Deep Learning with Gaussian Differential Privacy

Bu, Zhiqi; Dong, Jinshuo; Long, Qi; Su, Weijie

doi:10.48550/arxiv.1911.11607

Cited by 15 publications

(29 citation statements)

References 44 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We now introduce the DP optimizers [2,1] to train the DP neural networks. One popular optimizer is the DP-SGD [55,16,3,9] in Algorithm 1 and more optimizers such as DP-Adam can be found in Appendix F. In contrast to the standard SGD, the DP-SGD has two unique steps: the per-sample clipping (to guarantee the sensitivity of per-sample gradients) and the random noise addition (to guarantee the privacy of models), both discussed in details via the Gaussian mechanism in Lemma 5.2.…”

Section: Differentially Private Gradient Methodsmentioning

confidence: 99%

“…For the same differentially private mechanism, different privacy accountants (e.g., Moments accountant [3,13], Gaussian differential privacy (GDP) [24,9], Fourier accountant [38], each based on a different composition theory) accumulate the privacy risk (σ, n, p, δ, T ) differently over T iterations. The next result shows that DP optimizers with global clipping is as private as those with local clipping, independent of the choice of the privacy accountant.…”

Section: Dp Optimizers Privacy Analysismentioning

confidence: 99%

“…These optimizers are supported in Opacus and Tensorflow Privacy libraries. The original form of DP-Adam can be found in [9].…”

Section: F4 Applying Global Clipping To Dp Optimization Algorithmsmentioning

confidence: 99%

“…To achieve this gold standard of privacy guarantee, since the seminal work [3], DP optimizers are applied to train the neural networks while preserving the accuracy of prediction. To name a few, researchers have proposed DP-SGD [3,8], DP-Adam [9], DP-SGLD [56,40], DP-FTRL [36], and DP-FedAvg [42].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

On the Convergence and Calibration of Deep Learning with Differential Privacy

Bu¹,

Wang²,

Long³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

In deep learning with differential privacy (DP), the neural network achieves the privacy usually at the cost of slower convergence (and thus lower performance) than its non-private counterpart. This work gives the first convergence analysis of the DP deep learning, through the lens of training dynamics and the neural tangent kernel (NTK). Our convergence theory successfully characterizes the effects of two key components in the DP training: the per-sample clipping (flat or layerwise) and the noise addition. Our analysis not only initiates a general principled framework to understand the DP deep learning with any network architecture and loss function, but also motivates a new clipping method -the global clipping, that significantly improves the convergence while preserving the same privacy guarantee as the existing local clipping.In terms of theoretical results, we establish the precise connection between the per-sample clipping and NTK matrix. We show that in the gradient flow, i.e., with infinitesimal learning rate, the noise level of DP optimizers does not affect the convergence. We prove that DP gradient descent (GD) with global clipping guarantees the monotone convergence to zero loss, which can be violated by the existing DP-GD with local clipping. Notably, our analysis framework easily extends to other optimizers, e.g., DP-Adam. Empirically speaking, DP optimizers equipped with global clipping perform strongly on a wide range of classification and regression tasks. In particular, our global clipping is surprisingly effective at learning calibrated classifiers, in contrast to the existing DP classifiers which are oftentimes over-confident and unreliable. Implementation-wise, the new clipping can be realized by adding one line of code into the Opacus library.

show abstract

Section: Differentially Private Gradient Methodsmentioning

confidence: 99%

Section: Dp Optimizers Privacy Analysismentioning

confidence: 99%

“…These optimizers are supported in Opacus and Tensorflow Privacy libraries. The original form of DP-Adam can be found in [9].…”

Section: F4 Applying Global Clipping To Dp Optimization Algorithmsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On the Convergence and Calibration of Deep Learning with Differential Privacy

Bu¹,

Wang²,

Long³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, there may exist strategic users who can manipulate this process to achieve their own interests, e.g., by uploading a fake model update xi = x i where x i is the true model update (omitting subscript t for notation simplicity). We account for two main types of strategic user behaviors in FL: 1) free riding [6], which generates random model parameters without actually training to save training costs, such as computing power and storage; and 2) overly privacy-preserving, which adds excessive noises to the model parameters for privacy protection [11]- [13]).…”

Section: B Undesirable User Strategiesmentioning

confidence: 99%

Data-Free Evaluation of User Contributions in Federated Learning

Lv¹,

Zheng²,

Luo³

et al. 2021

Preprint

View full text Add to dashboard Cite

Federated learning (FL) trains a machine learning model on mobile devices in a distributed manner using each device's private data and computing resources. A critical issues is to evaluate individual users' contributions so that (1) users' effort in model training can be compensated with proper incentives and (2) malicious and low-quality users can be detected and removed. The state-of-the-art solutions require a representative test dataset for the evaluation purpose, but such a dataset is often unavailable and hard to synthesize. In this paper, we propose a method called Pairwise Correlated Agreement (PCA) based on the idea of peer prediction to evaluate user contribution in FL without a test dataset. PCA achieves this using the statistical correlation of the model parameters uploaded by users. We then apply PCA to designing (1) a new federated learning algorithm called Fed-PCA, and (2) a new incentive mechanism that guarantees truthfulness. We evaluate the performance of PCA and Fed-PCA using the MNIST dataset and a large industrial product recommendation dataset. The results demonstrate that our Fed-PCA outperforms the canonical FedAvg algorithm and other baseline methods in accuracy, and at the same time, PCA effectively incentivizes users to behave truthfully.

show abstract

Christine P. Chai's Contribution to the Discussion of ‘Gaussian Differential Privacy’ by Donget al.

Chai

2021

Journal of the Royal Statistical Society Series B: Statistical Methodology

View full text Add to dashboard Cite

show abstract

Deep Learning with Gaussian Differential Privacy

Cited by 15 publications

References 44 publications

On the Convergence and Calibration of Deep Learning with Differential Privacy

On the Convergence and Calibration of Deep Learning with Differential Privacy

Data-Free Evaluation of User Contributions in Federated Learning

Christine P. Chai's Contribution to the Discussion of ‘Gaussian Differential Privacy’ by Donget al.

Contact Info

Product

Resources

About