Improving the Privacy and Practicality of Objective Perturbation for Differentially Private Linear Learners

TL;DR

This paper addresses the privacy-utility trade-off in differentially private learning for convex generalized linear models by reviving objective perturbation with two tight privacy analyses: a privacy-profiles-based $(\epsilon, \delta)$-DP bound and a Rényi differential privacy bound. It also extends Approximate Minima Perturbation to unbounded gradient losses via gradient clipping, links the approach to SVRG for fast optimization, and establishes a subquadratic $O(n \log n)$ computational guarantee. The authors show that, when accounting for the privacy cost of hyperparameter tuning, objective perturbation can be competitive with DP-SGD on GLMs, supported by empirical results on standard datasets. Overall, the work broadens the practical applicability of objective perturbation and provides tighter, modern privacy accounting tools for private learning.

Abstract

In the arena of privacy-preserving machine learning, differentially private stochastic gradient descent (DP-SGD) has outstripped the objective perturbation mechanism in popularity and interest. Though unrivaled in versatility, DP-SGD requires a non-trivial privacy overhead (for privately tuning the model's hyperparameters) and a computational complexity which might be extravagant for simple models such as linear and logistic regression. This paper revamps the objective perturbation mechanism with tighter privacy analyses and new computational tools that boost it to perform competitively with DP-SGD on unconstrained convex generalized linear problems.

Figures (5)

• Figure 1: Comparison of different $(\epsilon,\delta)$-bounds for objective perturbation: the $(\epsilon,\delta)$-bound by kifer2012private given in Thm. \ref{['thm:objpert_kifer_privacy']}, the RDP bound of Thm. \ref{['thm:rdp_objpert']}, the approximate DP bound of Thm. \ref{['thm:analytic_objpert_hs']} using the hockey-stick divergence and the approximate DP lower bound obtained using the hockey-stick divergence and Cor. \ref{['cor:gaussian_lower_bound']}. Left: $\sigma=5$, $\beta=1$ and $\lambda=20$. Right: $\sigma=10$, $\beta=1$ and $\lambda=5$.
• Figure 2: Comparison of Algorithm \ref{['alg:comp_objpert']} against honest and dishonest DP-SGD baselines, varying $\epsilon \in \{0.025,0.05, 0.1, 0.25, 0.5, 1.0, 2.0,4.0, 8.0\}$ and fixing $\delta=10^{-5}$. On all three methods, we train the model for each learning rate on its grid (see Table \ref{['table:parameters']}) and report the test accuracy for the best learning rate on the grid. Results are averaged over 10 trials and the error bars on both sides of the mean values depict 1.96 times the standard error, giving the asymptotic 95% coverage.
• Figure 3:
• Figure 4: Comparison of our RDP bound (implied $(\epsilon,\delta)$-DP bound) and our numerical PLRV bound \ref{['eq:omega_compositions']} for different numbers of compositions $k$, when $\sigma=8.0$, $\beta=1.0$ and $\lambda=10.0$.
• Figure 5: RDP curves of objective perturbation and DP-SGD.

Theorems & Definitions (57)

• Definition 2.1: Differential privacy
• Definition 2.2: Hockey-stick divergence
• Definition 2.3: Privacy profiles balle2018subsampling
• Lemma 2.4: zhu2021optimal
• Definition 2.5: zhu2021optimal
• Definition 2.6
• Definition 2.7: Rényi differential privacy
• Theorem 2.8: DP guarantees of objective perturbation kifer2012private
• Theorem 3.1: Approximate DP guarantees of objective perturbation for GLMs
• Theorem 3.2: RDP guarantees of objective perturbation for GLMs