Verifiable and Provably Secure Machine Unlearning
- URL: http://arxiv.org/abs/2210.09126v2
- Date: Mon, 20 Mar 2023 19:22:58 GMT
- Title: Verifiable and Provably Secure Machine Unlearning
- Authors: Thorsten Eisenhofer, Doreen Riepel, Varun Chandrasekaran, Esha Ghosh,
Olga Ohrimenko, Nicolas Papernot
- Abstract summary: Machine unlearning aims to remove points from the training dataset of a machine learning model after training.
We present the first cryptographic definition of verifiable unlearning to capture the guarantees of a machine unlearning system.
We implement the protocol for three different unlearning techniques to validate its feasibility for linear regression, logistic regression, and neural networks.
- Score: 37.353982787321385
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Machine unlearning aims to remove points from the training dataset of a
machine learning model after training; for example when a user requests their
data to be deleted. While many machine unlearning methods have been proposed,
none of them enable users to audit the procedure. Furthermore, recent work
shows a user is unable to verify if their data was unlearnt from an inspection
of the model alone. Rather than reasoning about model parameters, we propose to
view verifiable unlearning as a security problem. To this end, we present the
first cryptographic definition of verifiable unlearning to formally capture the
guarantees of a machine unlearning system. In this framework, the server first
computes a proof that the model was trained on a dataset $D$. Given a user data
point $d$ requested to be deleted, the server updates the model using an
unlearning algorithm. It then provides a proof of the correct execution of
unlearning and that $d \notin D'$, where $D'$ is the new training dataset. Our
framework is generally applicable to different unlearning techniques that we
abstract as admissible functions. We instantiate the framework, based on
cryptographic assumptions, using SNARKs and hash chains. Finally, we implement
the protocol for three different unlearning techniques (retraining-based,
amnesiac, and optimization-based) to validate its feasibility for linear
regression, logistic regression, and neural networks.
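The abstract describes the protocol only at a high level. As a loose illustration, and not the authors' implementation, the following minimal Python sketch shows how a hash-chain commitment to the training set and a non-membership check on the deleted point could fit together; the dataset names, the SHA-256 choice, and the naive revealed-dataset check are assumptions standing in for the paper's SNARK proofs.

```python
import hashlib


def h(data: bytes) -> bytes:
    """SHA-256, used here as the commitment hash (an illustrative choice)."""
    return hashlib.sha256(data).digest()


def commit_dataset(points: list[bytes]) -> bytes:
    """Hash-chain commitment to an ordered dataset: c_i = H(c_{i-1} || H(d_i))."""
    c = b"\x00" * 32  # genesis value
    for d in points:
        c = h(c + h(d))
    return c


# --- toy protocol flow (hypothetical data) ---------------------------------
D = [b"alice", b"bob", b"carol"]      # training dataset
c_D = commit_dataset(D)               # published alongside the training proof

d = b"bob"                            # user requests deletion of d
D_new = [p for p in D if p != d]      # unlearning: here, simple removal
c_D_new = commit_dataset(D_new)       # published alongside the unlearning proof

# Naive verification stand-in: recompute the commitment and check d is absent.
# In the paper, a SNARK proves these statements without revealing D_new.
assert commit_dataset(D_new) == c_D_new and d not in D_new
```

In the actual protocol the server would not reveal the updated dataset; a SNARK instead proves both the correct execution of the unlearning algorithm and that the deleted point is absent from the committed dataset.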
Related papers
- RESTOR: Knowledge Recovery through Machine Unlearning [71.75834077528305]
Large language models trained on web-scale corpora can memorize undesirable datapoints.
Many machine unlearning methods have been proposed that aim to 'erase' these datapoints from trained models.
We propose the RESTOR framework for machine unlearning, characterized along several evaluation dimensions.
arXiv Detail & Related papers (2024-10-31T20:54:35Z) - Attribute-to-Delete: Machine Unlearning via Datamodel Matching [65.13151619119782]
Machine unlearning -- efficiently removing the influence of a small "forget set" of training data from a pre-trained machine learning model -- has recently attracted interest.
Recent research shows, however, that existing machine unlearning techniques do not hold up in such challenging evaluation settings.
arXiv Detail & Related papers (2024-10-30T17:20:10Z) - Can Membership Inferencing be Refuted? [31.31060116447964]
We study the reliability of membership inference attacks in practice.
We show that a model owner can plausibly refute the result of a membership inference test on a data point $x$ by constructing a proof of repudiation.
Our results call for a re-evaluation of the implications of membership inference attacks in practice.
arXiv Detail & Related papers (2023-03-07T04:36:35Z) - Learning to Unlearn: Instance-wise Unlearning for Pre-trained
Classifiers [71.70205894168039]
We consider instance-wise unlearning, whose goal is to delete information on a set of instances from a pre-trained model.
We propose two methods that reduce forgetting on the remaining data: 1) utilizing adversarial examples to overcome forgetting at the representation-level and 2) leveraging weight importance metrics to pinpoint network parameters guilty of propagating unwanted information.
arXiv Detail & Related papers (2023-01-27T07:53:50Z) - Zero-Shot Machine Unlearning [6.884272840652062]
Modern privacy regulations grant citizens the right to be forgotten by products, services and companies.
In this zero-shot setting, no data related to the training process or to the training samples is accessible for unlearning.
We propose two novel solutions for zero-shot machine unlearning based on (a) error minimizing-maximizing noise and (b) gated knowledge transfer.
arXiv Detail & Related papers (2022-01-14T19:16:09Z) - On the Necessity of Auditable Algorithmic Definitions for Machine
Unlearning [13.149070833843133]
Machine unlearning, i.e. having a model forget about some of its training data, has become increasingly important as privacy legislation promotes variants of the right-to-be-forgotten.
We first show that the definition that underlies approximate unlearning, which seeks to prove the approximately unlearned model is close to an exactly retrained model, is incorrect because one can obtain the same model using different datasets.
We then turn to exact unlearning approaches and ask how to verify their claims of unlearning.
arXiv Detail & Related papers (2021-10-22T16:16:56Z) - Machine Unlearning of Features and Labels [72.81914952849334]
We propose the first method for unlearning features and labels in machine learning models.
Our approach builds on the concept of influence functions and realizes unlearning through closed-form updates of model parameters (a generic sketch of such an update appears after this list).
arXiv Detail & Related papers (2021-08-26T04:42:24Z) - SSSE: Efficiently Erasing Samples from Trained Machine Learning Models [103.43466657962242]
We propose an efficient and effective algorithm, SSSE, for sample erasure.
In certain cases SSSE can erase samples almost as well as the optimal, yet impractical, gold standard of training a new model from scratch with only the permitted data.
arXiv Detail & Related papers (2021-07-08T14:17:24Z) - Supervised Machine Learning with Plausible Deniability [1.685485565763117]
We study the question of how well machine learning (ML) models trained on a certain data set provide privacy for the training data.
We show that, given a target model $f$, one can take a set of purely random training data and from it define a suitable "learning rule" that will produce an ML model that is exactly $f$.
arXiv Detail & Related papers (2021-06-08T11:54:51Z)
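For the influence-function-based unlearning summarized above (Machine Unlearning of Features and Labels), the listing gives no formulas. As a generic illustration rather than the authors' exact method, here is a minimal NumPy sketch, under assumed notation, of a closed-form first-order influence update that approximately removes one training point from an L2-regularized logistic regression model:

```python
import numpy as np


def sigmoid(t):
    return 1.0 / (1.0 + np.exp(-t))


def influence_unlearn(theta, X, y, idx, lam=1e-2):
    """Approximately remove training point `idx` from an L2-regularized
    logistic regression model via a closed-form influence update:
        theta' ~ theta + (1/n) * H^{-1} * grad_loss(z, theta),
    where H is the Hessian of the regularized empirical risk at theta.
    Labels y are assumed to be in {-1, +1}. First-order approximation only.
    """
    n, d = X.shape
    p = sigmoid(X @ theta)                       # predicted probabilities
    W = p * (1.0 - p)                            # per-point Hessian weights
    H = (X.T * W) @ X / n + lam * np.eye(d)      # Hessian of regularized risk
    x_z, y_z = X[idx], y[idx]                    # point to forget
    grad_z = -y_z * x_z * sigmoid(-y_z * (x_z @ theta))  # loss gradient at z
    return theta + np.linalg.solve(H, grad_z) / n
```

Because the update is only a first-order approximation of the retrained minimizer, retraining from scratch on the remaining points remains the gold standard for exact removal.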