Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mi Jung Park (Technical University of Denmark, Denmark) Privacy-preserving Data Generation in the Era of Foundation Models: Generative Transfer Learning with Differential Privacy

Jia-Jie Zhu
March 27, 2024
0
31

Mi Jung Park (Technical University of Denmark, Denmark) Privacy-preserving Data Generation in the Era of Foundation Models: Generative Transfer Learning with Differential Privacy

WORKSHOP ON OPTIMAL TRANSPORT
FROM THEORY TO APPLICATIONS
INTERFACING DYNAMICAL SYSTEMS, OPTIMIZATION, AND MACHINE LEARNING
Venue: Humboldt University of Berlin, Dorotheenstraße 24

Berlin, Germany. March 11th - 15th, 2024

Jia-Jie Zhu

March 27, 2024
Tweet

More Decks by Jia-Jie Zhu

See All by Jia-Jie Zhu
Oliver Tse (Eindhoven University of Technology, Netherlands) Variational Acceleration Methods in the Space of Probability Measures
jjzhu
0
69
Olga Mula (Eindhoven University of Technology, Netherlands) Reduced Models in Wasserstein Spaces for Forward and Inverse Problems
jjzhu
0
42
Julie Delon (Université Paris-Cité, France) Optimal Transport with Invariances between Gaussian Mixture Models
jjzhu
0
34
Wuchen Li (University of South Carolina, Columbia, USA) Information Gamma Calculus: Convexity Analysis for Stochastic Differential Equations
jjzhu
0
150
Taiji Suzuki (University of Tokyo, Japan) Convergence of mean field Langevin dynamics and its application to neural network feature learning
jjzhu
0
180
Xue-Mei Li (École Polytechnique Fédérale de Lausanne, Switzerland) Coarse Extrinsic Curvature
jjzhu
0
84
Gabriel Peyré (CNRS & ENS, Paris, France) Sparsistency for Inverse Optimal Transport
jjzhu
0
33
Virginie Ehrlacher (ENPC & INRIA, Paris, France) Sparse Approximation of Multi-marginal Quantum Optimal Transport Problems with Moment Constraints: Application to Quantum Chemistry
jjzhu
0
45
Guillaume Carlier (Université Paris Dauphine - PSL, France) Displacement Smoothness of Entropic Optimal Transport and Applications to some Evolution Equations and Systems
jjzhu
0
33

Featured

See All Featured
Facilitating Awesome Meetings
lara
43
5.6k
How to train your dragon (web standard)
notwaldorf
75
5.2k
Music & Morning Musume
bryan
41
5.6k
Thoughts on Productivity
jonyablonski
60
3.9k
jQuery: Nuts, Bolts and Bling
dougneiner
60
7.2k
Building an army of robots
kneath
300
41k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
79
44k
BBQ
matthewcrist
80
8.8k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
188
16k
Debugging Ruby Performance
tmm1
70
11k
Happy Clients
brianwarren
92
6.4k

Transcript

  1. Confidential Customized for Lorem Ipsum LLC Version 1.0 Privacy-preserving data

    generation in the era of foundation models Mi Jung Park Applied Mathematics & Computer Science, Danmarks Tekniske Universitet (DTU) OT Workshop, Berlin March 15, 2024 1

  2. Confidential Customized for Lorem Ipsum LLC Version 1.0 Students &

    Collaborator 2 Frederik Harder Saiyue Lyu Michael Lui Margarita Vinaroz Kamil Adamczewski Danica J Sutherland Milad Jalali

  3. Data as a new kind of natural resource! 3 Data

    philanthropy “--- think of big data as a new kind of natural resource – infinitely renewable, increasingly ubiquitous – …Data has a social opportunity – and we have a social responsibility – … data reaches the people who need it most.”

  4. Data as a new kind of natural resource! 3 Data

    philanthropy “--- think of big data as a new kind of natural resource – infinitely renewable, increasingly ubiquitous – …Data has a social opportunity – and we have a social responsibility – … data reaches the people who need it most.” •Great idea, but currently, a few large corporations can take advantage of data

  5. Data as a new kind of natural resource! 3 Data

    philanthropy “--- think of big data as a new kind of natural resource – infinitely renewable, increasingly ubiquitous – …Data has a social opportunity – and we have a social responsibility – … data reaches the people who need it most.” •Great idea, but currently, a few large corporations can take advantage of data High-quality data locked in data servers

  6. Data as a new kind of natural resource! 3 Data

    philanthropy “--- think of big data as a new kind of natural resource – infinitely renewable, increasingly ubiquitous – …Data has a social opportunity – and we have a social responsibility – … data reaches the people who need it most.” •Great idea, but currently, a few large corporations can take advantage of data High-quality data locked in data servers Privacy Regulations!

