ExpM+NF Tractable Exponential Mechanism via Normalizing Flow, A Path through the Accuracy-Privacy Ceiling Constraining Differentially Private ML

The Exponential Mechanism (ExpM), a differentially private optimization method, promises many advantages over Differentially Private Stochastic Gradient Descent (DPSGD), the state-of-the-art (SOTA) and de facto method for differentially private machine learning (ML). Yet, ExpM has been historically stymied from differentially private training of modern ML algorithms by two obstructions: ExpM requires a sensitivity bound for the given loss function; ExpM requires sampling from a historically intractable density. We prove a sensitivity bound for $\ell(2)$ loss, and investigate using Normalizing Flows (NFs), deep networks furnishing approximate sampling from the otherwise intractable ExpM distribution. We prove that as the NF output converges to ExpM distribution, the privacy ($\varepsilon$) of an NF sample converges to that of the ExpM distribution. Under the assumption that the NF output distribution is the ExpM distribution, we empirically test ExpM+NF against DPSGD using the SOTA implementation (Opacus \cite{opacus} with PRV accounting) in multiple classification tasks on the Adult Dataset (census data) and MIMIC-III Dataset (healthcare records) using Logistic Regression and GRU-D, a deep learning recurrent neural network with \smallsim 20K-100K parameters. In all experiments we find ExpM+NF achieves greater than 94\% of the non-private training accuracy (AUC) with $\varepsilon$-DP for $\varepsilon$ a low as $1\mathrm{e}{-3}$ -- three orders of magnitude stronger privacy with similar accuracy. Further, performance results show ExpM+NF training time is comparable to (slightly less) than DPSGD. Limitations and future directions are provided; notably, research on NF approximation accuracy and its effect on privacy are a promising avenue to substantially advancing the field. Code for these experiments \hl{will be provided after review}.