TL;DR: We utilize novel bound propagation algorithms to upper-bound local sensitivity of machine learning predictions and leverage this bound for improved private prediction.
Abstract: We study private prediction where differential privacy is achieved by adding noise to the outputs of a non-private model. Existing methods rely on noise proportional to the global sensitivity of the model, often resulting in sub-optimal privacy-utility trade-offs compared to private training. We introduce a novel approach for computing dataset-specific upper bounds on prediction sensitivity by leveraging convex relaxation and bound propagation techniques. By combining these bounds with the smooth sensitivity mechanism, we significantly improve the privacy analysis of private prediction compared to global sensitivity-based approaches. Experimental results across real-world datasets in medical image classification and natural language processing demonstrate that our sensitivity bounds can be orders of magnitude tighter than global sensitivity. Our approach provides a strong basis for the development of novel privacy-preserving technologies.
Lay Summary: Protecting users' private data when using machine learning models is a growing concern, especially in sensitive areas like healthcare and natural language processing. One way to ensure privacy is by adding random noise to a model’s predictions; however, current methods often add more noise than is necessary, reducing model performance. Our research presents a new way to compute the right amount of noise, by better understanding how sensitive a model's predictions are to changes in the data. Specifically, instead of using a global estimate, we develop a way to compute (or at least bound) more precise, data-specific estimates. Our method is demonstrated on real-world tasks, including medical image analysis and text processing, and we found that it significantly outperforms existing techniques.
Primary Area: Social Aspects->Privacy
Keywords: Differential Privacy, Convex Optimization, Deep Learning
Submission Number: 16097