Bringing Differential Private SGD to Practice: On the Independence of Gaussian Noise and the Number of Training Rounds

Different from existing Differential Privacy (DP) accountants, we introduce pro-active DP. Existing DP accountants keep track of how privacy budget has been spent while pro-active DP is a scheme that allows one to {\it a-priori} select parameters of DP-SGD based on a fixed privacy budget (in terms of $\epsilon$ and $\delta$) in such a way to optimize the anticipated utility (test accuracy) the most. To implement this idea, we show how to convert the classical DP moment accountant to a pro-active DP by exploiting the fact that it has a simple close form for computing spent privacy budget for a given interaction round. The DP moment accountant is introduced in context of DP-SGD and has the following property which is the key ingredient to build pro-active DP. In DP-SGD each round communicates a local SGD update which leaks some new information about the underlying local data set to the outside world. In order to provide privacy, Gaussian noise with standard deviation $\sigma$ is added to local SGD updates after performing a clipping operation and normalizing with the clipping constant. We show that for attaining $(\epsilon,\delta)$-differential privacy $\sigma$ can be chosen equal to $\sqrt{2(\epsilon +\ln(1/\delta))/\epsilon}$ for $\epsilon=\Omega(T/N^2)$, where $T$ is the total number of rounds and $N$ is equal to the size of the local data set. In many existing machine learning problems, $N$ is always large and $T=O(N)$. Hence, $\sigma$ becomes ``independent'' of any $T=O(N)$ choice with $\epsilon=\Omega(1/N)$. This means that our {\em $\sigma$ only depends on $N$ rather than $T$}. We show how this differential privacy characterization allows us to convert DP moment accountant to a pro-active DP.