Auditing mechanisms for differential privacy use probabilistic means to empirically estimate the privacy level of an algorithm. For private machine learning, existing auditing mechanisms are tight: the empirical privacy estimate (nearly) matches the algorithm's provable privacy guarantee. But these auditing techniques suffer from two limitations. First, they only give tight estimates under implausible worst-case assumptions (e.g., a fully adversarial dataset). Second, they require thousands or millions of training runs to produce non-trivial statistical estimates of the privacy leakage. This work addresses both issues. We design an improved auditing scheme that yields tight privacy estimates for natural (not adversarially crafted) datasets -- if the adversary can see all model updates during training. Prior auditing works rely on the same assumption, which is permitted under the standard differential privacy threat model. This threat model is also applicable, e.g., in federated learning settings. Moreover, our auditing scheme requires only two training runs (instead of thousands) to produce tight privacy estimates, by adapting recent advances in tight composition theorems for differential privacy. We demonstrate the utility of our improved auditing schemes by surfacing implementation bugs in private machine learning code that eluded prior auditing techniques.
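To make the notion of an empirical privacy estimate concrete, here is an added Python example (not code from the paper or its authors). It implements the classic hypothesis-testing audit that the abstract contrasts its two-run scheme with: many independent runs of a mechanism on two neighbouring datasets (with and without an adversary-chosen canary), a distinguishing attack on the released update, exact confidence bounds on the attack's false-positive and false-negative rates, and the resulting lower bound on epsilon. The mechanism audited is a single noisy update of one-dimensional DP-SGD (a Gaussian mechanism), so the adversary sees the full update as the threat model permits. The claimed guarantee is computed with the analytic Gaussian bound. To show the bug-surfacing use the abstract mentions, the same audit is run against a constructed bug in which the canary gradient bypasses clipping. Every function name, parameter value, threshold, and the bug itself are assumptions chosen for illustration.

```python
"""Hypothesis-test audit of one DP-SGD step (Gaussian mechanism), plus a constructed bug."""
import math
import random


def _phi(x):
    """Standard normal CDF."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def gaussian_delta(eps, sensitivity, std):
    """delta(eps) of the Gaussian mechanism (analytic Gaussian mechanism bound)."""
    a = sensitivity / (2.0 * std)
    b = eps * std / sensitivity
    return _phi(a - b) - math.exp(eps) * _phi(-a - b)


def analytic_gaussian_epsilon(sensitivity, std, delta):
    """Smallest eps for which the Gaussian mechanism is (eps, delta)-DP, by bisection."""
    lo, hi = 0.0, 50.0
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if gaussian_delta(mid, sensitivity, std) > delta:
            lo = mid
        else:
            hi = mid
    return hi


def binom_cdf(k, n, p):
    """P[Bin(n, p) <= k], summed in log space; uses the complement when k is large."""
    if k < 0:
        return 0.0
    if k >= n or p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 0.0
    if k > n // 2:
        return 1.0 - binom_cdf(n - k - 1, n, 1.0 - p)
    lp, lq, lg = math.log(p), math.log1p(-p), math.lgamma(n + 1)
    return min(1.0, sum(math.exp(lg - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                                 + i * lp + (n - i) * lq) for i in range(k + 1)))


def clopper_pearson_upper(k, n, alpha):
    """One-sided exact (Clopper-Pearson) upper confidence bound on a rate with k of n hits."""
    if k >= n:
        return 1.0
    lo, hi = k / n, 1.0
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if binom_cdf(k, n, mid) > alpha:  # mid is still plausible, so the bound lies above it
            lo = mid
        else:
            hi = mid
    return hi


def clip_1d(g, clip_norm):
    """Per-example gradient clipping in one dimension."""
    return g if abs(g) <= clip_norm else math.copysign(clip_norm, g)


def noisy_update(rng, canary_included, canary_grad, clip_norm, sigma, clip_canary):
    """One DP-SGD step on a 1-D model. The other examples contribute identically on both
    neighbouring datasets and are known to the adversary, so their sum is dropped (zero).
    clip_canary=False is the constructed bug: the canary gradient bypasses clipping."""
    g = canary_grad if canary_included else 0.0
    if clip_canary:
        g = clip_1d(g, clip_norm)
    return g + rng.gauss(0.0, sigma * clip_norm)


def audit(rng, mechanism, n_trials, thresholds, delta, alpha):
    """Empirical lower bound on eps. The adversary guesses 'canary included' when the
    update exceeds t. Any (eps, delta)-DP mechanism satisfies FPR + e^eps * FNR >= 1 - delta
    and the symmetric inequality, so upper confidence bounds on FPR and FNR bound eps from
    below. alpha is split over both bounds and all thresholds (Bonferroni), so scanning
    thresholds on the same samples keeps the overall confidence at 1 - alpha."""
    without = [mechanism(rng, False) for _ in range(n_trials)]
    with_c = [mechanism(rng, True) for _ in range(n_trials)]
    alpha_each = alpha / (2 * len(thresholds))
    best = 0.0
    for t in thresholds:
        fp = sum(1 for y in without if y > t)
        fn = sum(1 for y in with_c if y <= t)
        fpr_u = clopper_pearson_upper(fp, n_trials, alpha_each)
        fnr_u = clopper_pearson_upper(fn, n_trials, alpha_each)
        for num, den in ((1.0 - delta - fnr_u, fpr_u), (1.0 - delta - fpr_u, fnr_u)):
            if num > 0.0 and den > 0.0:
                best = max(best, math.log(num / den))
    return best


def run_audit(seed=0, n_trials=3000):
    """Audit a correct and a buggy implementation of the same claimed guarantee."""
    rng = random.Random(seed)
    clip_norm, sigma, delta = 1.0, 1.0, 1e-5  # assumed parameters
    canary_grad = 10.0  # adversary-chosen canary, far above the clipping norm
    thresholds = [1.0, 2.0, 3.0, 4.0]

    def correct(r, inc):
        return noisy_update(r, inc, canary_grad, clip_norm, sigma, clip_canary=True)

    def buggy(r, inc):
        return noisy_update(r, inc, canary_grad, clip_norm, sigma, clip_canary=False)

    return {
        "theory": analytic_gaussian_epsilon(clip_norm, sigma * clip_norm, delta),
        "correct": audit(rng, correct, n_trials, thresholds, delta, alpha=0.05),
        "buggy": audit(rng, buggy, n_trials, thresholds, delta, alpha=0.05),
    }


if __name__ == "__main__":
    r = run_audit()
    print(f"claimed eps {r['theory']:.2f}; audited correct >= {r['correct']:.2f}; "
          f"audited buggy >= {r['buggy']:.2f}")
```

The correct implementation audits to a lower bound well under the claimed epsilon, which is exactly the looseness the abstract attributes to this style of audit on one step, whereas the unclipped canary pushes the empirical bound above the claimed guarantee and flags the implementation. Note that this scheme needs thousands of runs of the mechanism to get non-trivial confidence bounds; the two-run scheme the abstract describes is a different construction and is not reproduced here.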