Spectral-DP: Differentially Private Deep Learning through Spectral Perturbation and Filtering

TL;DR

Spectral-DP introduces a spectral domain perturbation and filtering technique for differentially private deep learning, achieving better utility than traditional DP-SGD by reducing noise scale while maintaining privacy guarantees.

Contribution

The paper proposes Spectral-DP, a novel approach combining spectral domain perturbation and filtering to improve utility in differentially private deep learning models.

Findings

Spectral-DP outperforms DP-SGD in utility across benchmark datasets.

Spectral-DP achieves comparable privacy guarantees with lower noise.

The method is effective for both convolutional and fully connected layers.

Abstract

Differential privacy is a widely accepted measure of privacy in the context of deep learning algorithms, and achieving it relies on a noisy training approach known as differentially private stochastic gradient descent (DP-SGD). DP-SGD requires direct noise addition to every gradient in a dense neural network, the privacy is achieved at a significant utility cost. In this work, we present Spectral-DP, a new differentially private learning approach which combines gradient perturbation in the spectral domain with spectral filtering to achieve a desired privacy guarantee with a lower noise scale and thus better utility. We develop differentially private deep learning methods based on Spectral-DP for architectures that contain both convolution and fully connected layers. In particular, for fully connected layers, we combine a block-circulant based spatial restructuring with Spectral-DP to achieve better utility. Through comprehensive experiments, we study and provide guidelines to implement Spectral-DP deep learning on benchmark datasets. In comparison with state-of-the-art DP-SGD based approaches, Spectral-DP is shown to have uniformly better utility performance in both training from scratch and transfer learning settings.