When Does Differentially Private Learning Not Suffer in High Dimensions?
Keywords: Differential Privacy, fine-tuning, DP convex optimization, pretrained models
TL;DR: We present new theoretical and empirical insights explaining the recent success of DP-SGD for fine-tuning large deep learning models.
Abstract: Large pretrained models can be fine-tuned with differential privacy to achieve performance approaching that of non-private models. A common theme in these results is the surprising observation that high-dimensional models can achieve favorable privacy-utility trade-offs. This seemingly contradicts known results on the model-size dependence of differentially private convex learning and raises the following research question: When does the performance of differentially private learning not degrade with increasing model size? We identify that the magnitudes of gradients projected onto subspaces is a key factor that determines performance. To precisely characterize this for private convex learning, we introduce a condition on the objective that we term restricted Lipschitz continuity and derive improved bounds for the excess empirical and population risks that are dimension- independent under additional conditions. We empirically show that in private fine-tuning of large language models, gradients obtained during fine-tuning are mostly controlled by a few principal components. This behavior is similar to conditions under which we obtain dimension-independent bounds in convex settings. Our theoretical and empirical results together provide a possible explanation for the recent success of large-scale private fine-tuning. Code to reproduce our results can be found at https://github.com/lxuechen/private-transformers/tree/main/examples/classification/spectral_analysis.
Supplementary Material: pdf
Community Implementations: [ 1 code implementation](https://www.catalyzex.com/paper/arxiv:2207.00160/code)
13 Replies
Loading