Privacy Auditing with One (1) Training Run

Published: 19 Jun 2023, Last Modified: 21 Jul 2023FL-ICML 2023EveryoneRevisionsBibTeX
Keywords: differential privacy, auditing
TL;DR: We show how to compute empirical lower bounds on the privacy parameters of an algorithm with only one run of that algorithm, where prior work requires hundreds of runs..
Abstract: We propose a scheme for auditing differentially private machine learning systems with a single training run. This exploits the parallelism of being able to add or remove multiple training examples independently. We analyze this using the connection between differential privacy and statistical generalization, which avoids the cost of group privacy. Our auditing scheme requires minimal assumptions about the algorithm and can be applied in the black-box (i.e., central DP) or white-box (i.e., federated learning) setting. We demonstrate the effectiveness of our framework by applying it to DP-SGD, where we can achieve meaningful empirical privacy lower bounds by training only *one model*, where standard methods would require training hundreds of models.
Submission Number: 17