  7. Synthetic Data 4 • Synthetic datasets are promised to preserve

    the statistical properties of the original data but “contain no personal data” • Why Useful : promote data sharing, debiasing, data augmentation, creating more “fair” datasets • Foundation models (e.g., Stable Diffusion, LLMs) for multi-modal synthetic data generation [Rajotte et al, iScience 22]

  8. Synthetic data is not privacy-preserving! 5 • Memorising training data

    [Stadler et al., CSS 22] • Synthetic data is vulnerable to linkage attacks (link a synthetic data point to a single record in the original data) [Carlini et al., CSS 23]

  9. Synthetic data is not privacy-preserving! 5 • Memorising training data

    [Stadler et al., CSS 22] • Synthetic data is vulnerable to linkage attacks (link a synthetic data point to a single record in the original data) [Carlini et al., CSS 23]

  10. 6 Privacy-preserving Algorithm Privacy-Sensitive Data Generated Data Release! How to

    create privacy-preserving synthetic data by utilizing pretrained large models?

  11. 6 Privacy-preserving Algorithm Privacy-Sensitive Data Generated Data Release! How to

    create privacy-preserving synthetic data by utilizing pretrained large models? Pre-trained Large Models

  12. 7 Privacy Definition

  13. [Dwork 06] 8 D1 <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit>

    <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> D2 <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> A <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> Differential Privacy

  14. [Dwork 06] 8 D1 <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit>

    <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> D2 <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> A <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> Differential Privacy • Privacy loss

  15. [Dwork 06] 8 D1 <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit>

    <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> D2 <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> A <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> Differential Privacy • Privacy loss how well we can distinguish two datasets

  16. [Dwork 06] 8 D1 <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit>

    <latexit sha1_base64="q69qAC9QCbzeFL5i4zpxpEWkU9k=">AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+</latexit> D2 <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> <latexit sha1_base64="kkMnEJJTL4WoIFiQkDJLkJ60BFg=">AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/</latexit> A <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> <latexit sha1_base64="BAeVOBC5ObWqGCFk52KlP7hcwRg=">AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ==</latexit> Differential Privacy • Privacy loss for all o and all pairs of datasets A is epsilon-DP if how well we can distinguish two datasets

  17. Differential Privacy (continued) [Dwork 06] 9 • Approximate DP: A

    is (epsilon, delta)-DP if

  18. Differential Privacy (continued) [Dwork 06] 9 DP holds w.p. •

    Approximate DP: A is (epsilon, delta)-DP if

  19. Differential Privacy (continued) [Dwork 06] 9 DP holds w.p. noise

    variance • Approximate DP: A is (epsilon, delta)-DP if

  20. Differential Privacy (continued) [Dwork 06] 9 DP holds w.p. noise

    variance sensitivity maximum over all pairs of datasets • Approximate DP: A is (epsilon, delta)-DP if

  21. Differential Privacy (continued) [Dwork 06] 9 DP holds w.p. noise

    variance sensitivity maximum over all pairs of datasets • Privacy & Accuracy Trade-off: • Approximate DP: A is (epsilon, delta)-DP if

  22. Properties of DP: Post-processing invariance 10 • Differential privacy is

    immune to post-processing: Sensitive Data epsilon-DP Algorithm

  23. Properties of DP: Post-processing invariance 10 • Differential privacy is

    immune to post-processing: Sensitive Data epsilon-DP Algorithm Output Algorithm

  24. Properties of DP: Post-processing invariance 10 • Differential privacy is

    immune to post-processing: Sensitive Data epsilon-DP Algorithm Output Algorithm epsilon-DP, With respect to Sensitive data!

  25. Properties of DP: Composability 11 Sensitive Data epsilon1-DP Algorithm epsilon2-DP

    Algorithm Output1 Output2 • Union of output 1 & output 2 is (epsilon1+epsilon2)-DP!

  26. Properties of DP: Composability 11 Sensitive Data epsilon1-DP Algorithm epsilon2-DP

    Algorithm Output1 Output2 • Union of output 1 & output 2 is (epsilon1+epsilon2)-DP! • More re fi ned composition methods, e.g., Moments accountant [Abadi et al,16]

  27. 12 DP Data Generation with Deep Learning

  28. DP-fying GANs (Generative Adversarial Networks) [Park et al., 2018;Torkzadehmahani et

    al., 2019; Xie et al., 2018; Frigerio et al., 2019].

  29. DP-fying GANs (Generative Adversarial Networks) [Park et al., 2018;Torkzadehmahani et

    al., 2019; Xie et al., 2018; Frigerio et al., 2019]. Random Input Generator (G) Generated Data Sample

  30. DP-fying GANs (Generative Adversarial Networks) [Park et al., 2018;Torkzadehmahani et

    al., 2019; Xie et al., 2018; Frigerio et al., 2019]. Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

  31. DP-fying GANs (Generative Adversarial Networks) Loss [Park et al., 2018;Torkzadehmahani

    et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

  32. DP-fying GANs (Generative Adversarial Networks) Loss Only Discriminator sees Data.

    Perturb gradients of D [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

  33. DP-fying GANs (Generative Adversarial Networks) Loss Only Discriminator sees Data.

    Perturb gradients of D [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. If D is DP, G: data-independent! Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

  34. DP-fying GANs (Generative Adversarial Networks) Loss Only Discriminator sees Data.

    Perturb gradients of D [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. If D is DP, G: data-independent! DP-Generator by post-processing invariance of DP Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

