-
Beyond the Calibration Point: Mechanism Comparison in Differential Privacy
Authors: Georgios Kaissis, Stefan Kolek, Borja Balle, Jamie Hayes, Daniel Rueckert
Abstract:
In differentially private (DP) machine learning, the privacy guarantees of DP mechanisms are often reported and compared on the basis of a single $(\varepsilon, δ)$-pair. This practice overlooks that DP guarantees can vary substantially \emph{even between mechanisms sharing a given $(\varepsilon, δ)$}, and potentially introduces privacy vulnerabilities which can remain undetected. This motivates the need for robust, rigorous methods for comparing DP guarantees in such cases. Here, we introduce the $Δ$-divergence between mechanisms which quantifies the worst-case excess privacy vulnerability of choosing one mechanism over another in terms of $(\varepsilon, δ)$, $f$-DP and in terms of a newly presented Bayesian interpretation. Moreover, as a generalisation of the Blackwell theorem, it is endowed with strong decision-theoretic foundations. Through application examples, we show that our techniques can facilitate informed decision-making and reveal gaps in the current understanding of privacy risks, as current practices in DP-SGD often result in choosing mechanisms with high excess privacy vulnerabilities.
Submitted 13 June, 2024;
originally announced June 2024.
-
Privacy Amplification by Mixing and Diffusion Mechanisms
Authors: Borja Balle, Gilles Barthe, Marco Gaboardi, Joseph Geumlek
Abstract:
A fundamental result in differential privacy states that the privacy guarantees of a mechanism are preserved by any post-processing of its output. In this paper we investigate under what conditions stochastic post-processing can amplify the privacy of a mechanism. By interpreting post-processing as the application of a Markov operator, we first give a series of amplification results in terms of uniform mixing properties of the Markov process defined by said operator. Next we provide amplification bounds in terms of coupling arguments which can be applied in cases where uniform mixing is not available. Finally, we introduce a new family of mechanisms based on diffusion processes which are closed under post-processing, and analyze their privacy via a novel heat flow argument. On the applied side, we generalize the analysis of "privacy amplification by iteration" in Noisy SGD and show it admits an exponential improvement in the strongly convex case, and study a mechanism based on the Ornstein-Uhlenbeck diffusion process which contains the Gaussian mechanism with optimal post-processing on bounded inputs as a special case.
Submitted 27 October, 2019; v1 submitted 29 May, 2019;
originally announced May 2019.
-
Diameter and Stationary Distribution of Random $r$-out Digraphs
Authors: Louigi Addario-Berry, Borja Balle, Guillem Perarnau
Abstract:
Let $D(n,r)$ be a random $r$-out regular directed multigraph on the set of vertices $\{1,\ldots,n\}$. In this work, we establish that for every $r \ge 2$, there exists $η_r>0$ such that $\text{diam}(D(n,r))=(1+η_r+o(1))\log_r{n}$. Our techniques also allow us to bound some extremal quantities related to the stationary distribution of a simple random walk on $D(n,r)$. In particular, we determine the asymptotic behaviour of $π_{\max}$ and $π_{\min}$, the maximum and the minimum values of the stationary distribution. We show that with high probability $π_{\max} = n^{-1+o(1)}$ and $π_{\min}=n^{-(1+η_r)+o(1)}$. Our proof shows that the vertices with $π(v)$ near to $π_{\min}$ lie at the top of "narrow, slippery towers", such vertices are also responsible for increasing the diameter from $(1+o(1))\log_r n$ to $(1+η_r+o(1))\log_r{n}$.
Submitted 26 April, 2015;
originally announced April 2015.