Summary of Tighter Privacy Auditing Of Dp-sgd in the Hidden State Threat Model, by Tudor Cebere et al.
Tighter Privacy Auditing of DP-SGD in the Hidden State Threat Model
by Tudor Cebere, Aurélien Bellet, Nicolas Papernot
First submitted to arxiv on: 23 May 2024
Categories
- Main: Machine Learning (cs.LG)
- Secondary: Cryptography and Security (cs.CR)
GrooveSquid.com Paper Summaries
GrooveSquid.com’s goal is to make artificial intelligence research accessible by summarizing AI papers in simpler terms. Each summary below covers the same AI paper, written at different levels of difficulty. The medium difficulty and low difficulty versions are original summaries written by GrooveSquid.com, while the high difficulty version is the paper’s original abstract. Feel free to learn from the version that suits you best!
| Summary difficulty | Written by | Summary |
|---|---|---|
| High | Paper authors | High Difficulty Summary Read the original abstract here |
| Medium | GrooveSquid.com (original content) | Medium Difficulty Summary The proposed work challenges the significant gap between empirical privacy auditing and theoretical upper bounds for differentially private optimizers like DP-SGD, focusing on a hidden state threat model where the adversary has access only to the final model. To address this gap, the authors propose auditing the model by crafting gradient sequences designed to maximize the privacy loss without relying on intermediate updates. The experiments show that this approach outperforms previous attempts and advances our understanding of achievable privacy guarantees within this threat model. Specifically, concealing intermediate model updates in DP-SGD does not amplify privacy when the crafted gradient is inserted at every optimization step. However, the auditing lower bound matches the privacy upper bound only for an adversarially-chosen loss landscape and a sufficiently large batch size. |
| Low | GrooveSquid.com (original content) | Low Difficulty Summary The researchers want to make sure that machine learning models are private, which means they don’t reveal personal information about people. They’re using special algorithms called differentially private optimizers, like DP-SGD, to do this. The problem is that there’s a big gap between what we think the privacy guarantees should be and what we actually get when we test them. To fix this, the authors came up with a new way to test the model by creating fake gradient sequences that try to make the model reveal more information than it should. They found that their method works better than previous methods and helps us understand how private our models can really be. |
Keywords
» Artificial intelligence » Machine learning » Optimization
