The Normal Distributions Indistinguishability Spectrum and its Application to Privacy-Preserving Machine Learning

TL;DR

This paper introduces the Normal Distributions Indistinguishability Spectrum (NDIS), a closed-form method to analyze privacy guarantees of Gaussian-output algorithms, enabling tighter privacy bounds and auditing tools.

Contribution

The authors develop NDIS, a novel analytical framework for computing privacy parameters of Gaussian-output algorithms, improving privacy proofs and mechanisms in machine learning.

Findings

Derived a closed-form hockey-stick divergence for Gaussian distributions.

Proved tighter privacy bounds for random projection algorithms.

Provided a practical auditing tool for Gaussian-output algorithms.

Abstract

We investigate the privacy of {\em any} algorithm whose outputs have Gaussian distribution. This work is motivated by the prevalence of such algorithms in several useful (ML) applications, and the comparatively little research that focuses on privacy-preserving learning outside of adding Gaussian noise to the data (such as DP-SGD). {\em What is the DP of any algorithm with multivariate Gaussian output?} We answer the above research question with a general lemma which we call {\em Normal Distributions Indistinguishability Spectrum} (NDIS), a closed-form analytic computation of the hockey-stick divergence $\delta$ between an arbitrary pair of multivariate Gaussians, parameterized by privacy parameter $\epsilon$. To show its practical implications, we prove several properties of our NDIS lemma. These properties form a {\em toolbox} of results which lead to potentially {\em easier} privacy proofs for any Gaussian-output algorithm. As an example application of our toolbox, we prove a tighter parametrisation of the privacy of {\em random projection (RP)}, and obtaining from it a more noise-frugal DP mechanism. Beyond random projection, NDIS can be used to lift {\em any} Gaussian-output algorithm with a `sensitivity' (which we define) to a Gaussian-output DP mechanism. The mechanism boosts the existing randomness in the algorithm, so that one can describe the mechanism's privacy as the IS between a single pair of Gaussians, which can then be analyzed via NDIS. Lastly, we leverage the connections between NDIS and the CDF of the generalized $\chi^2$ distribution (which have efficient empirical estimators) to present a tool for white-box auditing of Gaussian-output algorithms.