Differentially Private Federated Learning without Noise Addition: When is it Possible? (2405.04551v3)
Abstract: Federated Learning (FL) with Secure Aggregation (SA) has gained significant attention as a privacy-preserving framework for training machine learning models while preventing the server from learning information about users' data from their individual encrypted model updates. Recent research has extended the privacy guarantees of FL with SA by bounding the information leakage through the aggregate model over multiple training rounds, leveraging the "noise" from other users' updates. However, the privacy metric used in that work (mutual information) measures the on-average privacy leakage, without providing any privacy guarantees for worst-case scenarios. To address this, in this work we study the conditions under which FL with SA can provide worst-case differential privacy (DP) guarantees. Specifically, we formally identify the necessary condition under which SA can provide DP without additional noise. We then prove that when the randomness inside the aggregated model update is Gaussian with a non-singular covariance matrix, SA can provide differential privacy guarantees with the level of privacy $\epsilon$ bounded by the reciprocal of the minimum eigenvalue of the covariance matrix. However, we further demonstrate that in practice these conditions are unlikely to hold, and hence additional noise added to model updates is still required for SA in FL to achieve DP. Lastly, we discuss the potential solution of leveraging the inherent randomness inside the aggregated model update to reduce the amount of additional noise required for a DP guarantee.
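The eigenvalue dependence stated in the abstract can be checked numerically. The sketch below is an added example, not code from the paper: it uses the Rényi divergence between two equal-covariance Gaussians as the privacy measure (a choice made for this example, not the paper's stated bound), and the covariance matrices, sensitivity and function names are constructed for illustration.

```python
import math
import numpy as np

def renyi_divergence(delta, cov, alpha):
    """D_alpha(N(mu, cov) || N(mu + delta, cov)) = (alpha / 2) * delta^T cov^{-1} delta."""
    delta = np.asarray(delta, dtype=float)
    return 0.5 * alpha * float(delta @ np.linalg.solve(cov, delta))

def min_eigenvalue(cov):
    """Smallest eigenvalue of a symmetric covariance matrix."""
    return float(np.linalg.eigvalsh(np.asarray(cov, dtype=float))[0])

def worst_case_eps(cov, sensitivity, alpha, tol=1e-12):
    """Largest divergence over all shifts with ||delta||_2 <= sensitivity.

    The maximum of delta^T cov^{-1} delta is sensitivity^2 / lambda_min, so the
    bound scales with the reciprocal of the minimum eigenvalue. A singular
    covariance has a direction with no randomness and gives no finite bound.
    """
    lam = min_eigenvalue(cov)
    if lam <= tol:
        return math.inf
    return alpha * sensitivity ** 2 / (2.0 * lam)

def extra_noise_variance(cov, sensitivity, alpha, eps_target):
    """Variance s2 of added isotropic noise N(0, s2 * I) needed to reach eps_target.

    Adding s2 * I shifts every eigenvalue by s2, so inherent randomness
    (lambda_min > 0) reduces the noise that must be added.
    """
    required = alpha * sensitivity ** 2 / (2.0 * eps_target)
    return max(0.0, required - max(min_eigenvalue(cov), 0.0))

# Constructed covariances of the aggregated update (illustrative values only).
FULL_RANK = np.array([[2.0, 1.0], [1.0, 2.0]])   # eigenvalues 1 and 3
SINGULAR = np.array([[1.0, 1.0], [1.0, 1.0]])    # eigenvalues 0 and 2

if __name__ == "__main__":
    for name, cov in (("full rank", FULL_RANK), ("singular", SINGULAR)):
        print(name,
              "lambda_min=%.3f" % min_eigenvalue(cov),
              "worst-case eps=%s" % worst_case_eps(cov, 1.0, 2.0),
              "extra noise variance=%.3f" % extra_noise_variance(cov, 1.0, 2.0, 0.5))
```

With the constructed full-rank matrix, the worst case is reached by a shift along the eigenvector of the smallest eigenvalue; with the singular matrix the bound is infinite until noise is added.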