Private Language Models via Truncated Laplacian Mechanism

Tianhao Huang, Tao Yang, Ivan Habernal, Lijie Hu, Di Wang

TL;DR

This paper proposes a novel private embedding method, the high dimensional truncated Laplacian mechanism, a non-trivial extension of the truncated Laplacian mechanism, which was previously investigated only in the one-dimensional case.

Abstract

Deep learning models for NLP tasks are prone to variants of privacy attacks. To prevent privacy leakage, researchers have investigated word-level perturbations, relying on the formal guarantees of differential privacy (DP) in the embedding space. However, many existing approaches either achieve unsatisfactory performance in the high privacy regime when using the Laplacian or Gaussian mechanism, or resort to weaker relaxations of DP that are inferior to the canonical DP in terms of privacy strength. This raises the question of whether a new method for private word embedding can be designed to overcome these limitations. In this paper, we propose a novel private embedding method called the high dimensional truncated Laplacian mechanism. Specifically, we introduce a non-trivial extension of the truncated Laplacian mechanism, which was previously only investigated in one-dimensional space cases. Theoretically, we show that our method has a lower variance compared to the previous private word embedding methods. To further validate its effectiveness, we conduct comprehensive experiments on private embedding and downstream tasks using three datasets. Remarkably, even in the high privacy regime, our approach only incurs a slight decrease in utility compared to the non-private scenario.

Paper Structure

This paper contains 20 sections, 4 theorems, 17 equations, 6 figures, 5 tables, 1 algorithm.

Key Result

Theorem 1

Let $\operatorname{CLIPEmb}(\mathbf{w}) \in \mathbb{R}^d$ denote the clipped embedding vector with threshold $C$. Then the mechanism $\mathcal{A}_{lap}(w)=\operatorname{CLIPEmb}(w)+\eta_1$ is $\epsilon$-DP, where $\eta_1=(\eta_{1,1},\cdots, \eta_{1, d})$ and $\eta_{i,j}$ is drawn from a Laplacia

Figures (6)

  • Figure 1: An example of (private) text re-write for different mechanisms with $\epsilon=0.1$.
  • Figure 2: Privacy Test. Curves of the value $N_w$ with privacy budget $\epsilon$ for Yelp dataset.
  • Figure 3: Privacy-Utility Test. Curves of Loss, Rouge1 and BERTScore with different privacy budget $\epsilon$ for Yelp (Upper) and Yahoo (Lower) datasets.
  • Figure 4: Classification accuracy for all experimental settings. Each set of data is the average result of five experiments. We have included the baseline accuracy in parentheses in the subtitle of each subfigure.
  • Figure 5: Privacy Test. Curves of $N_w$ value w.r.t. privacy budget $\epsilon$ for Yahoo dataset.
  • ...and 1 more figure

Theorems & Definitions (9)

  • Definition 1
  • Definition 2
  • Theorem 1: Laplacian Mechanism
  • Theorem 2: Gaussian Mechanism
  • Remark 1
  • Theorem 3
  • Theorem 4
  • Proof 1: Proof of Theorem \ref{thm:1}
  • Proof 2: Proof of Theorem \ref{thm:2}