  35. Differentially Private Stochastic Gradient Descent (DP-SGD) DP-Discriminator using DP-SGD :

    gt(xi) r✓t L(✓t, xi) <latexit sha1_base64="Wj2fmDVvInwzS/0GPbPvL4KHeTQ=">AAACM3icbVDBattAFFylTZO6Sau0x16WmoILwUih0B5DciklhwRiO2AZ8bR+shevVmL3Ka0R+qdc+iM9FEoODSHX/kNXtgOt04GFYWYe+94khZKWguCnt/Ho8eaTre2nrWc7u89f+Hsv+zYvjcCeyFVuLhKwqKTGHklSeFEYhCxROEhmx40/uERjZa7PaV7gKIOJlqkUQE6K/c88yoCmSVpN6pg6X2P5jkcKUwJj8i880pAoiKuIpkgQU72MC1DVSd25V/d5Mxf77aAbLMAfknBF2myF09j/Ho1zUWaoSSiwdhgGBY0qMCSFwroVlRYLEDOY4NBRDRnaUbW4ueZvnTLmaW7c08QX6t8TFWTWzrPEJZuN7brXiP/zhiWlH0eV1EVJqMXyo7RUnHLeFMjH0qAgNXcEhJFuVy6mYECQq7nlSgjXT35I+gfdMOiGZ+/bh0erOrbZa/aGdVjIPrBD9omdsh4T7Ir9YL/YjffNu/ZuvbtldMNbzbxi/8D7/Qd58qtk</latexit> <latexit sha1_base64="Wj2fmDVvInwzS/0GPbPvL4KHeTQ=">AAACM3icbVDBattAFFylTZO6Sau0x16WmoILwUih0B5DciklhwRiO2AZ8bR+shevVmL3Ka0R+qdc+iM9FEoODSHX/kNXtgOt04GFYWYe+94khZKWguCnt/Ho8eaTre2nrWc7u89f+Hsv+zYvjcCeyFVuLhKwqKTGHklSeFEYhCxROEhmx40/uERjZa7PaV7gKIOJlqkUQE6K/c88yoCmSVpN6pg6X2P5jkcKUwJj8i880pAoiKuIpkgQU72MC1DVSd25V/d5Mxf77aAbLMAfknBF2myF09j/Ho1zUWaoSSiwdhgGBY0qMCSFwroVlRYLEDOY4NBRDRnaUbW4ueZvnTLmaW7c08QX6t8TFWTWzrPEJZuN7brXiP/zhiWlH0eV1EVJqMXyo7RUnHLeFMjH0qAgNXcEhJFuVy6mYECQq7nlSgjXT35I+gfdMOiGZ+/bh0erOrbZa/aGdVjIPrBD9omdsh4T7Ir9YL/YjffNu/ZuvbtldMNbzbxi/8D7/Qd58qtk</latexit> <latexit sha1_base64="Wj2fmDVvInwzS/0GPbPvL4KHeTQ=">AAACM3icbVDBattAFFylTZO6Sau0x16WmoILwUih0B5DciklhwRiO2AZ8bR+shevVmL3Ka0R+qdc+iM9FEoODSHX/kNXtgOt04GFYWYe+94khZKWguCnt/Ho8eaTre2nrWc7u89f+Hsv+zYvjcCeyFVuLhKwqKTGHklSeFEYhCxROEhmx40/uERjZa7PaV7gKIOJlqkUQE6K/c88yoCmSVpN6pg6X2P5jkcKUwJj8i880pAoiKuIpkgQU72MC1DVSd25V/d5Mxf77aAbLMAfknBF2myF09j/Ho1zUWaoSSiwdhgGBY0qMCSFwroVlRYLEDOY4NBRDRnaUbW4ueZvnTLmaW7c08QX6t8TFWTWzrPEJZuN7brXiP/zhiWlH0eV1EVJqMXyo7RUnHLeFMjH0qAgNXcEhJFuVy6mYECQq7nlSgjXT35I+gfdMOiGZ+/bh0erOrbZa/aGdVjIPrBD9omdsh4T7Ir9YL/YjffNu/ZuvbtldMNbzbxi/8D7/Qd58qtk</latexit> <latexit sha1_base64="Wj2fmDVvInwzS/0GPbPvL4KHeTQ=">AAACM3icbVDBattAFFylTZO6Sau0x16WmoILwUih0B5DciklhwRiO2AZ8bR+shevVmL3Ka0R+qdc+iM9FEoODSHX/kNXtgOt04GFYWYe+94khZKWguCnt/Ho8eaTre2nrWc7u89f+Hsv+zYvjcCeyFVuLhKwqKTGHklSeFEYhCxROEhmx40/uERjZa7PaV7gKIOJlqkUQE6K/c88yoCmSVpN6pg6X2P5jkcKUwJj8i880pAoiKuIpkgQU72MC1DVSd25V/d5Mxf77aAbLMAfknBF2myF09j/Ho1zUWaoSSiwdhgGBY0qMCSFwroVlRYLEDOY4NBRDRnaUbW4ueZvnTLmaW7c08QX6t8TFWTWzrPEJZuN7brXiP/zhiWlH0eV1EVJqMXyo7RUnHLeFMjH0qAgNXcEhJFuVy6mYECQq7nlSgjXT35I+gfdMOiGZ+/bh0erOrbZa/aGdVjIPrBD9omdsh4T7Ir9YL/YjffNu/ZuvbtldMNbzbxi/8D7/Qd58qtk</latexit> ¯ gt gt(xi) max(1, kgt(xi)k2/C) <latexit