Differentially Private Diffusion Models

TL;DR

The paper tackles privacy-preserving generative modeling by marrying diffusion models with differential privacy using DP-SGD, introducing DPDMs. It identifies diffusion-model parameterization and sampling as crucial in the DP setting and proposes noise multiplicity to reduce gradient variance without increasing privacy cost. Empirical results show DPDMs achieve state-of-the-art DP image synthesis on standard benchmarks and that classifiers trained on DPDM-generated data can match or exceed performance of DP-SGD-trained discriminators on real data. This work suggests DPDMs are a practical and scalable approach for private data sharing and downstream learning across privacy regimes.

Abstract

While modern machine learning models rely on increasingly large training datasets, data is often limited in privacy-sensitive domains. Generative models trained with differential privacy (DP) on sensitive data can sidestep this challenge, providing access to synthetic data instead. We build on the recent success of diffusion models (DMs) and introduce Differentially Private Diffusion Models (DPDMs), which enforce privacy using differentially private stochastic gradient descent (DP-SGD). We investigate the DM parameterization and the sampling algorithm, which turn out to be crucial ingredients in DPDMs, and propose noise multiplicity, a powerful modification of DP-SGD tailored to the training of DMs. We validate our novel DPDMs on image generation benchmarks and achieve state-of-the-art performance in all experiments. Moreover, on standard benchmarks, classifiers trained on DPDM-generated synthetic data perform on par with task-specific DP-SGD-trained classifiers, which has not been demonstrated before for DP generative models. Project page and code: https://nv-tlabs.github.io/DPDM.

Figures (19)

• Figure 1: Information flow during training in our Differentially Private Diffusion Model (DPDM) for a single training sample in green (i.e. batchsize $B{=}1$, another sample shown in blue). We rely on DP-SGD to guarantee privacy and use noise multiplicity; here, $K{=}3$. The diffusion is visualized for a one-dim. toy distribution (marginal probabilities in purple); our main experiments use high-dim. images. Note that for brevity in the visualization we dropped the index $i$, which indicates the minibatch element in \ref{['eq:noisy_objective', 'eq:noise_mult']}.
• Figure 2: Frobenius norm of the Jacobian ${\mathcal{J}}_F(\sigma)$ of the denoiser $D(\cdot, \sigma)$ and constant Frobenius norms of the Jacobians ${\mathcal{J}}_F$ of the sampling functions defined by the DM and a GAN. \ref{['sec:toy_experiments']} for experiment details.
• Figure 3: Increasing $K$ in noise multiplicity leads to significant variance reduction of parameter gradient estimates during training (note logarithmic axis in inset). Enlarged version in \ref{['fig:variance_reduction']}.
• Figure 4: Noise level sampling for different DM configs; see \ref{['sec:diffusion_backbones']}.
• Figure 5: Fashion-MNIST images generated by, from top to bottom, DP-CGAN torkzadehmahani2019dp, DP-MERF harder2022differentially, Datalens wang2021datalens, G-PATE long2019scalable, GS-WGAN chen2020gs, DP-Sinkhorn cao2021don, PEARL liew2022pearl, DPGANr bie2022private (all above bar), and our DPDM (below bar) using the privacy budget $\varepsilon{=}10$. See \ref{['sec:extended_qualitative_results']} for more samples.

Theorems & Definitions (12)

• Definition 2.1
• Theorem 1
• Theorem 2
• Definition A.1
• Theorem 3
• Theorem 4
• proof
• Definition B.1
• Definition B.2
• Definition B.3