On the Privacy Properties of GAN-generated Samples

TL;DR

This paper explores the inherent privacy guarantees of GAN-generated samples, demonstrating they satisfy weak differential privacy under certain conditions and analyzing their robustness against membership inference attacks.

Contribution

It establishes theoretical privacy bounds for GANs based on their generalization properties and models their vulnerability to membership inference attacks.

Findings

GAN samples are (epsilon, delta)-differentially-private with delta scaling as O(n/m)

Under certain conditions, the privacy bounds are tight

Membership inference attack success scales as O(m^{-1/4})

Abstract

The privacy implications of generative adversarial networks (GANs) are a topic of great interest, leading to several recent algorithms for training GANs with privacy guarantees. By drawing connections to the generalization properties of GANs, we prove that under some assumptions, GAN-generated samples inherently satisfy some (weak) privacy guarantees. First, we show that if a GAN is trained on m samples and used to generate n samples, the generated samples are (epsilon, delta)-differentially-private for (epsilon, delta) pairs where delta scales as O(n/m). We show that under some special conditions, this upper bound is tight. Next, we study the robustness of GAN-generated samples to membership inference attacks. We model membership inference as a hypothesis test in which the adversary must determine whether a given sample was drawn from the training dataset or from the underlying data distribution. We show that this adversary can achieve an area under the ROC curve that scales no better than O(m^{-1/4}).