Privacy Profiles for Private Selection
- URL: http://arxiv.org/abs/2402.06701v1
- Date: Fri, 9 Feb 2024 08:31:46 GMT
- Title: Privacy Profiles for Private Selection
- Authors: Antti Koskela, Rachel Redberg, Yu-Xiang Wang
- Abstract summary: We work out an easy-to-use recipe that bounds privacy profiles of ReportNoisyMax and PrivateTuning using the privacy profiles of the base algorithms they corral.
Our approach improves over RDP-based accounting in all regimes of interest and leads to substantial benefits in end-to-end private learning experiments.
- Score: 21.162924003105484
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Private selection mechanisms (e.g., Report Noisy Max, Sparse Vector) are
fundamental primitives of differentially private (DP) data analysis with wide
applications to private query release, voting, and hyperparameter tuning.
Recent work (Liu and Talwar, 2019; Papernot and Steinke, 2022) has made
significant progress in both generalizing private selection mechanisms and
tightening their privacy analysis using modern numerical privacy accounting
tools, e.g., Rényi DP. But Rényi DP is known to be lossy when
$(\epsilon,\delta)$-DP is ultimately needed, and there is a trend to close the
gap by directly handling privacy profiles, i.e., $\delta$ as a function of
$\epsilon$, or the equivalent dual form known as $f$-DP. In this paper, we work
out an easy-to-use recipe that bounds the privacy profiles of ReportNoisyMax
and PrivateTuning using the privacy profiles of the base algorithms they
corral. Numerically, our approach improves over the RDP-based accounting in all
regimes of interest and leads to substantial benefits in end-to-end private
learning experiments. Our analysis also suggests new distributions, e.g., the
binomial distribution for randomizing the number of rounds, which leads to more
substantial improvements in certain regimes.
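To make the selection primitive concrete, below is a minimal sketch of the classic Report Noisy Max mechanism (the standard construction, not the paper's new accounting recipe); the function name and scores are illustrative.

```python
import numpy as np

def report_noisy_max(scores, sensitivity, epsilon, rng=None):
    """Classic Report Noisy Max: add i.i.d. Laplace noise to every
    candidate score and release only the index of the noisy maximum.
    A Laplace scale of 2 * sensitivity / epsilon is a conservative
    choice yielding epsilon-DP (scale sensitivity / epsilon already
    suffices for monotone counting queries)."""
    rng = np.random.default_rng() if rng is None else rng
    noisy = np.asarray(scores, dtype=float) + rng.laplace(
        scale=2.0 * sensitivity / epsilon, size=len(scores))
    return int(np.argmax(noisy))

# Example: privately select the best of four candidates scored by
# validation counts (each count changes by at most 1 per record).
best = report_noisy_max([812, 845, 790, 841], sensitivity=1.0, epsilon=0.5)
```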
Related papers
- Provable Privacy with Non-Private Pre-Processing [56.770023668379615]
We propose a general framework to evaluate the additional privacy cost incurred by non-private data-dependent pre-processing algorithms.
Our framework establishes upper bounds on the overall privacy guarantees by utilising two new technical notions.
arXiv Detail & Related papers (2024-03-19T17:54:49Z)
- Privacy Amplification for the Gaussian Mechanism via Bounded Support [64.86780616066575]
Data-dependent privacy accounting frameworks such as per-instance differential privacy (pDP) and Fisher information loss (FIL) confer fine-grained privacy guarantees for individuals in a fixed training dataset.
We propose simple modifications of the Gaussian mechanism with bounded support, showing that they amplify privacy guarantees under data-dependent accounting.
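As a hedged illustration of "bounded support" (our reading, not necessarily the paper's exact construction), a rectified variant clamps the noisy release into a known interval:

```python
import numpy as np

def rectified_gaussian_mechanism(value, sigma, support, rng=None):
    """Add Gaussian noise, then clamp the release into a fixed interval
    (a 'rectified' Gaussian). Illustrative sketch only: the cited paper
    analyzes how such bounded support amplifies data-dependent (pDP/FIL)
    guarantees; the standard Gaussian analysis still applies as-is."""
    rng = np.random.default_rng() if rng is None else rng
    lo, hi = support
    return float(np.clip(value + rng.normal(scale=sigma), lo, hi))

# Example: release a mean that is known a priori to lie in [0, 1].
private_mean = rectified_gaussian_mechanism(0.37, sigma=0.1, support=(0.0, 1.0))
```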
arXiv Detail & Related papers (2024-03-07T21:22:07Z)
- "Private Prediction Strikes Back!" Private Kernelized Nearest Neighbors with Individual Rényi Filter [31.970442970375153]
We propose an algorithm named Individualized Nearest Neighbor (Ind-KNN) for private prediction.
Ind-KNN is easily updatable over dataset changes and allows precise control of the Rényi DP loss at an individual user level.
Our results show that Ind-KNN consistently improves accuracy over existing private prediction methods for a wide range of $\epsilon$ on four vision and language tasks.
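A minimal sketch of the nearest-neighbor private-prediction idea (our simplification; Ind-KNN's individual Rényi filter is omitted, and all names are illustrative):

```python
import numpy as np

def noisy_knn_predict(train_x, train_y, query, k, sigma, num_classes, rng=None):
    """Tally the labels of the k nearest training points and add
    Gaussian noise to the label histogram before taking the argmax.
    Simplified sketch: Ind-KNN additionally charges each contributing
    user's individual Renyi privacy filter, which is omitted here."""
    rng = np.random.default_rng() if rng is None else rng
    nearest = np.argsort(np.linalg.norm(train_x - query, axis=1))[:k]
    counts = np.bincount(train_y[nearest], minlength=num_classes).astype(float)
    return int(np.argmax(counts + rng.normal(scale=sigma, size=num_classes)))
```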
arXiv Detail & Related papers (2023-06-12T19:14:45Z)
- Analyzing Privacy Leakage in Machine Learning via Multiple Hypothesis Testing: A Lesson From Fano [83.5933307263932]
We study data reconstruction attacks for discrete data and analyze them under the framework of hypothesis testing.
We show that if the underlying private data takes values from a set of size $M$, then the target privacy parameter $\epsilon$ can be $O(\log M)$ before the adversary gains significant inferential power.
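A hedged reconstruction of the Fano-style step behind this claim (our paraphrase, not the paper's exact statement):

```latex
% If X is uniform on a set of size M and Y is the output of an
% eps-DP mechanism applied to X, the privacy loss is pointwise
% bounded by eps, which gives I(X;Y) <= eps (in nats). Fano's
% inequality then lower-bounds any reconstruction attack's error:
\[
  P_{\mathrm{err}} \;\ge\; 1 - \frac{I(X;Y) + \log 2}{\log M}
  \;\ge\; 1 - \frac{\epsilon + \log 2}{\log M},
\]
% which stays bounded away from zero until eps grows to order log M.
```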
arXiv Detail & Related papers (2022-10-24T23:50:12Z)
- TAN Without a Burn: Scaling Laws of DP-SGD [70.7364032297978]
Differentially private (DP) methods for training deep neural networks (DNNs) have progressed recently.
We decouple the privacy analysis from the experimental behavior of noisy training to explore the trade-off with minimal computational requirements.
We apply the proposed method to CIFAR-10 and ImageNet and, in particular, strongly improve the state-of-the-art on ImageNet with a +9-point gain in top-1 accuracy.
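One way to see the decoupling (a small-sampling-rate heuristic we are assuming for illustration; not the paper's accountant):

```python
def approx_rdp_epsilon(order, steps, sample_rate, sigma):
    """Heuristic RDP bound for T steps of the subsampled Gaussian
    mechanism at small sampling rate q: eps(alpha) ~ T * alpha * q^2
    / sigma^2, up to constants. Assumption for illustration only."""
    return steps * order * sample_rate ** 2 / sigma ** 2

# Halving q (batch size) and sigma together leaves the approximate
# budget unchanged -- the invariance that lets one tune hyperparameters
# in a cheap low-noise regime and transfer them to the large run.
assert abs(approx_rdp_epsilon(8, 1000, 0.01, 1.0)
           - approx_rdp_epsilon(8, 1000, 0.005, 0.5)) < 1e-12
```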
arXiv Detail & Related papers (2022-10-07T08:44:35Z)
- Individual Privacy Accounting for Differentially Private Stochastic Gradient Descent [69.14164921515949]
We characterize privacy guarantees for individual examples when releasing models trained by DP-SGD.
We find that most examples enjoy stronger privacy guarantees than the worst-case bound.
This implies that groups that are underserved in terms of model utility simultaneously experience weaker privacy guarantees.
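A hedged sketch of per-example accounting for a non-subsampled Gaussian step (our simplification; DP-SGD's subsampling amplification is deliberately ignored):

```python
import numpy as np

def individual_rdp_epsilon(order, per_step_grad_norms, clip_norm, noise_multiplier):
    """Per-example RDP for full-batch noisy SGD: each step is a Gaussian
    mechanism whose sensitivity for example i is its clipped gradient
    norm c_t, so eps_i(alpha) = sum_t alpha * c_t^2 / (2 * (noise * C)^2).
    Simplified sketch under those assumptions."""
    c = np.minimum(np.asarray(per_step_grad_norms, dtype=float), clip_norm)
    return float(order * np.sum(c ** 2) / (2.0 * (noise_multiplier * clip_norm) ** 2))

# An example whose gradients shrink early in training accrues far less
# budget than the worst-case bound, which charges clip_norm every step.
```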
arXiv Detail & Related papers (2022-06-06T13:49:37Z)
- Smoothed Differential Privacy [55.415581832037084]
Differential privacy (DP) is a widely accepted and widely applied notion of privacy based on worst-case analysis.
In this paper, we propose a natural extension of DP following the worst average-case idea behind the celebrated smoothed analysis.
We prove that any discrete mechanism with sampling procedures is more private than what DP predicts, while many continuous mechanisms with sampling procedures are still non-private under smoothed DP.
arXiv Detail & Related papers (2021-07-04T06:55:45Z)
- Optimal Accounting of Differential Privacy via Characteristic Function [25.78065563380023]
We propose a unification of recent advances (Rényi DP, privacy profiles, $f$-DP and the PLD formalism) via the characteristic function ($\phi$-function) of a certain "worst-case" privacy loss random variable.
We show that our approach allows natural adaptive composition like Rényi DP, provides exactly tight privacy accounting like PLD, and can be (often losslessly) converted to a privacy profile and $f$-DP.
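The core identity, as we read it (a paraphrase in standard notation, not the paper's exact formulation):

```latex
% Let L be the worst-case privacy loss random variable and define its
% characteristic function
\[
  \phi(t) \;=\; \mathbb{E}\!\left[ e^{\,\mathrm{i} t L} \right].
\]
% Composed mechanisms add their losses, L = L_1 + ... + L_k, so for
% independently composed worst-case losses the characteristic
% functions simply multiply, \phi(t) = \prod_{j=1}^{k} \phi_j(t),
% which is what makes lossless numerical accounting tractable.
```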
arXiv Detail & Related papers (2021-06-16T06:13:23Z)
- Output Perturbation for Differentially Private Convex Optimization with Improved Population Loss Bounds, Runtimes and Applications to Private Adversarial Training [12.386462516398469]
Finding efficient, easily implementable differentially private (DP) algorithms that offer strong excess risk bounds is an important problem in modern machine learning.
We provide the tightest known $(\epsilon, 0)$-DP population loss bounds and fastest runtimes under the presence of smoothness and strong convexity.
We apply our theory to two learning frameworks: tilted ERM and adversarial learning.
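For context, a minimal sketch of classic output perturbation (in the style of Chaudhuri et al.; the cited paper sharpens the loss bounds and runtimes rather than this mechanism itself):

```python
import numpy as np

def output_perturbation(theta_hat, lipschitz, strong_convexity, n, epsilon, rng=None):
    """Classic output perturbation for an L-Lipschitz, lambda-strongly
    convex ERM objective: the minimizer has L2 sensitivity at most
    2L / (n * lambda), and adding noise with a Gamma-distributed norm
    in a uniformly random direction yields (epsilon, 0)-DP. Sketch
    under those assumptions."""
    rng = np.random.default_rng() if rng is None else rng
    d = len(theta_hat)
    sensitivity = 2.0 * lipschitz / (n * strong_convexity)
    direction = rng.normal(size=d)
    direction /= np.linalg.norm(direction)
    radius = rng.gamma(shape=d, scale=sensitivity / epsilon)
    return np.asarray(theta_hat) + radius * direction
```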
arXiv Detail & Related papers (2021-02-09T08:47:06Z)
- Bounding, Concentrating, and Truncating: Unifying Privacy Loss Composition for Data Analytics [2.614355818010333]
We provide strong privacy loss bounds when an analyst may select pure DP, bounded range (e.g., exponential mechanisms) or concentrated DP mechanisms in any order.
We also provide optimal privacy loss bounds that apply when an analyst can select pure DP and bounded range mechanisms in a batch.
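For context, the standard composition baselines that such bounds improve on (textbook results, not the paper's new theorems):

```latex
% Composing k mechanisms that are eps_i-DP gives, by basic composition,
\[
  \epsilon_{\mathrm{total}} \;=\; \sum_{i=1}^{k} \epsilon_i ,
\]
% while advanced composition trades a small delta for a bound that
% grows like sqrt(k); for k copies of an eps-DP mechanism,
\[
  \epsilon_{\mathrm{total}} \;=\; \sqrt{2k \ln(1/\delta)}\,\epsilon
  \;+\; k\,\epsilon\,(e^{\epsilon}-1).
\]
% The cited work sharpens such bounds when pure DP, bounded-range, and
% concentrated DP mechanisms are interleaved adaptively.
```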
arXiv Detail & Related papers (2020-04-15T17:33:10Z)
This list is automatically generated from the titles and abstracts of the papers on this site.