Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Convergent Differential Privacy Analysis for General Federated Learning: the $f$-DP Perspective

Yan Sun, Li Shen, Dacheng Tao

TL;DR

This paper comprehensively evaluates the worst privacy of two classical methods under the non-convex and smooth objectives based on the $f$-DP analysis and successfully proves that privacy in {\ttfamily Noisy-FedAvg} has a tight convergent bound.

Abstract

Federated learning (FL) is an efficient collaborative training paradigm extensively developed with a focus on local privacy, and differential privacy (DP) is a classical approach to capture and ensure the reliability of private security. Their powerful cooperation provides a promising paradigm for the large-scale private clients. As a predominant implementation, the noisy perturbation has been widely studied, being theoretically proven to offer significant protections. However, existing analyses in FL-DP mostly rely on the composition theorem and cannot tightly quantify the privacy leakage challenges, which is tight for a few communication rounds but yields an arbitrarily loose and divergent bound eventually. This also implies a counterintuitive judgment, suggesting that FL-DP may not provide adequate privacy support during long-term training. To further investigate the convergent privacy and reliability of the FL-DP framework, in this paper, we comprehensively evaluate the worst privacy of two classical methods under the non-convex and smooth objectives based on the $f$-DP analysis. With the aid of the shifted interpolation technique, we successfully prove that privacy in {\ttfamily Noisy-FedAvg} has a tight convergent bound. Moreover, with the regularization of the proxy term, privacy in {\ttfamily Noisy-FedProx} has a stable constant lower bound. Our analysis further demonstrates a solid theoretical foundation for the reliability of privacy in FL-DP. Meanwhile, our conclusions can also be losslessly converted to other classical DP analytical frameworks, e.g. $(ε,δ)$-DP and R$\acute{\text{e}}$nyi-DP (RDP).

Convergent Differential Privacy Analysis for General Federated Learning: the $f$-DP Perspective

TL;DR

This paper comprehensively evaluates the worst privacy of two classical methods under the non-convex and smooth objectives based on the -DP analysis and successfully proves that privacy in {\ttfamily Noisy-FedAvg} has a tight convergent bound.

Abstract

Federated learning (FL) is an efficient collaborative training paradigm extensively developed with a focus on local privacy, and differential privacy (DP) is a classical approach to capture and ensure the reliability of private security. Their powerful cooperation provides a promising paradigm for the large-scale private clients. As a predominant implementation, the noisy perturbation has been widely studied, being theoretically proven to offer significant protections. However, existing analyses in FL-DP mostly rely on the composition theorem and cannot tightly quantify the privacy leakage challenges, which is tight for a few communication rounds but yields an arbitrarily loose and divergent bound eventually. This also implies a counterintuitive judgment, suggesting that FL-DP may not provide adequate privacy support during long-term training. To further investigate the convergent privacy and reliability of the FL-DP framework, in this paper, we comprehensively evaluate the worst privacy of two classical methods under the non-convex and smooth objectives based on the -DP analysis. With the aid of the shifted interpolation technique, we successfully prove that privacy in {\ttfamily Noisy-FedAvg} has a tight convergent bound. Moreover, with the regularization of the proxy term, privacy in {\ttfamily Noisy-FedProx} has a stable constant lower bound. Our analysis further demonstrates a solid theoretical foundation for the reliability of privacy in FL-DP. Meanwhile, our conclusions can also be losslessly converted to other classical DP analytical frameworks, e.g. -DP and Rnyi-DP (RDP).
Paper Structure (24 sections, 15 theorems, 69 equations, 3 figures, 7 tables, 1 algorithm)

This paper contains 24 sections, 15 theorems, 69 equations, 3 figures, 7 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Notation definitions
  4. General FL-DP framework
  5. $f$-DP and its fundamental properties
  6. Convergent Privacy
  7. Privacy under shifted interpolation
  8. Sensitivity under splitting operators
  9. Selection on the observation point $t_0$
  10. Convergent privacy
  11. Related Work
  12. Federated Learning.
  13. Differential Privacy.
  14. FL-DP.
  15. Experiments
  16. ...and 9 more sections

Key Result

Lemma 5

If a randomized mechanism $\mathcal{M}$ is $f$-DP, any post processing mechanism based on $\mathcal{M}$ is still at least $f$-DP, i.e. $T(P';Q')\geq T(P;Q)$ for any post-processing mapping which leads to $P\rightarrow P'$ and $Q\rightarrow Q'$.

Figures (3)

  • Figure 1: The illustrative diagram of the splitting operators. We denote $\varepsilon$ as the data of $\phi(\cdot)$ process and $\varepsilon'$ as the data of $\phi'(\cdot)$. The green points show the auxiliary sequence.
  • Figure 2: Sensitivity studies on Noisy-FedAvg and Noisy-FedProx. The general setups are $m=20$, $K=5$, and $V=10$. In each group, we only change the variable in the legend, keeping all other parameters fixed to ensure fairness.
  • Figure 3: Four general setups of learning rate adopted in the federated learning community. From left to right, they are: Constant learning rates, Cyclically decaying learning rates, Stage-wise decaying learning rate, and Continuously decaying learning rate.

Theorems & Definitions (22)

  • Definition 1
  • Definition 2
  • Definition 3: Trade-off function
  • Definition 4: $f$-DP and GDP
  • Lemma 5: Post-processing
  • Lemma 6: Composition
  • Lemma 7: GDP $\rightarrow$ $(\epsilon,\delta)$-DP
  • Lemma 8: GDP $\rightarrow$ RDP
  • Theorem 10
  • Remark 11
  • ...and 12 more