sha1_base64="+X0CDIcomi6ErAy21dx+wJeCuqc=">AAACS3icbVBNTxsxFPSmBUL4SumRi0WEFCQUdhESPSJy6TFIBCJlo9Wz4w0W3vXKfksTbff/ceHSW/9ELz0UVT3gfBwC6UiWRjPz9J6HZUpa9P2fXuXDx7X1jepmbWt7Z3ev/mn/1urccNHlWmnTY2CFkqnookQlepkRkDAl7thDe+rfPQpjpU5vcJKJQQKjVMaSAzopqrOQgSnCBPCexcWoLCOkoRIxgjH6Gw1jA3zJjrA5juRx6SSmx0UC47IZnNDwO13JODE6O20fl1G94bf8GegqCRakQRboRPUf4VDzPBEpcgXW9gM/w0EBBiVXoqyFuRUZ8AcYib6jKSTCDopZFyU9csqQxtq4lyKdqcsTBSTWThLmktOL7XtvKv7P6+cYfxkUMs1yFCmfL4pzRVHTabF0KI3gqCaOADfS3Ur5Pbj60NVfcyUE77+8Sm7PWoHfCq7PG5dXizqq5IAckiYJyAW5JF9Jh3QJJ0/kF/lDXrxn77f31/s3j1a8xcxn8gaVtVdbALSW</latexit> <latexit sha1_base64="+X0CDIcomi6ErAy21dx+wJeCuqc=">AAACS3icbVBNTxsxFPSmBUL4SumRi0WEFCQUdhESPSJy6TFIBCJlo9Wz4w0W3vXKfksTbff/ceHSW/9ELz0UVT3gfBwC6UiWRjPz9J6HZUpa9P2fXuXDx7X1jepmbWt7Z3ev/mn/1urccNHlWmnTY2CFkqnookQlepkRkDAl7thDe+rfPQpjpU5vcJKJQQKjVMaSAzopqrOQgSnCBPCexcWoLCOkoRIxgjH6Gw1jA3zJjrA5juRx6SSmx0UC47IZnNDwO13JODE6O20fl1G94bf8GegqCRakQRboRPUf4VDzPBEpcgXW9gM/w0EBBiVXoqyFuRUZ8AcYib6jKSTCDopZFyU9csqQxtq4lyKdqcsTBSTWThLmktOL7XtvKv7P6+cYfxkUMs1yFCmfL4pzRVHTabF0KI3gqCaOADfS3Ur5Pbj60NVfcyUE77+8Sm7PWoHfCq7PG5dXizqq5IAckiYJyAW5JF9Jh3QJJ0/kF/lDXrxn77f31/s3j1a8xcxn8gaVtVdbALSW</latexit> <latexit sha1_base64="+X0CDIcomi6ErAy21dx+wJeCuqc=">AAACS3icbVBNTxsxFPSmBUL4SumRi0WEFCQUdhESPSJy6TFIBCJlo9Wz4w0W3vXKfksTbff/ceHSW/9ELz0UVT3gfBwC6UiWRjPz9J6HZUpa9P2fXuXDx7X1jepmbWt7Z3ev/mn/1urccNHlWmnTY2CFkqnookQlepkRkDAl7thDe+rfPQpjpU5vcJKJQQKjVMaSAzopqrOQgSnCBPCexcWoLCOkoRIxgjH6Gw1jA3zJjrA5juRx6SSmx0UC47IZnNDwO13JODE6O20fl1G94bf8GegqCRakQRboRPUf4VDzPBEpcgXW9gM/w0EBBiVXoqyFuRUZ8AcYib6jKSTCDopZFyU9csqQxtq4lyKdqcsTBSTWThLmktOL7XtvKv7P6+cYfxkUMs1yFCmfL4pzRVHTabF0KI3gqCaOADfS3Ur5Pbj60NVfcyUE77+8Sm7PWoHfCq7PG5dXizqq5IAckiYJyAW5JF9Jh3QJJ0/kF/lDXrxn77f31/s3j1a8xcxn8gaVtVdbALSW</latexit> <latexit sha1_base64="+X0CDIcomi6ErAy21dx+wJeCuqc=">AAACS3icbVBNTxsxFPSmBUL4SumRi0WEFCQUdhESPSJy6TFIBCJlo9Wz4w0W3vXKfksTbff/ceHSW/9ELz0UVT3gfBwC6UiWRjPz9J6HZUpa9P2fXuXDx7X1jepmbWt7Z3ev/mn/1urccNHlWmnTY2CFkqnookQlepkRkDAl7thDe+rfPQpjpU5vcJKJQQKjVMaSAzopqrOQgSnCBPCexcWoLCOkoRIxgjH6Gw1jA3zJjrA5juRx6SSmx0UC47IZnNDwO13JODE6O20fl1G94bf8GegqCRakQRboRPUf4VDzPBEpcgXW9gM/w0EBBiVXoqyFuRUZ8AcYib6jKSTCDopZFyU9csqQxtq4lyKdqcsTBSTWThLmktOL7XtvKv7P6+cYfxkUMs1yFCmfL4pzRVHTabF0KI3gqCaOADfS3Ur5Pbj60NVfcyUE77+8Sm7PWoHfCq7PG5dXizqq5IAckiYJyAW5JF9Jh3QJJ0/kF/lDXrxn77f31/s3j1a8xcxn8gaVtVdbALSW</latexit> ˜ gt 1 L X i ⇥ ¯ gt(xi) + N(0, 2C2I) ⇤ <latexit