Do not Let Privacy Overbill Utility: Gradient Embedding Perturbation for Private Learning
Keywords: privacy preserving machine learning, differentially private deep learning, gradient redundancy
Abstract: The privacy leakage of the model about the training data can be bounded in the differential privacy mechanism. However, for meaningful privacy parameters, a differentially private model degrades the utility drastically when the model comprises a large number of trainable parameters. In this paper, we propose an algorithm \emph{Gradient Embedding Perturbation (GEP)} towards training differentially private deep models with decent accuracy. Specifically, in each gradient descent step, GEP first projects individual private gradient into a non-sensitive anchor subspace, producing a low-dimensional gradient embedding and a small-norm residual gradient. Then, GEP perturbs the low-dimensional embedding and the residual gradient separately according to the privacy budget. Such a decomposition permits a small perturbation variance, which greatly helps to break the dimensional barrier of private learning. With GEP, we achieve decent accuracy with low computational cost and modest privacy guarantee for deep models. Especially, with privacy bound $\epsilon=8$, we achieve $74.9\%$ test accuracy on CIFAR10 and $95.1\%$ test accuracy on SVHN, significantly improving over existing results.
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
One-sentence Summary: A new algorithm for differentially private learning that advances state-of-the-art performance on several benchmark datasets. Code: https://github.com/dayu11/Gradient-Embedding-Perturbation
Supplementary Material: zip
Code: [ dayu11/Differentially-Private-Deep-Learning](https://github.com/dayu11/Differentially-Private-Deep-Learning) + [ 1 community implementation](https://paperswithcode.com/paper/?openreview=7aogOj_VYO0)
18 Replies
Loading