1
Privacy-preserving Prediction
Vitaly Feldman Brain with Cynthia Dwork
2
Privacy-preserving learning
Input: dataset $S = ((x_1, y_1), \ldots, (x_n, y_n))$. Goal: given $x$ predict $y$. Differentially private learning algorithm $A$. Model $h$. [Diagram: $A(S)$ and $A(S')$]
3
Trade-offs Linear regression in $\mathbb{R}^d$
With ε-DP needs factor Ω π π more data [Bassily,Smith,Thakurta 14]. Learning a linear classifier over $\{0,1\}^d$ needs factor Ω π π more data [Feldman,Xiao 13]. MNIST accuracy βππ% with small ε, δ vs 99.8% without privacy [AbadiCGMMTZ 16]
4
Prediction Users need predictions not models
Fits many existing systems. [Diagram: Users send queries from $X$ to a Prediction API, which returns predictions $v$, up to $v_t$ for the $t$-th query.] Given that many existing applications DP
5
Attacks Black-box membership inference with high accuracy
[Shokri,Stronati,Song,Shmatikov 17; LongBWBWTGC 18; SalemZFHB 18]
6
Learning with DP prediction
Accuracy-privacy trade-off. Single prediction query. Differentially private prediction: $M: (X \times Y)^n \times X \to Y$ is an ε-DP prediction algorithm if for every $x \in X$, $M(S, x)$ is ε-DP w.r.t. $S$
7
Differentially private aggregation
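Label aggregation [HCB 16; PAEGT 17; PSMRTE 18; BTT 18]
[Diagram: the dataset $S$ is split into $S_1, S_2, S_3, \ldots, S_k$ with $n = km$; a (non-DP) learning algo $A$ is run on each part to give $h_1, h_2, h_3, \ldots, h_{k-2}, h_{k-1}, h_k$; on input $x$ the values $h_1(x), h_2(x), h_3(x), \ldots, h_{k-2}(x), h_{k-1}(x), h_k(x)$ go through differentially private aggregation to produce $y$.]
Differentially private aggregation, e.g. exponential mechanism: $y \propto e^{\varepsilon |\{i \mid h_i(x) = y\}|/2}$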
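The aggregation scheme on this slide, written out as an added example (not code from the presentation or the paper). The 1-D learner `train_threshold`, the function names, and the data are assumptions made for illustration.

```python
import math
import random

def train_threshold(chunk):
    """Stand-in non-private learner A (assumed): midpoint between the class means."""
    pos = [x for x, y in chunk if y == 1]
    neg = [x for x, y in chunk if y == 0]
    if not pos or not neg:                      # degenerate chunk: constant model
        label = 1 if pos else 0
        return lambda x: label
    t = (sum(pos) / len(pos) + sum(neg) / len(neg)) / 2
    return lambda x: 1 if x >= t else 0

def label_distribution(votes, labels, eps):
    """Exponential mechanism: Pr[y] proportional to exp(eps * |{i : h_i(x) = y}| / 2)."""
    counts = {y: sum(1 for v in votes if v == y) for y in labels}
    top = max(counts.values())                  # shift exponents for numerical stability
    weights = {y: math.exp(eps * (c - top) / 2) for y, c in counts.items()}
    total = sum(weights.values())
    return {y: w / total for y, w in weights.items()}

def dp_predict(S, x, k, eps, rng, labels=(0, 1)):
    """Answer ONE query x with eps-DP w.r.t. S.

    Each example lands in exactly one of the k disjoint chunks, so replacing
    one example changes at most one model and therefore at most one vote.
    """
    chunks = [S[i::k] for i in range(k)]
    votes = [train_threshold(c)(x) for c in chunks]
    dist = label_distribution(votes, labels, eps)
    return rng.choices(list(dist), weights=list(dist.values()))[0]

# Constructed data: label y in {0, 1}, feature x drawn from N(2y, 1).
rng = random.Random(0)
S = [(rng.gauss(2.0 * y, 1.0), y) for y in (rng.randint(0, 1) for _ in range(600))]

if __name__ == "__main__":
    for x in (-1.0, 1.0, 3.0):
        print(x, dp_predict(S, x, k=10, eps=1.0, rng=random.Random(1)))
```

The guarantee is per query: every call to `dp_predict` spends ε again, which is the single-query setting of the definition above.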
8
Classification via aggregation
PAC model: Let $C$ be a class of functions over $X$. For all distributions $P$ over $X \times \{0,1\}$ output $h$ such that w.h.p. $\Pr_{(x,y) \sim P}[h(x) \neq y] \le \mathrm{Opt}_P(C) + \alpha$
Non-private | ε-DP prediction | ε-DP model
Θ VCdim C π Θ VCdim C ππ Θ Rdim C ππ α Realizable case: Θ VCdim C π π VCdim C ππ 1/3 + Θ Rdim C ππ Agnostic:
Representation dimension [Beimel,Nissim,Stemmer 13]: $\mathrm{VCdim}(C) \le \mathrm{Rdim}(C) \le \mathrm{VCdim}(C) \cdot \log |X|$ [KLNRS 08]. For many classes $\mathrm{Rdim}(C) = \Omega(\mathrm{VCdim}(C) \cdot \log |X|)$ [F.,Xiao 13]
9
Prediction stability à la [Bousquet,Elisseeff 02]:
$A: (X \times Y)^n \times X \to \mathbb{R}$ is a uniformly $\gamma$-stable algorithm if for every neighboring $S, S'$ and $x \in X$, $|A(S, x) - A(S', x)| \le \gamma$
Convex regression: given $F = \{f(w, x)\}_{w \in K}$. For $P$ over $X \times Y$, minimize $\ell_P(w) = \mathbf{E}_{(x,y) \sim P}[\ell(f(w, x), y)]$ over convex $K \subseteq \mathbb{R}^d$, where $\ell(f(w, x), y)$ is convex in $w$ for all $x, y$
Convex 1-Lipschitz regression over $\ell_2$ ball of radius 1:
Non-private | ε-DP prediction | ε-DP model
Θ 1 π π 1 ππ Ω 1 π + π ππ Excess loss:
10
DP prediction implies generalization
Beyond aggregation. Threshold functions on a line 1 π
Excess error for agnostic learning:
Non-private | ε-DP prediction | ε-DP model
Θ 1 π Θ π + 1 ππ Θ 1 π + log π ππ
DP prediction implies generalization
11
Conclusions Natural setting for learning with privacy
Better accuracy-privacy trade-off Paper (COLT 2018): Open problems: General agnostic learning Other general approaches Handling of multiple queries [BTT 18]