Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

On the Query Complexity of Training Data Reconstruction in Private Learning

Prateeti Mukherjee, Satya Lokam

TL;DR

The paper addresses training data reconstruction attacks by quantifying how many queries a whitebox adversary must make to reconstruct training samples when the learner is differentially private, Rényi-DP, or metric-DP. It develops non-asymptotic, minimax-optimal lower bounds on the adversary's query complexity across DP settings for arbitrary compact metric spaces and extends to Rényi DP and Metric DP on locally compact spaces, revealing explicit dependence on privacy parameters, target reconstruction tolerance, and geometric complexity. The results show tight bounds, nearly matching upper bounds achieved by classical privacy mechanisms, and they generalize beyond bounded Euclidean domains to unbounded metric spaces with dimension-like terms governing the difficulty of reconstruction. Practically, this work provides a principled auditing framework for private learners and clarifies how privacy parameters constrain reconstruction risks in a broad range of data domains and learning paradigms.

Abstract

We analyze the number of queries that a whitebox adversary needs to make to a private learner in order to reconstruct its training data. For $(ε, δ)$ DP learners with training data drawn from any arbitrary compact metric space, we provide the \emph{first known lower bounds on the adversary's query complexity} as a function of the learner's privacy parameters. \emph{Our results are minimax optimal for every $ε\geq 0, δ\in [0, 1]$, covering both $ε$-DP and $(0, δ)$ DP as corollaries}. Beyond this, we obtain query complexity lower bounds for $(α, ε)$ Rényi DP learners that are valid for any $α> 1, ε\geq 0$. Finally, we analyze data reconstruction attacks on locally compact metric spaces via the framework of Metric DP, a generalization of DP that accounts for the underlying metric structure of the data. In this setting, we provide the first known analysis of data reconstruction in unbounded, high dimensional spaces and obtain query complexity lower bounds that are nearly tight modulo logarithmic factors.

On the Query Complexity of Training Data Reconstruction in Private Learning

TL;DR

The paper addresses training data reconstruction attacks by quantifying how many queries a whitebox adversary must make to reconstruct training samples when the learner is differentially private, Rényi-DP, or metric-DP. It develops non-asymptotic, minimax-optimal lower bounds on the adversary's query complexity across DP settings for arbitrary compact metric spaces and extends to Rényi DP and Metric DP on locally compact spaces, revealing explicit dependence on privacy parameters, target reconstruction tolerance, and geometric complexity. The results show tight bounds, nearly matching upper bounds achieved by classical privacy mechanisms, and they generalize beyond bounded Euclidean domains to unbounded metric spaces with dimension-like terms governing the difficulty of reconstruction. Practically, this work provides a principled auditing framework for private learners and clarifies how privacy parameters constrain reconstruction risks in a broad range of data domains and learning paradigms.

Abstract

We analyze the number of queries that a whitebox adversary needs to make to a private learner in order to reconstruct its training data. For DP learners with training data drawn from any arbitrary compact metric space, we provide the \emph{first known lower bounds on the adversary's query complexity} as a function of the learner's privacy parameters. \emph{Our results are minimax optimal for every , covering both -DP and DP as corollaries}. Beyond this, we obtain query complexity lower bounds for Rényi DP learners that are valid for any . Finally, we analyze data reconstruction attacks on locally compact metric spaces via the framework of Metric DP, a generalization of DP that accounts for the underlying metric structure of the data. In this setting, we provide the first known analysis of data reconstruction in unbounded, high dimensional spaces and obtain query complexity lower bounds that are nearly tight modulo logarithmic factors.
Paper Structure (41 sections, 20 theorems, 79 equations, 1 algorithm)

This paper contains 41 sections, 20 theorems, 79 equations, 1 algorithm.

Table of Contents

  1. Introduction
  2. Contributions
  3. Reconstruction Attacks on $(\epsilon, \delta)$ Differentially Private Learners
  4. Reconstruction Attacks on $(\alpha, \epsilon)$-Rényi DP Learners
  5. Metric Differential Privacy and Reconstruction Attacks on Locally Compact Spaces
  6. Notation and Preliminaries
  7. Differential Privacy
  8. Metric Differential Privacy
  9. Formalizing Data Reconstruction Attacks as a Privacy Game
  10. Data Reconstruction Attacks against Differentially Private Learners
  11. Applicability and Minimax Optimality
  12. Bounded Domain Assumption
  13. Comparison to Prior Work
  14. Invalid Lower Bound
  15. Restriction to compact subsets of $\mathbb{R}^d$
  16. ...and 26 more sections

Key Result

Theorem 1

Let $\mathcal{M}$ be an $(\epsilon, \delta)$-DP learning algorithm whose training data is supported on a compact metric space $(\mathcal{Z}, \rho)$. Then, any data reconstruction adversary $\mathcal{A}$ needs to make at least $\Omega(\tfrac{\ln(\mathsf{diam}(\mathcal{Z})^2/\beta^2)}{\ln(\tfrac{e^\ep

Theorems & Definitions (33)

  • Theorem 1: DRAs on DP Learners (Informal)
  • Theorem 2: DRAs on Metric DP Learners (Informal)
  • Definition 3: Packing Number (Wainwright2019)
  • Definition 4: Pure Differential Privacy (Dwork2017)
  • Definition 5: Rényi Differential Privacy (Mironov2017)
  • Definition 6: Approximate Differential Privacy(dwork2006approx)
  • Definition 7: Metric Differential Privacy (Chatzikokolakis2013)
  • Remark 8
  • Theorem 9: Query Complexity Lower Bounds for $(\epsilon, \delta)$-DP Learners
  • Theorem 10: Upper Bound for $(\epsilon, \delta)$-DP Learners
  • ...and 23 more