One-shot Empirical Privacy Estimation for Federated Learning

Galen Andrew, Peter Kairouz, Sewoong Oh, Alina Oprea, H. Brendan McMahan, Vinith M. Suriyakumar

TL;DR

This work tackles the problem of efficiently auditing the privacy loss of federated learning models without retraining or task-specific assumptions. It introduces a one-shot auditing framework that inserts random canaries and uses cosine-based test statistics to estimate the DP parameter $\varepsilon$ under the Gaussian mechanism, proving asymptotic correctness in high dimensions. The method extends to FL by injecting canaries as clients and evaluating the final model leakage, demonstrating that final-model privacy can be substantially better than what would be inferred from observing all intermediate updates, while maintaining negligible impact on utility. Empirically, the approach is validated on large-scale FL benchmarks (e.g., StackOverflow and EMNIST), compares favorably to CANIFE, and provides a practical, scalable tool for production FL privacy assessment with broad applicability across architectures and participation patterns.

Abstract

Privacy estimation techniques for differentially private (DP) algorithms are useful for comparing against analytical bounds, or to empirically measure privacy loss in settings where known analytical bounds are not tight. However, existing privacy auditing techniques usually make strong assumptions on the adversary (e.g., knowledge of intermediate model iterates or the training data distribution), are tailored to specific tasks, model architectures, or DP algorithms, and/or require retraining the model many times (typically on the order of thousands). These shortcomings make deploying such techniques at scale difficult in practice, especially in federated settings where model training can take days or weeks. In this work, we present a novel "one-shot" approach that can systematically address these challenges, allowing efficient auditing or estimation of the privacy loss of a model during the same, single training run used to fit model parameters, and without requiring any a priori knowledge about the model architecture, task, or DP training algorithm. We show that our method provides provably correct estimates for the privacy loss under the Gaussian mechanism, and we demonstrate its performance on well-established FL benchmark datasets under several adversarial threat models.
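The canary-and-cosine idea summarized above, as an added Python sketch (not the paper's code): random unit canaries are summed into one Gaussian-mechanism release, and the cosines of included canaries are compared with those of held-out canaries, whose spread follows the null $\mathcal{N}(0, 1/d)$. The toy dimensions, all function names, and the equal-variance Gaussian fit in `estimate_eps` are assumptions of this example; the conversion to $\varepsilon$ uses the standard analytic $\delta(\varepsilon)$ expression for the Gaussian mechanism.

```python
import math, random
from statistics import fmean, pstdev

def phi(x):
    """Standard normal CDF via erfc, accurate in the lower tail."""
    return 0.5 * math.erfc(-x / math.sqrt(2))

def unit_vector(d, rng):
    v = [rng.gauss(0, 1) for _ in range(d)]
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]

def canary_cosines(d, k, held_out, sigma, rng):
    """Release (sum of k unit canaries + N(0, sigma^2 I)); return cosines of the
    k included canaries and of held_out canaries that were never added."""
    cans = [unit_vector(d, rng) for _ in range(k + held_out)]
    rel = [sum(c[j] for c in cans[:k]) + rng.gauss(0, sigma) for j in range(d)]
    norm = math.sqrt(sum(x * x for x in rel))
    cos = [sum(a * b for a, b in zip(c, rel)) / norm for c in cans]
    return cos[:k], cos[k:]

def gaussian_delta(eps, mu):
    """Exact delta(eps) of a Gaussian mechanism with sensitivity/noise = mu."""
    return phi(-eps / mu + mu / 2) - math.exp(eps) * phi(-eps / mu - mu / 2)

def eps_from_ratio(mu, delta, cap=512.0):
    """Smallest eps (up to cap) with gaussian_delta(eps, mu) <= delta."""
    if mu <= 0:
        return 0.0
    lo, hi = 0.0, 1.0
    while hi < cap and gaussian_delta(hi, mu) > delta:
        hi *= 2
    for _ in range(60):  # bisection on the monotone delta(eps) curve
        mid = (lo + hi) / 2
        if gaussian_delta(mid, mu) > delta:
            lo = mid
        else:
            hi = mid
    return hi

def estimate_eps(included_cosines, delta=1e-5):
    """Assumed estimator: fit N(mu_hat, sd_hat^2) to the included cosines and
    treat N(0, sd_hat^2) vs N(mu_hat, sd_hat^2) as a Gaussian mechanism."""
    mu_hat, sd_hat = fmean(included_cosines), pstdev(included_cosines)
    return eps_from_ratio(mu_hat / sd_hat, delta)

if __name__ == "__main__":
    rng = random.Random(0)  # constructed toy setting: d=500, 50 canaries
    for sigma in (0.2, 2.0):
        inc, out = canary_cosines(500, 50, 50, sigma, rng)
        print(sigma, round(pstdev(out) * math.sqrt(500), 2), round(estimate_eps(inc), 2))
```

Each printed row shows the noise level, the held-out cosine spread in units of $1/\sqrt{d}$ (close to 1), and the resulting estimate, which shrinks as the noise grows.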

Paper Structure (19 sections, 8 theorems, 28 equations, 4 figures, 7 tables, 3 algorithms)

Key Result

Proposition 3.0

For $d \in \mathbb{N}, d \geq 2$, let $c$ be sampled uniformly from $\mathbb{S}^{d-1}$, and let $\tau_d = \langle c, v \rangle/\|v\| \in [-1, 1]$ be the cosine similarity between $c$ and some arbitrary independent nonzero vector $v$. Then, the probability density function of $\tau_d$ is

Figures (4)

  • Figure 1: Density plots of cosine values of Stackoverflow models with four values of noise corresponding to analytical epsilons ($\infty$, 300, 100, 30) and four values of canary repetitions (1, 2, 4, 8). The black curve in each plot is the pdf of the null distribution ${\mathcal{N}}(0, 1/d)$. With no noise ($\varepsilon=\infty$), the distributions are easily separable, with increasing separation for more canary repetitions. At higher levels of noise, distributions are less separable, even with several repetitions.
  • Figure 2: Comparing Stackoverflow models with different numbers of canary repetitions. Blue bars are our $\varepsilon_\text{est}$ and red ticks are the $\varepsilon_\text{lo}$ 95%-confidence lower bound for four values of noise corresponding to analytical epsilons ($\infty$, 300, 100, 30) and four values of canary repetitions (1, 2, 4, 8). Note the difference of y-axis scales in each plot. Our estimate of epsilon increases sharply with the number of canary repetitions, confirming that limiting client participation improves privacy.
  • Figure 3: Comparing EMNIST models with different numbers of canary repetitions. Blue bars are our $\varepsilon_\text{est}$ and red ticks are the $\varepsilon_\text{lo}$ 95%-confidence lower bound for three noise multipliers (0.16, 0.18, 0.195) and four numbers of canary repetitions. Our estimate of epsilon increases sharply with the number of canary repetitions, confirming that limiting client participation improves privacy.
  • Figure 4: Quantiles of $\hat{\varepsilon}$ over fifty experiments using either one run with 1000 canaries or ten runs with 100 canaries each. For both noise multipliers, the distributions are very close.

Theorems & Definitions (14)

  • Definition 2.1
  • Proposition 3.0
  • Proposition 3.0
  • Theorem 3.1
  • Proposition B.0
  • proof
  • Proposition B.0
  • proof
  • Lemma B.1
  • proof
  • ...and 4 more