15,167 research outputs found
On the Interaction Between Differential Privacy and Gradient Compression in Deep Learning
While differential privacy and gradient compression are separately
well-researched topics in machine learning, the study of the interaction between
these two topics is still relatively new. We perform a detailed empirical study
on how the Gaussian mechanism for differential privacy and gradient compression
jointly impact test accuracy in deep learning. The existing literature in
gradient compression mostly evaluates compression in the absence of
differential privacy guarantees, and demonstrates that sufficiently high
compression rates reduce accuracy. Similarly, existing literature in
differential privacy evaluates privacy mechanisms in the absence of
compression, and demonstrates that sufficiently strong privacy guarantees
reduce accuracy. In this work, we observe that while gradient compression generally
has a negative impact on test accuracy in non-private training, it can
sometimes improve test accuracy in differentially private training.
Specifically, we observe that when employing aggressive sparsification or rank
reduction to the gradients, test accuracy is less affected by the Gaussian
noise added for differential privacy. These observations are explained through
an analysis of how differential privacy and compression affect the bias and
variance in estimating the average gradient. We follow this study with a
recommendation on how to improve test accuracy in the context of
differentially private deep learning and gradient compression. We evaluate this
proposal and find that it can reduce the negative impact of noise added by
differential privacy mechanisms on test accuracy by up to 24.6%, and reduce the
negative impact of gradient sparsification on test accuracy by up to 15.1%.
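The interplay described above can be sketched concretely: per-example gradients are clipped, averaged, perturbed with Gaussian noise, and then aggressively sparsified. This is an illustrative sketch only; the function and parameter names are assumptions, not taken from the paper. Note that applying top-k *after* the noise keeps the differential-privacy guarantee, since DP is closed under post-processing.

```python
import numpy as np

def dp_sparsified_mean_gradient(grads, clip_norm=1.0, noise_mult=1.0, k=10, rng=None):
    """Hypothetical sketch: Gaussian-mechanism DP averaging followed by
    top-k sparsification. All names and defaults here are illustrative."""
    rng = rng if rng is not None else np.random.default_rng(0)
    # Clip each per-example gradient to bound its L2 sensitivity.
    clipped = [g * min(1.0, clip_norm / max(np.linalg.norm(g), 1e-12)) for g in grads]
    avg = np.mean(clipped, axis=0)
    # Gaussian mechanism: noise scale proportional to sensitivity / batch size.
    sigma = clip_norm * noise_mult / len(grads)
    noisy = avg + rng.normal(0.0, sigma, size=avg.shape)
    # Aggressive sparsification: keep only the k largest-magnitude coordinates.
    out = np.zeros_like(noisy)
    idx = np.argsort(np.abs(noisy))[-k:]
    out[idx] = noisy[idx]
    return out
```

The abstract's observation is that, with aggressive sparsification (small k), the surviving coordinates are the large-magnitude ones, for which the added Gaussian noise is relatively less damaging.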
Private Model Compression via Knowledge Distillation
The soaring demand for intelligent mobile applications calls for deploying
powerful deep neural networks (DNNs) on mobile devices. However, the
outstanding performance of DNNs notoriously relies on increasingly complex
models, which in turn is associated with an increase in computational expense
far surpassing mobile devices' capacity. What is worse, app service providers
need to collect and utilize a large volume of users' data, which contain
sensitive information, to build the sophisticated DNN models. Directly
deploying these models on public mobile devices presents prohibitive privacy
risk. To benefit from the on-device deep learning without the capacity and
privacy concerns, we design a private model compression framework RONA.
Following the knowledge distillation paradigm, we jointly use hint learning,
distillation learning, and self learning to train a compact and fast neural
network. The knowledge distilled from the cumbersome model is adaptively
bounded and carefully perturbed to enforce differential privacy. We further
propose an elegant query sample selection method to reduce the number of
queries and control the privacy loss. A series of empirical evaluations as well
as the implementation on an Android mobile device show that RONA can not only
compress cumbersome models efficiently but also provide a strong privacy
guarantee. For example, on SVHN, when a meaningful
-differential privacy is guaranteed, the compact model trained
by RONA can obtain a 20× compression ratio and a 19× speed-up with
merely 0.97% accuracy loss. Comment: Conference version accepted by AAAI'19.
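The "adaptively bounded and carefully perturbed" step can be illustrated as follows. This is not RONA's exact procedure; the bound, noise scale, and function names are placeholder assumptions, and RONA's adaptive bounding and privacy accounting are more involved.

```python
import numpy as np

def perturb_teacher_logits(logits, bound=2.0, sigma=0.5, rng=None):
    """Illustrative sketch (not RONA's exact method): clip the teacher's
    logits to [-bound, bound] to cap the sensitivity of each query, then add
    Gaussian noise so the student only ever sees differentially private
    knowledge from the cumbersome model."""
    rng = rng if rng is not None else np.random.default_rng(0)
    clipped = np.clip(logits, -bound, bound)
    return clipped + rng.normal(0.0, sigma, size=np.shape(logits))
```

The compact student network would then be trained to match these noisy logits via a distillation loss, so the privacy cost is paid per teacher query rather than per model parameter, which is why reducing the number of queries (as RONA's sample selection does) also controls the privacy loss.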
Differential Privacy, Linguistic Fairness, and Training Data Influence: Impossibility and Possibility Theorems for Multilingual Language Models
Language models such as mBERT, XLM-R, and BLOOM aim to achieve multilingual
generalization or compression to facilitate transfer to a large number of
(potentially unseen) languages. However, these models should ideally also be
private, linguistically fair, and transparent, by relating their predictions to
training data. Can these requirements be simultaneously satisfied? We show that
multilingual compression and linguistic fairness are compatible with
differential privacy, but that differential privacy is at odds with training
data influence sparsity, an objective for transparency. We further present a
series of experiments on two common NLP tasks and evaluate multilingual
compression and training data influence sparsity under different privacy
guarantees, exploring these trade-offs in more detail. Our results suggest that
we need to develop ways to jointly optimize for these objectives in order to
find practical trade-offs. Comment: ICML 2023.
Breaking the Communication-Privacy-Accuracy Tradeoff with f-Differential Privacy
We consider a federated data analytics problem in which a server coordinates
the collaborative data analysis of multiple users with privacy concerns and
limited communication capability. The commonly adopted compression schemes
introduce information loss into local data while improving communication
efficiency, and it remains an open problem whether such discrete-valued
mechanisms provide any privacy protection. In this paper, we study the local
differential privacy guarantees of discrete-valued mechanisms with finite
output space through the lens of f-differential privacy (f-DP). More
specifically, we advance the existing literature by deriving tight f-DP
guarantees for a variety of discrete-valued mechanisms, including the binomial
noise and the binomial mechanisms that are proposed for privacy preservation,
and the sign-based methods that are proposed for data compression, in
closed-form expressions. We further investigate the amplification in privacy by
sparsification and propose a ternary stochastic compressor. By leveraging
compression for privacy amplification, we improve the existing methods by
removing the dependency of accuracy (in terms of mean square error) on
communication cost in the popular use case of distributed mean estimation,
therefore breaking the three-way tradeoff between privacy, communication, and
accuracy. Finally, we discuss the Byzantine resilience of the proposed
mechanism and its application in federated learning.
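A ternary stochastic compressor of the kind described can be sketched as an unbiased three-level quantizer. The construction below is a standard one; the paper's compressor and its f-DP analysis are more refined, and the parameter names here are assumptions.

```python
import numpy as np

def ternary_compress(x, B=1.0, rng=None):
    """Unbiased ternary quantizer: each coordinate with |x_i| <= B is sent as
    +B or -B with probability |x_i|/B, and as 0 otherwise, so E[out] = x.
    The three-level output is cheap to communicate, and the zeros act as
    sparsification, which the paper shows can amplify privacy."""
    rng = rng if rng is not None else np.random.default_rng(0)
    p = np.abs(x) / B                        # probability of sending a sign
    keep = rng.random(np.shape(x)) < p
    return np.where(keep, B * np.sign(x), 0.0)
```

Because each output coordinate takes one of only three values, it can be encoded in under two bits, while the randomness of the mapping contributes to the privacy guarantee.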
Private Federated Learning with Autotuned Compression
We propose new techniques for reducing communication in private federated
learning without the need for setting or tuning compression rates. Our
on-the-fly methods automatically adjust the compression rate based on the error
induced during training, while maintaining provable privacy guarantees through
the use of secure aggregation and differential privacy. Our techniques are
provably instance-optimal for mean estimation, meaning that they can adapt to
the "hardness of the problem" with minimal interactivity. We demonstrate the
effectiveness of our approach on real-world datasets by achieving favorable
compression rates without the need for tuning. Comment: Accepted to ICML 2023.
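A minimal sketch of error-driven rate adaptation is given below. This is not the paper's instance-optimal mechanism; the function names and the doubling/halving rule are illustrative assumptions only.

```python
import numpy as np

def topk_rel_error(x, k):
    """Relative L2 error induced by keeping only the k largest-magnitude entries."""
    idx = np.argsort(np.abs(x))[-k:]
    xhat = np.zeros_like(x)
    xhat[idx] = x[idx]
    return np.linalg.norm(x - xhat) / max(np.linalg.norm(x), 1e-12)

def adjust_k(k, rel_error, target=0.1, d=1000):
    """Toy on-the-fly rule: double k when the compression error overshoots
    the target, halve it when there is slack. The paper's method is provably
    instance-optimal; this rule only illustrates the feedback idea."""
    return min(d, 2 * k) if rel_error > target else max(1, k // 2)
```

In a training loop, the server would measure the error induced by the previous round's compression and call `adjust_k` before the next round, so no compression rate ever needs to be tuned by hand.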
Compression with Exact Error Distribution for Federated Learning
Compression schemes have been extensively used in Federated Learning (FL) to
reduce the communication cost of distributed learning. While most approaches
rely on a bounded variance assumption of the noise produced by the compressor,
this paper investigates the use of compression and aggregation schemes that
produce a specific error distribution, e.g., Gaussian or Laplace, on the
aggregated data. We present and analyze different aggregation schemes based on
layered quantizers achieving exact error distribution. We provide different
methods to leverage the proposed compression schemes to obtain
compression-for-free in differential privacy applications. Our general
compression methods can recover and improve standard FL schemes with Gaussian
perturbations such as Langevin dynamics and randomized smoothing.
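The core building block, a quantizer whose end-to-end error has an exact, known distribution, can be illustrated with classic subtractive dithering: the reconstruction error is exactly uniform and independent of the input, and the paper layers such quantizers to shape the aggregate error (e.g., toward Gaussian). The step size and names below are illustrative.

```python
import numpy as np

def subtractive_dither(x, step=0.5, rng=None):
    """One dithered-quantization layer: sender and receiver share the dither
    u ~ Uniform(-step/2, step/2); the sender transmits Q(x + u) on a uniform
    grid of width `step`, and the receiver subtracts u. The reconstruction
    error is exactly Uniform over one quantization cell, independent of x
    (classic subtractive dithering)."""
    rng = rng if rng is not None else np.random.default_rng(0)
    u = rng.uniform(-step / 2, step / 2, size=np.shape(x))
    q = step * np.round((x + u) / step)      # what actually travels on the wire
    return q - u                              # receiver-side reconstruction
```

Because the error distribution is known exactly rather than merely bounded in variance, it can be matched to the noise a DP mechanism would have added anyway, which is what makes "compression for free" possible.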
Understanding Compressive Adversarial Privacy
Designing a data sharing mechanism without sacrificing too much privacy can
be considered as a game between data holders and malicious attackers. This
paper describes a compressive adversarial privacy framework that captures the
trade-off between the data privacy and utility. We characterize the optimal
data releasing mechanism through convex optimization when assuming that both
the data holder and attacker can only modify the data using linear
transformations. We then build a more realistic data releasing mechanism that
can rely on a nonlinear compression model while the attacker uses a neural
network. We demonstrate in a series of empirical applications that this
framework, built on compressive adversarial privacy, can protect sensitive
information.
Compressive Privacy for a Linear Dynamical System
We consider a linear dynamical system in which the state vector consists of
both public and private states. One or more sensors make measurements of the
state vector and send information to a fusion center, which performs the final
state estimation. To achieve an optimal tradeoff between the utility of
estimating the public states and protection of the private states, the
measurements at each time step are linearly compressed into a lower dimensional
space. Under the centralized setting where all measurements are collected by a
single sensor, we propose an optimization problem and an algorithm to find the
best compression matrix. Under the decentralized setting where measurements are
made separately at multiple sensors, each sensor optimizes its own local
compression matrix. We propose methods to separate the overall optimization
problem into multiple sub-problems that can be solved locally at each sensor.
We consider the cases where there is no message exchange between the sensors;
and where each sensor takes turns to transmit messages to the other sensors.
Simulations and empirical experiments demonstrate the efficiency of our
proposed approach in allowing the fusion center to estimate the public states
with good accuracy while preventing it from estimating the private states
accurately.
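A toy special case of the compression step can be sketched as follows: choose a compression matrix whose rows annihilate the private columns of the measurement map, so the compressed measurement carries only public-state information. The paper instead solves an optimization trading off utility against privacy; the hard-nulling construction and all names here are illustrative assumptions.

```python
import numpy as np

def null_private_compressor(H, priv_idx, r):
    """Toy sketch: with measurement y = H @ x, pick the rows of the r x m
    compression matrix C from the left null space of the private columns of
    H, so C @ y contains no contribution from the private states. Requires
    r <= (#measurements) - rank(private columns)."""
    H_priv = H[:, priv_idx]
    U, s, _ = np.linalg.svd(H_priv)          # full SVD: U is m x m
    rank = int(np.count_nonzero(s > 1e-10))
    return U[:, rank:rank + r].T             # r x m compression matrix
```

Hard-nulling the private directions maximizes privacy at some cost to public-state utility; the optimization in the paper softens this constraint to trade the two off.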