An Improved Privacy-Preserving Stochastic Gradient Descent Algorithm

Abstract

Deep learning techniques based on neural network have made significant achievements in various fields of Artificial Intelligence. However, model training requires large-scale datasets, these datasets are crowd-sourced and model parameters will contain the encoding of private information, resulting in the risk of privacy leakage. With the trend towards sharing pre-trained models, the risk of stealing training datasets through member inference attack and model inversion attack is further heightened. To tackle this problem, we propose an improved Differential Privacy Stochastic Gradient Descent algorithm, using simulated annealing algorithm and denoising mechanism to optimize the allocation method of privacy loss and improve model accuracy. We also analyze privacy cost under random shuffle data batch processing methods in detail within the framework of Subsampled Rényi Differential Privacy. Compared with existing methods, our experiments show that we can train deep neural networks with non-convex objective function more efficiently with moderate privacy budgets.

Appendix. Proof of Theorem 1

Theorem 1.Suppose that a mechanism \(\mathcal {M}\) consists of a sequence of k adaptive mechanisms, \(\mathcal {M}_1\),...,\(\mathcal {M}_k\), where each \(\mathcal {M}_i: \prod _{j=1}^{i-1} \mathcal {R}_j\times D\rightarrow R_i\) and \(\mathcal {M}_i\) satisfies (\(\alpha ,\epsilon _i\))-RDP\((1\le i\le k)\). Let \(\mathbb {D}_1,\mathbb {D}_2,...,\mathbb {D}_k\) be the result of a randomized partitioning of the input domain \(\mathbb {D}\). The mechanism \(\mathcal {M}(D)=(\mathcal {M}_1(D\cap \mathbb {D}_1),...,\mathcal {M}_k(D\cap \mathbb {D}_k))\) satisfies

$$\begin{aligned} {\left\{ \begin{array}{ll} (\alpha ,\epsilon )-RDP, &{} \text{ if } \epsilon _i=\epsilon , \forall i \\ \underset{i}{max}(\alpha ,\epsilon _i)-RDP, &{} \text{ if } \epsilon _i\ne \epsilon _j, \text{ for } \text{ some } \text{ i,j } \end{array}\right. } \end{aligned}$$

(12)

Proof

Suppose two neighboring datasets D and \(D'\). Without loss of generality, assume that D contains one more element \(d_e\) than \(D'\). Let \(D_i=D\cap \mathbb {D}_i\) and \(D_i'= D'\cap \mathbb {D}_i\). Accordingly, there exists j such that \(D_j\) contains one more element than \(D_j'\), and for any \(i\ne j\), \(D_i= D_i'\). Consider any sequence of outcomes \(o=(o_1,...,o_k)\) of \(\mathcal {M}_1(D_1),...,\mathcal {M}_k(D_k)\).

Because only \(D_j\) is different from \(D_j'\), for any \(i\ne j\), we have \(Pr[M_i(D_i) = o_i|M_{i-1}(D_{i-1}) = o_{i-1},...,M_1(D_1) = o_1]\) equal to \(Pr[M_i(D_i') = o_i|M_{i-1}(D_{i-1}') = o_{i-1}, ... ,M_1(D_1') = o_1]\)

Then, we have

\(Z_j^{(o)}\triangleq \frac{Pr(\mathcal {M}(D)=o)}{Pr(\mathcal {M}(D')=o)}\)

\(=\frac{\prod _{i\in [n]} Pr[\mathcal {M}_i(D_i)=o_i|\mathcal {M}_{i-1}(D_{i-1})=o_{i-1},...,\mathcal {M}_1(D_1)=o_1]}{\prod _{i\in [n]}Pr[\mathcal {M}_i(D_i')=o_i|\mathcal {M}_{i-1}(D_{i-1}')=o_{i-1},...,\mathcal {M}_1(D_1')=o_1]}\)

\(=\frac{Pr[\mathcal {M}_j(D_j)=o_j|\mathcal {M}_{j-1}(D_{j-1})=o_{j-1},...,\mathcal {M}_1(D_1)=o_1]}{Pr[\mathcal {M}_j(D_j')=o_j|\mathcal {M}_{j-1}(D_{j-1}')=o_{j-1},...,\mathcal {M}_1(D_1')=o_1]}\)

\(\triangleq c_j(o_j;o_1,...,o_{j-1})\)

Once the prefix \((o_1,...,o_{j-1})\) is fixed, \(Z_j\triangleq c_j(o_j;o_1,...,o_{j-1})=\frac{Pr(\mathcal {M}_j(D_j)=o_j)}{Pr(\mathcal {M}_j(D_j')=o_j)}\)

By the \((\alpha ,\epsilon _j)\)-RDP property of \(\mathcal {M}_j\), \(D_{\alpha }\triangleq \frac{1}{\alpha -1}log\mathbb {E}[Z_j^{\alpha }]\le \epsilon \).

Because of randomized partition of the input domain \(\mathbb {D}\), the extra element \(d_e\) of D is randomly mapped to k partitions. Therefore, j is uniformly distributed over \(\{1,...,k\}\), and thus the random variable \(Z^{(o)}\) under random data partition is the mixture of independent random variables \(Z_1^{(o)},..., Z_k^{(o)}\),

\(f(Z^{(o)})=\frac{1}{k}f(Z_1^{(o)})+...+\frac{1}{k}f(Z_k^{(o)})\)

where f(X) is the probability distribution function of X.

We have

\(D_{\alpha }=\frac{1}{\alpha -1}log\mathbb {E}[(Z^{(o)})^{\alpha }]=\frac{1}{k}\sum _{j=1}^k \frac{1}{\alpha -1}log\mathbb {E}[(Z_j^{(o)})^{\alpha }]\)

Because \(Z_j^{(o)}\) satisfies RDP, by (5) then we have \(D_{\alpha }\le \frac{1}{k}\sum _{j=1}^k \epsilon _j\). If \(\forall j\ \epsilon _j=\epsilon \), we have \(D_{\alpha }\le \epsilon \), and thus the mechanism \(\mathcal {M}(D)\) satisfies \((\alpha ,\epsilon )\)-RDP.

If not all \(\epsilon _j\) are the same, we replace each \(\epsilon _j\) with \(\underset{j}{max}\epsilon _j\), we have \(D_{\alpha }=\frac{1}{\alpha -1}log\mathbb {E}[(Z^{(o)})^{\alpha }]\le \underset{j}{max}\epsilon _j\), and the mechanism \(\mathcal {M}(D)\) satisfies \((\alpha ,\underset{j}{max}\epsilon _j)\)-RDP.