Privacy for Free in the Overparameterized Regime

TL;DR

This paper demonstrates that in over-parameterized models, differential privacy can be achieved without sacrificing performance, especially in the random features model with quadratic loss, challenging previous beliefs about privacy and model size.

Contribution

It provides theoretical evidence that over-parameterization can enable privacy for free in certain models, even under strong privacy constraints.

Findings

Privacy can be achieved for free in over-parameterized regimes.

Over-parameterization does not necessarily degrade private learning performance.

Results hold for both constant and strongly private settings.

Abstract

Differentially private gradient descent (DP-GD) is a popular algorithm to train deep learning models with provable guarantees on the privacy of the training data. In the last decade, the problem of understanding its performance cost with respect to standard GD has received remarkable attention from the research community, which formally derived upper bounds on the excess population risk $R_{P}$ in different learning settings. However, existing bounds typically degrade with over-parameterization, i.e., as the number of parameters $p$ gets larger than the number of training samples $n$ -- a regime which is ubiquitous in current deep-learning practice. As a result, the lack of theoretical insights leaves practitioners without clear guidance, leading some to reduce the effective number of trainable parameters to improve performance, while others use larger models to achieve better results through scale. In this work, we show that in the popular random features model with quadratic loss, for any sufficiently large $p$, privacy can be obtained for free, i.e., $\left|R_{P} \right| = o(1)$, not only when the privacy parameter $\varepsilon$ has constant order, but also in the strongly private setting $\varepsilon = o(1)$. This challenges the common wisdom that over-parameterization inherently hinders performance in private learning.