Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The Relative Gaussian Mechanism and its Application to Private Gradient Descent

Hadrien Hendrikx, Paul Mangold, Aurélien Bellet

TL;DR

This work introduces the Relative Gaussian Mechanism (RGM), in which the variance of the noise depends on the norm of the output, and proves tight bounds on the RDP parameters under relative L2 sensitivity, and characterize the privacy loss incurred by using output-dependent noise.

Abstract

The Gaussian Mechanism (GM), which consists in adding Gaussian noise to a vector-valued query before releasing it, is a standard privacy protection mechanism. In particular, given that the query respects some L2 sensitivity property (the L2 distance between outputs on any two neighboring inputs is bounded), GM guarantees Rényi Differential Privacy (RDP). Unfortunately, precisely bounding the L2 sensitivity can be hard, thus leading to loose privacy bounds. In this work, we consider a Relative L2 sensitivity assumption, in which the bound on the distance between two query outputs may also depend on their norm. Leveraging this assumption, we introduce the Relative Gaussian Mechanism (RGM), in which the variance of the noise depends on the norm of the output. We prove tight bounds on the RDP parameters under relative L2 sensitivity, and characterize the privacy loss incurred by using output-dependent noise. In particular, we show that RGM naturally adapts to a latent variable that would control the norm of the output. Finally, we instantiate our framework to show tight guarantees for Private Gradient Descent, a problem that naturally fits our relative L2 sensitivity assumption.

The Relative Gaussian Mechanism and its Application to Private Gradient Descent

TL;DR

This work introduces the Relative Gaussian Mechanism (RGM), in which the variance of the noise depends on the norm of the output, and proves tight bounds on the RDP parameters under relative L2 sensitivity, and characterize the privacy loss incurred by using output-dependent noise.

Abstract

The Gaussian Mechanism (GM), which consists in adding Gaussian noise to a vector-valued query before releasing it, is a standard privacy protection mechanism. In particular, given that the query respects some L2 sensitivity property (the L2 distance between outputs on any two neighboring inputs is bounded), GM guarantees Rényi Differential Privacy (RDP). Unfortunately, precisely bounding the L2 sensitivity can be hard, thus leading to loose privacy bounds. In this work, we consider a Relative L2 sensitivity assumption, in which the bound on the distance between two query outputs may also depend on their norm. Leveraging this assumption, we introduce the Relative Gaussian Mechanism (RGM), in which the variance of the noise depends on the norm of the output. We prove tight bounds on the RDP parameters under relative L2 sensitivity, and characterize the privacy loss incurred by using output-dependent noise. In particular, we show that RGM naturally adapts to a latent variable that would control the norm of the output. Finally, we instantiate our framework to show tight guarantees for Private Gradient Descent, a problem that naturally fits our relative L2 sensitivity assumption.
Paper Structure (42 sections, 10 theorems, 83 equations, 2 figures)

This paper contains 42 sections, 10 theorems, 83 equations, 2 figures.

Table of Contents

  1. INTRODUCTION
  2. RELATED WORK
  3. RELATIVE L2 SENSITIVITY
  4. Examples.
  5. Links to local sensitivity.
  6. THE RELATIVE GAUSSIAN MECHANISM
  7. Mechanism and privacy guarantees
  8. Truncated Concentrated DP (tCDP).
  9. Scale of the noise.
  10. Arbitrary privacy guarantees cannot be achieved.
  11. Conversion to $(\epsilon,\delta)$-DP.
  12. Subsampling.
  13. Privacy Loss and Comparison with GM
  14. Standard vs. Relative Gaussian Mechanism.
  15. Tightness.
  16. ...and 27 more sections

Key Result

Theorem 1

Let $\mathcal{R}: \mathcal{D} \rightarrow \mathbb{R}^d$ be a query that verifies $(\eta, R_{\rm rel})$-relative L2 sensitivity (Definition def:generalized_L2) for some $\eta > 0$ and $R_{\rm rel} \ge 0$. Then for $1 \leq \alpha < (1 + \eta)^2 / (2\eta + \eta^2)$, and $\sigma^2 \geq \gamma \eta^{-2}

Figures (2)

  • Figure 1: Utility of several private gradient descent algorithms with equivalent RDP guarantees. (Left): 'Random', (Middle): 'label', (Right): 'bias'. Shaded areas are min/max values over 3 runs.
  • Figure 2: Left: HIGGS dataset, $\varepsilon=10^{-2}$, Right: ijcnn1 dataset, $\varepsilon=10^{-3}$

Theorems & Definitions (18)

  • Definition 1: Rényi Differential Privacy
  • Definition 2: Relative L2 sensitivity
  • Definition 3: Relative Gaussian Mechanism
  • Theorem 1: Privacy guarantees of ${\rm RGM}_{\gamma, \sigma}$
  • Corollary 1: Conversion to $(\epsilon,\delta)$-DP
  • Theorem 2
  • Proposition 1: Clipping
  • Proposition 2
  • Proposition 3
  • Lemma 1
  • ...and 8 more