Bounding training data reconstruction in DP-SGD
Authors: Jamie Hayes, Borja Balle, Saeed Mahloujifar
NeurIPS 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We now evaluate both our upper bounds for reconstruction success and our empirical privacy attacks (which gives us lower bounds on reconstruction success). We show that our attack has a success probability nearly identical to the bound given by our theory. |
| Researcher Affiliation | Collaboration | Jamie Hayes (Google DeepMind, jamhay@google.com); Saeed Mahloujifar (Meta AI, saeedm@meta.com); Borja Balle (Google DeepMind, bballe@google.com) |
| Pseudocode | Yes | Algorithm 1 Estimating γ; Algorithm 2 Prior-aware attack; Algorithm 3 Improved prior-aware attack |
| Open Source Code | No | The paper does not provide an explicit statement or link indicating that the source code for the described methodology is publicly available. |
| Open Datasets | Yes | We now compare the success of model-based and gradient-based reconstruction attacks against classification models trained with DP-SGD on MNIST and CIFAR-10. |
| Dataset Splits | No | The paper specifies training dataset sizes ('training set size is |D_z| = 1,000' for MNIST and 'training set size is |D_z| = 500' for CIFAR-10) but does not provide explicit training, validation, and test splits (e.g., percentages or sample counts for each split). |
| Hardware Specification | Yes | Setting T = 1 and using a 2.3 GHz 8-Core Intel Core i9 CPU it takes 0.002s to estimate with 10,000 samples. |
| Software Dependencies | No | The paper mentions using ML models like 'MLP' and 'Wide Res Net model' but does not specify software dependencies with version numbers (e.g., 'PyTorch 1.9' or 'TensorFlow 2.x'). |
| Experiment Setup | Yes | We refer to Appendix A for experimental details. For each ϵ, we select the learning rate by sweeping over a range of values between 0.001 and 100; we do not use any momentum in optimization. We set C = 0.1, δ = 10^−5 and adjust the noise scale σ for a given target ϵ. Appendix A includes Table 1: Hyperparameter settings for each experiment. |
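The experiment setup above follows the standard DP-SGD recipe: clip each per-example gradient to norm C, average, and add Gaussian noise with standard deviation σ·C. The following is a minimal NumPy sketch of that update step, not the authors' implementation; the function name, flattened-gradient representation, and default values are illustrative assumptions.

```python
import numpy as np

def dp_sgd_step(params, per_example_grads, clip_norm=0.1,
                noise_scale=1.0, lr=0.1, rng=None):
    """One DP-SGD update on flattened parameters.

    per_example_grads: array of shape (batch, dim), one gradient per example.
    Each gradient is clipped to L2 norm `clip_norm` (C in the paper),
    Gaussian noise with std `noise_scale * clip_norm` (sigma * C) is added
    to the summed clipped gradients, and the noisy mean is applied.
    """
    rng = np.random.default_rng(0) if rng is None else rng
    n = per_example_grads.shape[0]
    # Per-example clipping: scale gradients whose norm exceeds clip_norm.
    norms = np.linalg.norm(per_example_grads, axis=1, keepdims=True)
    factors = np.minimum(1.0, clip_norm / np.maximum(norms, 1e-12))
    clipped = per_example_grads * factors
    # Add Gaussian noise calibrated to the clipping norm, then average.
    noise = rng.normal(0.0, noise_scale * clip_norm, size=params.shape)
    noisy_mean = (clipped.sum(axis=0) + noise) / n
    return params - lr * noisy_mean
```

With `noise_scale=0` the step reduces to clipped SGD, which makes the clipping behavior easy to sanity-check in isolation; in the paper's setup, σ would instead be tuned so the composed steps meet a target (ϵ, δ).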