Membership Inference Risks in Quantized Models: A Theoretical and Empirical Study

Eric Aubinais, Philippe Formont, Pablo Piantanida, Elisabeth Gassiat

TL;DR

This work analyzes how quantization affects membership inference risk in machine learning, deriving asymptotic MIS bounds for fixed and size-adaptive quantizers and proposing a scalable metric, $r_{\mathcal{Q}}^n$, to rank quantizers by privacy. The authors provide a practical estimation framework and validate it through synthetic data and molecular-property tasks, showing that higher sparsity can improve privacy but may degrade performance, especially in regression. The results offer a principled, asymptotically grounded approach to privacy-aware quantization design and highlight trade-offs that matter for deploying quantized models on privacy-sensitive data. Overall, the framework enables robust privacy benchmarking of PTQ techniques with tangible implications for secure model sharing and deployment.

Abstract

Quantizing machine learning models has demonstrated its effectiveness in lowering memory and inference costs while maintaining performance levels comparable to the original models. In this work, we investigate the impact of quantization procedures on the privacy of data-driven models, specifically focusing on their vulnerability to membership inference attacks. We derive an asymptotic theoretical analysis of Membership Inference Security (MIS), characterizing the privacy implications of quantized algorithm weights against the most powerful (and possibly unknown) attacks. Building on these theoretical insights, we propose a novel methodology to empirically assess and rank the privacy levels of various quantization procedures. Using synthetic datasets, we demonstrate the effectiveness of our approach in assessing the MIS of different quantizers. Furthermore, we explore the trade-off between privacy and performance using real-world data and models in the context of molecular modeling.

Paper Structure

This paper contains 50 sections, 9 theorems, 36 equations, 10 figures, 5 tables, 1 algorithm.

Key Result

Theorem 3.1

There exists a constant $C_P^1 > 0$ satisfying

Figures (10)

  • Figure 1: Stability of Privacy rankings. To obtain reliable estimates of $r_{{\mathcal{Q}}}^n$, we average its value over multiple runs $k_{\textrm{run}}$ (number of classifiers trained). The central plot illustrates how the rankings of quantizers, based on $r_{{\mathcal{Q}}}^n$, evolve with the number of runs. Each column of pie charts represents the proportion of quantizers predicted at each rank (across 100 different subsets of $k_{\textrm{run}}$ runs) with connecting lines showing shifts in predicted rankings. As the number of runs increases, the rankings stabilize, and when averaged over 50 runs, each quantizer is ranked at its final position 90% of the time (except for the 2 bits and 1.58b 33% quantizers). The top figure shows the evolution of the average Spearman correlation between $r_{{\mathcal{Q}}}^n$ (resp. the baseline's estimation of the MIS) when evaluated over $k_{\textrm{run}}\leq 100$ and $k_{\textrm{run}} =300$. The confusion matrices on the right compare rankings estimated using 300 runs to those obtained with 20 and 50 runs.
  • Figure 2: Relationship between $r_{{\mathcal{Q}}}^n$ and the MIS. Each sub-plot displays the estimated values of $r_{{\mathcal{Q}}}^n$ and the MIS for each quantizer under varying experimental configurations, with their corresponding Spearman correlation ($\rho_{sp}$). The strong correlations confirm that our method enables the comparison of different quantization techniques' security.
  • Figure 3: Impact of quantization on classification tasks. Evolution of the privacy of each downstream model $r_{{\mathcal{Q}}}^n$ along with relative performances of the quantized models compared to the original on classification task.
  • Figure 4: Impact of quantization on regression tasks. Evolution of the privacy of each downstream model $r_{{\mathcal{Q}}}^n$ along with relative performances of the quantized models compared to the original on regression task.
  • Figure 5: Illustration of the quantization functions used on the interval $[-1, 1]$.
  • ...and 5 more figures

Theorems & Definitions (24)

  • Example 2.1
  • Example 2.2: Binarized Neural Networks [wang2023bitnet]
  • Example 2.3: Vector Quantization
  • Definition 2.4: Membership Inference Attack - MIA
  • Definition 2.5: Accuracy of a given MIA
  • Definition 2.6: MIS
  • Remark 2.7
  • Theorem 3.1
  • Example 3.2: Scaling Architecture
  • Theorem 3.3
  • ...and 14 more