Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Closed-Form Bounds for DP-SGD against Record-level Inference

Giovanni Cherubin, Boris Köpf, Andrew Paverd, Shruti Tople, Lukas Wutschitz, Santiago Zanella-Béguelin

TL;DR

This work introduces a threat-specific privacy analysis for DP-SGD by framing it as an information-theoretic channel and deriving closed-form Bayes-security bounds against membership and attribute inference. By approximating intermediate gradients as Gaussian and reducing to two worst-case challenge points, the authors obtain a tractable bound: $\beta^*(P_{O|S}) \ge 1 - \mathrm{erf}\left( p\,\Delta_f /(2\sqrt{2}\,\sigma\,C)\right) - O\left(\sqrt{pT}/\sigma\right)$, with $\Delta_f$ capturing gradient sensitivity across secrets. They specialize this bound to MIA (yielding $\beta^* \ge 1 - \mathrm{erf}( p\sqrt{T}/(\sqrt{2}\,\sigma) ) - O(\sqrt{pT}/\sigma)$) and AI (data-dependent bounds using the gradient-sensitivity vector $R$), compare against DP-accountants, and demonstrate efficiency, tightness, and utility implications on Adult and Purchase datasets. The results show AI is substantially more secure than MIA in many settings and enable interactive parameter tuning, while revealing potential privacy-utility gains when weaker threats are acceptable. The framework also discusses inference-time attackers and future directions for improving bounds with influence-function-based and taint-analysis approaches.

Abstract

Machine learning models trained with differentially-private (DP) algorithms such as DP-SGD enjoy resilience against a wide range of privacy attacks. Although it is possible to derive bounds for some attacks based solely on an $(\varepsilon,δ)$-DP guarantee, meaningful bounds require a small enough privacy budget (i.e., injecting a large amount of noise), which results in a large loss in utility. This paper presents a new approach to evaluate the privacy of machine learning models against specific record-level threats, such as membership and attribute inference, without the indirection through DP. We focus on the popular DP-SGD algorithm, and derive simple closed-form bounds. Our proofs model DP-SGD as an information theoretic channel whose inputs are the secrets that an attacker wants to infer (e.g., membership of a data record) and whose outputs are the intermediate model parameters produced by iterative optimization. We obtain bounds for membership inference that match state-of-the-art techniques, whilst being orders of magnitude faster to compute. Additionally, we present a novel data-dependent bound against attribute inference. Our results provide a direct, interpretable, and practical way to evaluate the privacy of trained models against specific inference threats without sacrificing utility.

Closed-Form Bounds for DP-SGD against Record-level Inference

TL;DR

This work introduces a threat-specific privacy analysis for DP-SGD by framing it as an information-theoretic channel and deriving closed-form Bayes-security bounds against membership and attribute inference. By approximating intermediate gradients as Gaussian and reducing to two worst-case challenge points, the authors obtain a tractable bound: , with capturing gradient sensitivity across secrets. They specialize this bound to MIA (yielding ) and AI (data-dependent bounds using the gradient-sensitivity vector ), compare against DP-accountants, and demonstrate efficiency, tightness, and utility implications on Adult and Purchase datasets. The results show AI is substantially more secure than MIA in many settings and enable interactive parameter tuning, while revealing potential privacy-utility gains when weaker threats are acceptable. The framework also discusses inference-time attackers and future directions for improving bounds with influence-function-based and taint-analysis approaches.

