Fine-grained Private Knowledge Distillation

TL;DR

This paper introduces a record-level private knowledge distillation method using reverse k-NN labeling, significantly improving privacy-utility trade-offs in privacy-preserving machine learning.

Contribution

It proposes a model-free reverse k-NN labeling approach for record-level differential privacy, with theoretical error bounds and state-of-the-art experimental results.

Findings

Achieves 82.1% accuracy on CIFAR-10 with privacy budget 1.0

Attains 99.1%/95.6% accuracy on MNIST/SVHN with budget 0.1

First deep learning model with differential privacy reaching comparable accuracy with reasonable privacy levels

Abstract

Knowledge distillation has emerged as a scalable and effective way for privacy-preserving machine learning. One remaining drawback is that it consumes privacy in a model-level (i.e., client-level) manner, every distillation query incurs privacy loss of one client's all records. In order to attain fine-grained privacy accountant and improve utility, this work proposes a model-free reverse $k$-NN labeling method towards record-level private knowledge distillation, where each record is employed for labeling at most $k$ queries. Theoretically, we provide bounds of labeling error rate under the centralized/local/shuffle model of differential privacy (w.r.t. the number of records per query, privacy budgets). Experimentally, we demonstrate that it achieves new state-of-the-art accuracy with one order of magnitude lower of privacy loss. Specifically, on the CIFAR-$10$ dataset, it reaches $82.1\%$ test accuracy with centralized privacy budget $1.0$; on the MNIST/SVHN dataset, it reaches $99.1\%$/$95.6\%$ accuracy respectively with budget $0.1$. It is the first time deep learning with differential privacy achieve comparable accuracy with reasonable data privacy protection (i.e., $\exp(\epsilon)\leq 1.5$). Our code is available at https://github.com/liyuntong9/rknn.