Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A General Approach to Adding Differential Privacy to Iterative Training Procedures

H. Brendan McMahan, Galen Andrew, Ulfar Erlingsson, Steve Chien, Ilya Mironov, Nicolas Papernot, Peter Kairouz

TL;DR

This work addresses the challenge of adding differential privacy to iterative training on privacy-sensitive data by introducing a modular framework that decouples training, privacy mechanism configuration, and accounting. It generalizes the Gaussian mechanism and the Moments Accountant to handle multiple heterogeneous vector groups with either separate or joint clipping, and introduces a privacy ledger to enable post hoc, robust DP accounting. Key contributions include two vector-group DP mechanisms (separate and joint clipping), a composition method transforming multiple groups into a single Gaussian sum query, hyperparameter and sampling-policy strategies, and an integration path via TensorFlow Privacy. The approach enables practical, flexible, and provable privacy guarantees for complex training procedures, including federated settings, by preserving modularity and allowing reprocessing as tighter DP bounds are discovered.

Abstract

In this work we address the practical challenges of training machine learning models on privacy-sensitive datasets by introducing a modular approach that minimizes changes to training algorithms, provides a variety of configuration strategies for the privacy mechanism, and then isolates and simplifies the critical logic that computes the final privacy guarantees. A key challenge is that training algorithms often require estimating many different quantities (vectors) from the same set of examples --- for example, gradients of different layers in a deep learning architecture, as well as metrics and batch normalization parameters. Each of these may have different properties like dimensionality, magnitude, and tolerance to noise. By extending previous work on the Moments Accountant for the subsampled Gaussian mechanism, we can provide privacy for such heterogeneous sets of vectors, while also structuring the approach to minimize software engineering challenges.

A General Approach to Adding Differential Privacy to Iterative Training Procedures

TL;DR

This work addresses the challenge of adding differential privacy to iterative training on privacy-sensitive data by introducing a modular framework that decouples training, privacy mechanism configuration, and accounting. It generalizes the Gaussian mechanism and the Moments Accountant to handle multiple heterogeneous vector groups with either separate or joint clipping, and introduces a privacy ledger to enable post hoc, robust DP accounting. Key contributions include two vector-group DP mechanisms (separate and joint clipping), a composition method transforming multiple groups into a single Gaussian sum query, hyperparameter and sampling-policy strategies, and an integration path via TensorFlow Privacy. The approach enables practical, flexible, and provable privacy guarantees for complex training procedures, including federated settings, by preserving modularity and allowing reprocessing as tighter DP bounds are discovered.

Abstract

In this work we address the practical challenges of training machine learning models on privacy-sensitive datasets by introducing a modular approach that minimizes changes to training algorithms, provides a variety of configuration strategies for the privacy mechanism, and then isolates and simplifies the critical logic that computes the final privacy guarantees. A key challenge is that training algorithms often require estimating many different quantities (vectors) from the same set of examples --- for example, gradients of different layers in a deep learning architecture, as well as metrics and batch normalization parameters. Each of these may have different properties like dimensionality, magnitude, and tolerance to noise. By extending previous work on the Moments Accountant for the subsampled Gaussian mechanism, we can provide privacy for such heterogeneous sets of vectors, while also structuring the approach to minimize software engineering challenges.

Paper Structure

This paper contains 18 sections, 4 equations, 1 table.

Table of Contents

  1. Introduction
  2. Privacy mechanisms for a group of vectors
  3. Separate clipping and noise parameters.
  4. Joint clipping.
  5. Composing privacy guarantees for multiple vector groups
  6. Hyperparameter selection strategies
  7. Choosing $\sigma_g$ and $S_g$.
  8. Sampling policies
  9. Minibatches are i.i.d. samples.
  10. Minibatches are equally sized and independent.
  11. Minibatches are equally sized and disjoint.
  12. Privacy ledger
  13. TensorFlow Privacy
  14. Floating-point arithmetic and randomness source
  15. Floating-point arithmetic.
  16. ...and 3 more sections

Theorems & Definitions (1)

  • Definition 1