sha1_base64="BmNsMn7AQlzvGkVR0WiBii+XoSw=">AAACZnicbVFNa9wwEJXdr2TbptuEkkMvQ5fChpbFDoH0GJpLCyUkkE0Ca9eMtbJXRLKNNG67CP/J3nrupT+j2o9DvgYGHu/NY0ZPeaOkpSj6E4SPHj95+mxjs/f8xcutV/3X2xe2bg0XY16r2lzlaIWSlRiTJCWuGiNQ50pc5tfHC/3yhzBW1tU5zRuRaiwrWUiO5Kms30FCUk2FSzTSLC9c2XUZQaJEQWhM/ROSwiB3cee++Vnb6kyu1AkkOZrbvuGvTO4BfABY0hyVO+mG0UdvlKXG7/tw7PvrHiRGljNKs/4gGkXLgvsgXoMBW9dp1v+dTGvealERV2jtJI4aSh0aklyJrpe0VjTIr7EUEw8r1MKmbhlTB+89M4WiNr4rgiV70+FQWzvXuZ9cXG/vagvyIW3SUvEpdbJqWhIVXy0qWgVUwyJzmEojOKm5B8iN9LcCn6GPlfzP9HwI8d0n3wcX+6M4GsVnB4Ojz+s4Nthb9o4NWcwO2RH7wk7ZmHH2N9gMtoOd4F+4Fb4Jd1ejYbD27LBbFcJ/eg63ig==</latexit> <latexit sha1_base64="BmNsMn7AQlzvGkVR0WiBii+XoSw=">AAACZnicbVFNa9wwEJXdr2TbptuEkkMvQ5fChpbFDoH0GJpLCyUkkE0Ca9eMtbJXRLKNNG67CP/J3nrupT+j2o9DvgYGHu/NY0ZPeaOkpSj6E4SPHj95+mxjs/f8xcutV/3X2xe2bg0XY16r2lzlaIWSlRiTJCWuGiNQ50pc5tfHC/3yhzBW1tU5zRuRaiwrWUiO5Kms30FCUk2FSzTSLC9c2XUZQaJEQWhM/ROSwiB3cee++Vnb6kyu1AkkOZrbvuGvTO4BfABY0hyVO+mG0UdvlKXG7/tw7PvrHiRGljNKs/4gGkXLgvsgXoMBW9dp1v+dTGvealERV2jtJI4aSh0aklyJrpe0VjTIr7EUEw8r1MKmbhlTB+89M4WiNr4rgiV70+FQWzvXuZ9cXG/vagvyIW3SUvEpdbJqWhIVXy0qWgVUwyJzmEojOKm5B8iN9LcCn6GPlfzP9HwI8d0n3wcX+6M4GsVnB4Ojz+s4Nthb9o4NWcwO2RH7wk7ZmHH2N9gMtoOd4F+4Fb4Jd1ejYbD27LBbFcJ/eg63ig==</latexit> <latexit sha1_base64="BmNsMn7AQlzvGkVR0WiBii+XoSw=">AAACZnicbVFNa9wwEJXdr2TbptuEkkMvQ5fChpbFDoH0GJpLCyUkkE0Ca9eMtbJXRLKNNG67CP/J3nrupT+j2o9DvgYGHu/NY0ZPeaOkpSj6E4SPHj95+mxjs/f8xcutV/3X2xe2bg0XY16r2lzlaIWSlRiTJCWuGiNQ50pc5tfHC/3yhzBW1tU5zRuRaiwrWUiO5Kms30FCUk2FSzTSLC9c2XUZQaJEQWhM/ROSwiB3cee++Vnb6kyu1AkkOZrbvuGvTO4BfABY0hyVO+mG0UdvlKXG7/tw7PvrHiRGljNKs/4gGkXLgvsgXoMBW9dp1v+dTGvealERV2jtJI4aSh0aklyJrpe0VjTIr7EUEw8r1MKmbhlTB+89M4WiNr4rgiV70+FQWzvXuZ9cXG/vagvyIW3SUvEpdbJqWhIVXy0qWgVUwyJzmEojOKm5B8iN9LcCn6GPlfzP9HwI8d0n3wcX+6M4GsVnB4Ojz+s4Nthb9o4NWcwO2RH7wk7ZmHH2N9gMtoOd4F+4Fb4Jd1ejYbD27LBbFcJ/eg63ig==</latexit> <latexit sha1_base64="BmNsMn7AQlzvGkVR0WiBii+XoSw=">AAACZnicbVFNa9wwEJXdr2TbptuEkkMvQ5fChpbFDoH0GJpLCyUkkE0Ca9eMtbJXRLKNNG67CP/J3nrupT+j2o9DvgYGHu/NY0ZPeaOkpSj6E4SPHj95+mxjs/f8xcutV/3X2xe2bg0XY16r2lzlaIWSlRiTJCWuGiNQ50pc5tfHC/3yhzBW1tU5zRuRaiwrWUiO5Kms30FCUk2FSzTSLC9c2XUZQaJEQWhM/ROSwiB3cee++Vnb6kyu1AkkOZrbvuGvTO4BfABY0hyVO+mG0UdvlKXG7/tw7PvrHiRGljNKs/4gGkXLgvsgXoMBW9dp1v+dTGvealERV2jtJI4aSh0aklyJrpe0VjTIr7EUEw8r1MKmbhlTB+89M4WiNr4rgiV70+FQWzvXuZ9cXG/vagvyIW3SUvEpdbJqWhIVXy0qWgVUwyJzmEojOKm5B8iN9LcCn6GPlfzP9HwI8d0n3wcX+6M4GsVnB4Ojz+s4Nthb9o4NWcwO2RH7wk7ZmHH2N9gMtoOd4F+4Fb4Jd1ejYbD27LBbFcJ/eg63ig==</latexit> [Abadi et al 2016]. Discriminator parameters Sample-wise gradient has limited sensitivity

