Privacy Auditing with One (1) Training Run
Keywords: Differential privacy, membership inference attacks, privacy auditing
TL;DR: We show how to compute lower bounds on the privacy parameters of an algorithm with only one run of that algorithm.
Abstract: We propose a scheme for auditing differentially private machine learning systems with a single training run. This exploits the parallelism of being able to add or remove multiple training examples independently. We analyze this using the connection between differential privacy and statistical generalization, which avoids the cost of group privacy. Our auditing scheme requires minimal assumptions about the algorithm and can be applied in the black-box or white-box setting. We demonstrate the effectiveness of our framework by applying it to DP-SGD, where we can achieve meaningful empirical privacy lower bounds by training only one model. In contrast, standard methods would require training hundreds of models.
Supplementary Material: pdf
Submission Number: 22
Loading