Efficient Public Verification of Private ML via Regularization

Zoë Ruha Bell, Anvith Thudi, Olive Franzese-McLaughlin, Nicolas Papernot, Shafi Goldwasser

TL;DR

This work addresses the problem of publicly verifying differential privacy guarantees for models trained on private data, showing that black-box auditing can be unreliable due to backdoors. It introduces a near-optimal DP-SCO algorithm whose privacy guarantees can be certified with substantially less computation than training, by modifying phased empirical risk minimization and relying on standard DP composition. The authors prove a DP verification protocol requiring only $n$ gradients and $d \cdot \lceil \log_2(n) \rceil$ Gaussian random variable commitments, and they demonstrate practical verification costs and an extension to convex unlearning. The results offer a feasible path to public DP verification on large datasets and may influence verification approaches for DP-like guarantees beyond the studied setting.

Abstract

Training with differential privacy (DP) provides a guarantee to members in a dataset that they cannot be identified by users of the released model. However, those data providers, and, in general, the public, lack methods to efficiently verify that models trained on their data satisfy DP guarantees. The amount of compute needed to verify DP guarantees for current algorithms scales with the amount of compute required to train the model. In this paper we design the first DP algorithm with near optimal privacy-utility trade-offs but whose DP guarantees can be verified cheaper than training. We focus on DP stochastic convex optimization (DP-SCO), where optimal privacy-utility trade-offs are known. Here we show we can obtain tight privacy-utility trade-offs by privately minimizing a series of regularized objectives and only using the standard DP composition bound. Crucially, this method can be verified with much less compute than training. This leads to the first known DP-SCO algorithm with near optimal privacy-utility whose DP verification scales better than training cost, significantly reducing verification costs on large datasets.

Paper Structure

This paper contains 31 sections, 9 theorems, 3 equations, 1 figure, 2 tables, 6 algorithms.

Key Result

Theorem 1.1

Under the assumption that digital signatures exist, for any $(\epsilon,\delta)$-DP algorithm $T$ (see Definition def:approx_dp) there exists an algorithm $T'$ which is computationally indistinguishable from $T$ when queried post-training, but reveals the dataset to privileged entities who know the bac

Figures (1)

  • Figure 1: Across both the number of features ($d$) and the dataset size ($n$), the cost of verifying the $n$ gradients in the verifier algorithm (alg:phased_erm_verifier) dominates the cost of verifying the $d \cdot \lceil \log_2(n) \rceil$ Gaussian RVs. We assume default MNIST parameters ($d = 784$, $n = 60000$) and vary one of the parameters. The Gaussian RV runtimes are reported assuming an average $\sigma = 1$ across phases.

Theorems & Definitions (22)

  • Theorem 1.1: Undetectable DP Backdoor (Informal)
  • Theorem 1.2: Faster Convex DP Certification (Informal)
  • Definition 1: $(\epsilon,\delta)$-DP
  • Definition 2: Digital Signature Schemes
  • Definition 3: Certified Differential Privacy (informal, see BGKW-Certified-Probabilistic-Mechanisms-2024)
  • Theorem 3.1
  • Theorem 4.1
  • Theorem 4.2: Theorem 4.8 in feldman2020private
  • Lemma 4.1
  • Definition 4: $(\epsilon,\delta)$-Unlearning
  • ...and 12 more