of is one, then . With this notation, can be written as the following mixture:
Similarly, can also be written as a mixture, with an additional bit indicating the presence of . Alternatively, we can divide the components into two groups: one with present, and the other with absent. Namely,
Note that and are neighbors, i.e, is the mixture of neighboring distributions. The following lemma is the perfect tool to deal with it.
Lemma A.2. Let be an index set. For all , and are distributions that reside on a common sample space. is a collection of non-negative numbers that sums to 1. If is a trade-off function and for all then
To apply the lemma, let the index be , be and be . Condition is a consequence of being -DP. The conclusion simply translates to
which is what we want. The proof is complete.
Proof of Lemma A.2. Let and . Suppose satisfies . That is,
It is easy to see that
We know that . Hence and so
Since is convex, Jensen’s inequality implies
Next we use a figure to justify the claim we made in Section 2.2 that “CLT
approximation works well for SGD”. Recall that we argued in Section 3 that Algorithms 1 and 2 are -DP where
This function converges to with as provided . In the following figure, we numerically compute (blue dashed) and compare it with the predicted limit (red solid). More specifically, the configuration is designed to illustrate the fast convergence in the setting of the second line of Table 1, i.e., noise scale