
DP-Auditorium: a Large Scale Library for Auditing Differential Privacy (2307.05608v2)

Published 10 Jul 2023 in cs.CR

Abstract: New regulations and increased awareness of data privacy have led to the deployment of new and more efficient differentially private mechanisms across public institutions and industries. Ensuring the correctness of these mechanisms is therefore crucial to ensure the proper protection of data. However, since differential privacy is a property of the mechanism itself, and not of an individual output, testing whether a mechanism is differentially private is not a trivial task. While ad hoc testing techniques exist under specific assumptions, no concerted effort has been made by the research community to develop a flexible and extendable tool for testing differentially private mechanisms. This paper introduces DP-Auditorium as a step advancing research in this direction. DP-Auditorium abstracts the problem of testing differential privacy into two steps: (1) measuring the distance between distributions, and (2) finding neighboring datasets where a mechanism generates output distributions maximizing such distance. From a technical point of view, we propose three new algorithms for evaluating the distance between distributions. While these algorithms are well-established in the statistics community, we provide new estimation guarantees that exploit the fact that we are only interested in verifying whether a mechanism is differentially private, and not in obtaining an exact estimate of the distance between two distributions. DP-Auditorium is easily extensible, as demonstrated in this paper by implementing a well-known approximate differential privacy testing algorithm into our library. We provide an extensive comparison to date of multiple testers across varying sample sizes and differential privacy parameters, demonstrating that there is no single tester that dominates all others, and that a combination of different techniques is required to ensure proper testing of mechanisms.