Abstract

Machine learning models trained with differentially-private (DP) algorithms such as DP-SGD enjoy resilience against a wide range of privacy attacks. Although it is possible to derive bounds for some attacks based solely on an -DP guarantee, meaningful bounds require a small enough privacy budget (i.e., injecting a large amount of noise), which results in a large loss in utility. This paper presents a new approach to evaluate the privacy of machine learning models against specific record-level threats, such as membership and attribute inference, without the indirection through DP. We focus on the popular DP-SGD algorithm, and derive simple closed-form bounds. Our proofs model DP-SGD as an information theoretic channel whose inputs are the secrets that an attacker wants to infer (e.g., membership of a data record) and whose outputs are the intermediate model parameters produced by iterative optimization. We obtain bounds for membership inference that match state-of-the-art techniques, whilst being orders of magnitude faster to compute. Additionally, we present a novel data-dependent bound against attribute inference. Our results provide a direct, interpretable, and practical way to evaluate the privacy of trained models against specific inference threats without sacrificing utility.
Paper Structure (41 sections, 15 theorems, 39 equations, 10 figures, 1 table, 4 algorithms)

This paper contains 41 sections, 15 theorems, 39 equations, 10 figures, 1 table, 4 algorithms.

Table of Contents

  1. Introduction
  2. Threat-agnostic.
  3. Implementation challenges.
  4. Our approach.
  5. Background and Preliminaries
  6. DP-SGD
  7. Threat Models
  8. The Bayes security metric
  9. Bayes Security.
  10. Proof Strategy and Main Result
  11. All You Need Is Two Points ...
  12. ... and Intermediate Gradients
  13. Bayes Security of DP-SGD
  14. The total variation between two Gaussians.
  15. Main result.
  16. ...and 26 more sections

Key Result

Theorem 1

Bayes security is achieved on (equivalently, the generalized advantage is maximized on) a uniform prior on two secrets: where $u_{s_0, s_1}$ is a uniform prior on two secrets $s_0, s_1 \in \mathbb{S}\xspace$, i.e., $Pr[S=s_0] = Pr[S=s_1] = 1/2$, and $Pr[S=s] = 0$$\forall s \neq s_0, s_1$.

Figures (10)

  • Figure 1: Bayes Security ($\beta^*$) of DP-SGD against MIA and AI on the Adult and Purchase datasets, w.r.t. the accuracy of the model; a higher $\beta^*$ means a more secure model. When possible, picking the weaker AI threat model enables achieving a better privacy-utility trade-off. For reference, we report the corresponding $(\varepsilon, \delta)$-DP (dashed green line), for $\delta=3.8\times 10^{-6}$ (Adult) and $\delta=4\times 10^{-7}$ (Purchase).
  • Figure 2: We compare the error induced by approximating a mixture of Gaussians with a Gaussian (\ref{['thm:small-approximation-error']}). The error, measured as the total variation between the original and approximate distributions, is computed via numerical integration for a fixed $T=1$. A small ratio between the sampling rate $p\xspace$ and the noise parameter $\sigma$ ensure the error is negligible.
  • Figure 3: Bayes security against MIA: picking the noise and sampling rate to achieve a desired level of security ($T=5k$).
  • Figure 4: Approximation error between our bound (\ref{['thm:mia']}) and the PLD accountant, w.r.t. the noise level $\sigma$ and the number of epochs ($p\xspace T$), with a sample rate $p\xspace = 0.001$. The error is measured as the absolute difference between the two estimates. A label for the error is shown only if it is $\geq 0.01$.
  • Figure 5: Computational cost of our bound (\ref{['thm:mia']}) and the PLD accountant, w.r.t. the number of epochs, with a sample rate $p\xspace = 0.001$. The time is measured in seconds.
  • ...and 5 more figures

Theorems & Definitions (20)

  • Theorem 1: Bayes security and advantage chatzikokolakis2020bayes
  • Corollary 2: Consequence of Theorem 4 in chatzikokolakis2020bayes
  • Proposition 3: Bayes security and total variation chatzikokolakis2020bayes
  • Proposition 3
  • Corollary 4: From Barsov:1987, Theorem 1
  • Theorem 5
  • Corollary 5
  • Proposition 6: Bayes security and $(0, \delta)$-LDP chatzikokolakis2020bayes
  • Proposition 6
  • Corollary 6
  • ...and 10 more