  36. Challenge I: privatising entire Discriminator network during many steps of

    training results in High privacy loss, due to composability of DP Challenge II: Larger models (generally) have poor accuracy-privacy trade-offs, because noise scale (roughly) grows linearly with # parameters.

  37. Challenge I: privatising entire Discriminator network during many steps of

    training results in High privacy loss, due to composability of DP Challenge II: Larger models (generally) have poor accuracy-privacy trade-offs, because noise scale (roughly) grows linearly with # parameters. Kernel Mean Embedding Discriminator (D) Can we use a simpler “Discriminator” that allows us to add noise only once?

  38. 16 Differentially Private Kernel Mean Embeddings For Data Generation

  39. 17 how close is P from Q? Real data Synthetic

    data Given Kernel Mean Embedding (ME)

  40. 17 how close is P from Q? Real data Synthetic

    data Given probability space Kernel Mean Embedding (ME)

  41. 17 how close is P from Q? Real data Synthetic

    data Given probability space inf. dim. features reproducing kernel Hilbert space Kernel Mean Embedding (ME)

  42. 17 how close is P from Q? Real data Synthetic

    data Given probability space inf. dim. features reproducing kernel Hilbert space Kernel Mean Embedding (ME)

  43. 17 how close is P from Q? Real data Synthetic

    data Given probability space inf. dim. features reproducing kernel Hilbert space Kernel Mean Embedding (ME) Maximum mean discrepancy [Gretton et al, 2012]

  44. 17 kernel characteristic how close is P from Q? Real

    data Synthetic data Given probability space inf. dim. features reproducing kernel Hilbert space Kernel Mean Embedding (ME) Maximum mean discrepancy [Gretton et al, 2012]

  45. 18 Infinite-dimensional Mean Embedding

  46. 18 Infinite-dimensional Mean Embedding Only this term access Data, but

    the feature is infinite-dimensional! Sample average

  47. 18 Infinite-dimensional Mean Embedding Only this term access Data, but

    the feature is infinite-dimensional! Sample average The sensitivity of the mean embedding is unbounded! maximum over all pairs of datasets

  48. 19 Finite-dimensional approximation : random Fourier features Finite-dimensional features such

    that

  49. 19 Finite-dimensional approximation : random Fourier features Approximation error under

    RF [Sutherland & Schneider15] [Rahimi & Recht, 2018] Finite-dimensional features such that

  50. 19 Finite-dimensional approximation : random Fourier features Approximation error under

    RF [Sutherland & Schneider15] [Rahimi & Recht, 2018] Finite-dimensional features such that

  51. 19 Finite-dimensional approximation : random Fourier features Perturb MERF With

    Gaussian noise Approximation error under RF [Sutherland & Schneider15] [Rahimi & Recht, 2018] Finite-dimensional features such that

  52. 19 Finite-dimensional approximation : random Fourier features Perturb MERF With

    Gaussian noise Approximation error under RF [Sutherland & Schneider15] [Rahimi & Recht, 2018] Finite-dimensional features such that DP-MERF [Harder et al, AISTATS 2021]

  53. 20 DP-MERF on tabular data ROC: receiver operating characteristics PRC:

    precision recall curve F1 score: harmonic mean of precision and recall [DP-CGAN by Torkzadehmahani et al., 2019] Evaluation: Train 12-classifiers using Synthetic data; and Test them on Real test data ROC PRC ROC PRC ROC PRC

