PAC Privacy Preserving Diffusion Models

TMLR Paper3352 Authors

17 Sept 2024 (modified: 10 Nov 2024), Withdrawn by Authors, CC BY 4.0
Abstract: Data privacy protection is garnering increased attention among researchers. Diffusion models (DMs), particularly with strict differential privacy, can potentially produce images with both high privacy and visual quality. However, challenges arise, such as ensuring robust protection when privatizing specific data attributes, an area where current models often fall short. To address these challenges, we introduce the PAC Privacy Preserving Diffusion Model, a model that leverages diffusion principles and ensures Probably Approximately Correct (PAC) privacy. We enhance privacy protection by integrating private classifier guidance into the Langevin Sampling Process. Additionally, recognizing the gap in measuring the privacy of models, we have developed a novel metric to gauge privacy levels. Our model, assessed with this new metric and supported by Gaussian matrix computations for the PAC bound, has shown superior performance in privacy protection over existing leading private generative models according to benchmark tests.
Submission Length: Regular submission (no more than 12 pages of main content)
Previous TMLR Submission Url: https://openreview.net/forum?id=jjQTE2ayrX&referrer=%5BAuthor%20Console%5D(%2Fgroup%3Fid%3DTMLR%2FAuthors%23your-submissions)
Changes Since Last Submission: We sincerely appreciate the thorough comments and suggestions provided by all the reviewers. Based on your feedback, we have revised our paper thoroughly. The major changes are as follows:
1. Provided stronger justifications for favoring PAC privacy over DP in the Introduction.
2. Added PAC Privacy properties in Section 3.2, "PAC Privacy".
3. Revised and replaced the non-DP parameter with $\xi$ and $\tau$ in Table 1, "Estimated Level of Noise $B$ to Approximately Ensure PAC Privacy", where $\xi$ indicates the model is PAC private, and $\tau$ indicates the model is neither PAC private nor DP.
4. Strengthened the reasoning in Section 4.1, "Conditional Private Langevin Sampling," for better substantiation.
5. Added an additional baseline model, "DP-MEPF," to our empirical analysis.
6. Clarified the statement of PAC privacy in Section 3.2 and explained previously undefined symbols in Sections 3.2 and 3.3, "Conditional Diffusion Models."
7. Expanded the explanation of the random response mechanism and Gaussian mechanism, including parameter settings and combination steps, in Section 4.
8. Completed the proof of PAC privacy in Sections 3.2 and 4.4, "PAC Privacy Proof of Our Model."
We have also made several minor adjustments to address other issues raised by the reviewers.
Assigned Action Editor: ~Jonathan_Ullman1
Submission Number: 3352