Bits for Privacy: Evaluating Post-Training Quantization via Membership Inference

TL;DR

This paper systematically investigates how post-training quantization of neural networks impacts privacy leakage, revealing that lower bit-widths can significantly reduce membership inference vulnerability at some utility cost.

Contribution

It is the first comprehensive study analyzing the privacy-utility trade-off in post-training quantization using membership inference attacks across multiple algorithms and datasets.

Findings

Lower-precision PTQs reduce privacy leakage significantly.

Quantizing only the last layer offers fine control over privacy-utility balance.

Lower-precision models show up to tenfold reduction in membership inference vulnerability.

Abstract

Deep neural networks are widely deployed with quantization techniques to reduce memory and computational costs by lowering the numerical precision of their parameters. While quantization alters model parameters and their outputs, existing privacy analyses primarily focus on full-precision models, leaving a gap in understanding how bit-width reduction can affect privacy leakage. We present the first systematic study of the privacy-utility relationship in post-training quantization (PTQ), a versatile family of methods that can be applied to pretrained models without further training. Using membership inference attacks as our evaluation framework, we analyze three popular PTQ algorithms-AdaRound, BRECQ, and OBC-across multiple precision levels (4-bit, 2-bit, and 1.58-bit) on CIFAR-10, CIFAR-100, and TinyImageNet datasets. Our findings consistently show that low-precision PTQs can reduce privacy leakage. In particular, lower-precision models demonstrate up to an order of magnitude reduction in membership inference vulnerability compared to their full-precision counterparts, albeit at the cost of decreased utility. Additional ablation studies on the 1.58-bit quantization level show that quantizing only the last layer at higher precision enables fine-grained control over the privacy-utility trade-off. These results offer actionable insights for practitioners to balance efficiency, utility, and privacy protection in real-world deployments.