  54. 20 DP-MERF on tabular data ROC: receiver operating characteristics PRC:

    precision recall curve F1 score: harmonic mean of precision and recall [DP-CGAN by Torkzadehmahani et al., 2019] • Takeaway: The kernel-based method (DP-MERF) performs better than DP-CGAN at a small privacy budget (epsilon=1) Evaluation: Train 12-classifiers using Synthetic data; and Test them on Real test data ROC PRC ROC PRC ROC PRC

  55. 20 DP-MERF on tabular data ROC: receiver operating characteristics PRC:

    precision recall curve F1 score: harmonic mean of precision and recall [DP-CGAN by Torkzadehmahani et al., 2019] • Takeaway: The kernel-based method (DP-MERF) performs better than DP-CGAN at a small privacy budget (epsilon=1) Evaluation: Train 12-classifiers using Synthetic data; and Test them on Real test data ROC PRC ROC PRC ROC PRC • Later work: DP-HP (Hermite Polynomials) [Vinaroz et al, ICML 2022]

  56. 21 But when applied to CIFAR10 data

  57. 21 But when applied to CIFAR10 data

  58. 22 Could there be more expressive features we could use?

  59. 23 Perceptual features [Zhang et al, CVPR 2018] • Unlike

    traditional metrics (L2/SNR, etc), embedding using the features of VGG networks trained on ImageNet classi fi cation agrees surprisingly well with human’s perceptual similarity. [Dos Santos et al, ICCV 2019] • Generative modelling via Moment matching using perceptual features

  60. 24 DP-MEPF (perceptual features) [Harder et al, TMLR 2023] Pre-trained

    VGG19 Using Gaussian mechanism • MMD is a well-de fi ned metric if PFs are universal features. • A bit murky: Empirically, in transfer learning, features from ImageNet pretrained VGG/ResNet can express any functions for a downstream task by fi nding a linear weight in their span, which follows the de fi nition of universal feature [Charles et al, JMLR 06]

  61. 25 More theoretical analyses in the paper Assuming PFs are

    universal features, • Second term goes to zero for good generators • At a given DP-level, sigma is constant, but the error is small if D (PF dimension) is smaller than m^2 (private data size). In CIFAR10, m=50k and D=300k.

  62. 26 DP-MEPF (Imagenet -> CIFAR10)

  63. Summary of DP-MEPF 27 A simple & practical algorithm for

    DP data generation using mean embeddings with perceptual features, a good accuracy-privacy trade-off!

  64. Summary of DP-MEPF 27 First time, being able to generate

    datasets like CIFAR10 with DP! A simple & practical algorithm for DP data generation using mean embeddings with perceptual features, a good accuracy-privacy trade-off!

  65. Summary of DP-MEPF 27 First time, being able to generate

    datasets like CIFAR10 with DP! A simple & practical algorithm for DP data generation using mean embeddings with perceptual features, a good accuracy-privacy trade-off! Could we use better generative models (e.g., diffusion models), and adjust features for private data via fine-tuning, so we can generate more complex data beyond CIFAR10? But static (not adapted to private data) features are somewhat limited

  66. 28 Differentially Private (Latent) Diffusion Models For Data Generation

  67. DDPM [Ho et al, 2020] Data generation process, reverse process

    (sampling direction) Di ff usion process, forward process (inference direction) Extremely slow training (100s GPU days)! Not a good fit to generative modelling with DP!

  68. Existing work on DP + Diffusion Models 30 • DP-DM:

    [Dockhorn et al, TMLR 23]: Train a small-ish DM with DP-SGD for datasets like MNIST/FashionMNIST (still requires 192 GPU days) • DP-Diffusion: [Ghalebikesabi et al. 23]: Fine-tune a pre-trained DM with DP-SGD. Performs well on CIFAR-10, CelebA32, Camelyon17. But the Unet is large, requiring fi ne-tuning 80 M parameters using DP-SGD seems awfully inef fi cient!

  69. Latent Diffusion Model (Stable Diffusion) 31 • We turn to

    Latent Diffusion Models, where Autoencoders maps high-dimensional pixels to lower-dimensional space to diffuse. Faster training (from 100s-1000s to 1-10s GPU days). [Rombach et al., CVPR 22]

  70. Latent Diffusion Model (Stable Diffusion) 31 • We turn to

    Latent Diffusion Models, where Autoencoders maps high-dimensional pixels to lower-dimensional space to diffuse. Faster training (from 100s-1000s to 1-10s GPU days). [Rombach et al., CVPR 22]

  71. DP-LDM 32 • Take a pre-trained LDM (pre-trained with ImageNet).

    • Update only attention modules with DP-SGD using private data (if conditioned generation, fi ne- tune conditioning embedder as well). [Lyu et al, submitted 2023]

  72. • Attention modules determine which features are more important to

    a given task / given a distribution. Fine-tuning weights for what to focus on seems to make sense. • LLMs: altering attention modules substantially alters the models’ behaviors [(Shi et al., 2023; Hu et al., 2021]. DMs: manipulating or fi ne-tuning attention modules yields a more targeted generation, e.g., targeted for a user- preference [Zhang et al., ICLR 24] and transferring to a target distribution [You & Zhao, 2023] 33 Intermediate representation Conditioning Why attention modules?

