DP-SGD Privacy Analysis is Tight!
A Google TechTalk, presented by Milad Nasr, 2020/08/21
ABSTRACT: Differentially private stochastic gradient descent (DP-SGD) provides a method to train a machine learning model on private data without revealing anything specific to that particular dataset. As a tool, differential privacy places upper bounds on the maximum amount of information that could be leaked through the training process.
This is formalized as a game where an adversary guesses whether a model was trained on a dataset D or a dataset D' that differs in just one example. If the probability the adversary succeeds at this game is sufficiently low, the training algorithm is said to satisfy differential privacy.
In our work we instantiate this hypothetical adversary who plays the distinguishing game in order to understand how the various assumptions that are made or could be made impact the empirically observed privacy. In comparison with the proofs of privacy, our adversary provides a concrete lower bound on the probability that this distinguishing game can be won.
When our adversary is given the complete capabilities assumed in the DP-SGD analysis, our lower bound is tight and matches the theoretical upper bound. However, we show that in practical settings that do not use many of the (unrealistic) adversary capabilities, our lower bound is substantially weaker than the theoretical upper bound.
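The distinguishing game from the abstract, simulated for one full-batch DP-SGD step (an added example, not code from the talk or the paper): the full-capability adversary, which knows every other gradient and plants a worst-case canary, reaches an empirical lower bound close to the tight analytic Gaussian-mechanism bound, while an adversary with a smaller canary gradient and no knowledge of the rest of the batch (modelled here as an assumed extra Gaussian term) certifies far less. The constants C, SIGMA, DELTA, the canary norms and the unknown-batch spread are assumed values, and the bound uses plain frequencies rather than confidence intervals.

```python
import bisect
import math
import random

# Added example, not the talk's code: one full-batch DP-SGD step is the Gaussian
# mechanism (clip each gradient to norm C, add N(0, (SIGMA*C)^2) noise). A canary
# example is absent (dataset D) or present (D'); the adversary guesses which.
C, SIGMA, DELTA, TRIALS = 1.0, 1.0, 0.05, 50_000  # assumed values

def phi(x):
    """Standard normal CDF."""
    return 0.5 * math.erfc(-x / math.sqrt(2))

def gaussian_epsilon(sigma, delta):
    """Theoretical upper bound: tight epsilon of the Gaussian mechanism with
    sensitivity 1 and noise std sigma (Balle & Wang 2018), found by bisection."""
    def delta_of(eps):
        return phi(0.5 / sigma - eps * sigma) - math.exp(eps) * phi(-0.5 / sigma - eps * sigma)
    lo, hi = 0.0, 50.0
    for _ in range(100):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if delta_of(mid) > delta else (lo, mid)
    return hi

def observe(rng, present, canary_norm, unknown_std):
    """Adversary's view of the update, projected onto the canary gradient direction.
    canary_norm: norm of the canary's clipped gradient (C is the worst case).
    unknown_std: spread of benign gradients it cannot subtract (0 = full knowledge)."""
    return present * canary_norm + rng.gauss(0, unknown_std) + rng.gauss(0, SIGMA * C)

def empirical_epsilon(absent, present, delta):
    """Lower bound from the game: (eps, delta)-DP forces 1 - FNR <= e^eps*FPR + delta
    and 1 - FPR <= e^eps*FNR + delta for every threshold test, so invert both."""
    absent, present, n = sorted(absent), sorted(present), len(absent)
    lo, hi = min(absent[0], present[0]), max(absent[-1], present[-1])
    best = 0.0
    for i in range(401):
        t = lo + (hi - lo) * i / 400
        fpr = (n - bisect.bisect_right(absent, t)) / n  # guess "present" when z > t
        fnr = bisect.bisect_right(present, t) / n
        for num, den in ((1 - delta - fnr, fpr), (1 - delta - fpr, fnr)):
            if num > 0 and den > 0:
                best = max(best, math.log(num / den))
    return best

def audit(canary_norm, unknown_std, seed=0):
    """Play TRIALS rounds of each world; return the empirical epsilon lower bound."""
    rng = random.Random(seed)
    absent = [observe(rng, 0, canary_norm, unknown_std) for _ in range(TRIALS)]
    present = [observe(rng, 1, canary_norm, unknown_std) for _ in range(TRIALS)]
    return empirical_epsilon(absent, present, DELTA)
```

Compare `gaussian_epsilon(SIGMA, DELTA)` with `audit(C, 0.0)` (full-capability adversary, close to the bound) and `audit(0.5 * C, 2.0)` (weaker adversary, far below it).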