Deep Learning with Gaussian Differential Privacy

TL;DR

This paper introduces an $f$-differential privacy framework for deep learning that provides more precise privacy guarantees during training, enabling better model accuracy while maintaining privacy constraints.

Contribution

It applies $f$-differential privacy to neural network training, deriving tractable privacy bounds for SGD and Adam without complex techniques, improving privacy analysis over prior methods.

Findings

Improved privacy guarantees for neural network training.

Enhanced model accuracy by tuning privacy parameters.

Validated results across image, text, and recommender system tasks.

Abstract

Deep learning models are often trained on datasets that contain sensitive information such as individuals' shopping transactions, personal contacts, and medical records. An increasingly important line of work therefore has sought to train neural networks subject to privacy constraints that are specified by differential privacy or its divergence-based relaxations. These privacy definitions, however, have weaknesses in handling certain important primitives (composition and subsampling), thereby giving loose or complicated privacy analyses of training neural networks. In this paper, we consider a recently proposed privacy definition termed \textit{$f$-differential privacy} [18] for a refined privacy analysis of training neural networks. Leveraging the appealing properties of $f$-differential privacy in handling composition and subsampling, this paper derives analytically tractable expressions for the privacy guarantees of both stochastic gradient descent and Adam used in training deep neural networks, without the need of developing sophisticated techniques as [3] did. Our results demonstrate that the $f$-differential privacy framework allows for a new privacy analysis that improves on the prior analysis~[3], which in turn suggests tuning certain parameters of neural networks for a better prediction accuracy without violating the privacy budget. These theoretically derived improvements are confirmed by our experiments in a range of tasks in image classification, text classification, and recommender systems. Python code to calculate the privacy cost for these experiments is publicly available in the \texttt{TensorFlow Privacy} library.