  73. Higher dimensional image data (32->256) 34 Transferring Imagenet -> CelebAHQ

    Takeaway: DP-LDM (fine- tuned attention modules) performs way better than DP-MEPF (static features)

  74. A bonus: DP text- to-image Generation 35 Training image Transferring

    LAION-400M -> MM-CelebAHQ Takeaway: DP-LDM’s generated images are realistic, yet far from training images!

  75. 36 Fun Slide What happened to Ann Graham Lotz?

  76. What happened to Ann Graham after fine-tuning DP-LDM with CelebA?

    37

  77. What happened to Ann Graham after fine-tuning DP-LDM with CelebA?

    37 Input Prompt: Ann Graham Generated images from DP-LDM

  78. Conclusion and Discussion 38 DP-LDM: greatly reduce the gap between

    DP and non-DP generative modelling, compared to existing methods.

  79. Conclusion and Discussion 38 DP-LDM: greatly reduce the gap between

    DP and non-DP generative modelling, compared to existing methods. What’s next?

  80. Conclusion and Discussion 38 DP-LDM: greatly reduce the gap between

    DP and non-DP generative modelling, compared to existing methods. Fine-tuning DMs is still annoying… Any other ways to use foundation models? Something like, e.g., DP-API [Lin et al, ICLR 2024] DP-histogram mechanism to generate synthetic data through the utilization of publicly accessible APIs What’s next?

  81. Conclusion and Discussion 38 DP-LDM: greatly reduce the gap between

    DP and non-DP generative modelling, compared to existing methods. Fine-tuning DMs is still annoying… Any other ways to use foundation models? Something like, e.g., DP-API [Lin et al, ICLR 2024] DP-histogram mechanism to generate synthetic data through the utilization of publicly accessible APIs What about Tabular data? What’s next?

  82. Thank you very much indeed! 39

  83. Backup slides 40

  84. 41 Benefits of kernel mean embeddings No information loss due

    to a selection of a certain statistic

  85. 41 Benefits of kernel mean embeddings No information loss due

    to a selection of a certain statistic Closed-form estimator :

  86. 41 Benefits of kernel mean embeddings No information loss due

    to a selection of a certain statistic Closed-form estimator : Pair-wise evaluation Of a kernel function Using samples drawn from P and Q

  87. 41 Benefits of kernel mean embeddings No information loss due

    to a selection of a certain statistic Closed-form estimator : Pair-wise evaluation Of a kernel function Using samples drawn from P and Q Needs privatization once

  88. 41 Benefits of kernel mean embeddings No information loss due

    to a selection of a certain statistic Closed-form estimator : Pair-wise evaluation Of a kernel function Using samples drawn from P and Q Needs privatization in every training step Needs privatization once

  89. Objective in Diffusion Models Surrogate Objective

  90. 43 DP-MEPF (imagenet -> celebA)

  91. 43 DP-MEPF (imagenet -> celebA) Takeaway: pre-trained perceptual features boost

    performance significantly.

  92. 44 DP-MERF on tabular data • Comparison metric: test accuracy

    under 12 downstream tasks. (model fitted to generated data & tested on real data)

  93. 44 DP-MERF on tabular data • Comparison metric: test accuracy

    under 12 downstream tasks. (model fitted to generated data & tested on real data)

  94. 44 DP-MERF on tabular data • Comparison metric: test accuracy

    under 12 downstream tasks. (model fitted to generated data & tested on real data)

  95. 44 DP-MERF on tabular data • Comparison metric: test accuracy

    under 12 downstream tasks. (model fitted to generated data & tested on real data) Multi-class & Heterogeneous data

  96. Detail in Random “Fourier” Features Applicable to any translation invariant

    kernels : Approximate via MC integration Bochner’s Theorem [Rahimi & Recht, 2018]

  97. Detail in Random “Fourier” Features Applicable to any translation invariant

    kernels : Approximate via MC integration Bochner’s Theorem Draw random frequencies Random features for Depending on the kernel [Rahimi & Recht, 2018]

  98. 46 Benefits of DP-MERF DP-GAN Type Work DP-MERF Privacy cost

    High: perturb high-dimensional gradients at every training step Low (hence, practical) : perturb first term once-for-all Sensitivity No analytic sensitivity: needs to search for optimal norm clipping bound (costly) Analytic sensitivity : RFs are norm bounded by construction Generating Input/output pairs Output (labels) assumed to be known. Generate outputs condition on inputs Learn joint distribution! By constructing a new kernel Heterogeneous data GANs not working well with mixed-data Simple! By constructing a new kernel [modelling tabular data using CGAN by Xu et al, 2019]

  99. 47 DP-MERF for generating input/output pairs [Harder et al, 2021]

    Generator learns joint distribution

  100. 47 DP-MERF for generating input/output pairs [Harder et al, 2021]

    Decompose G as Generator learns joint distribution

  101. 47 DP-MERF for generating input/output pairs [Harder et al, 2021]

    Decompose G as Generator learns joint distribution (1)

  102. 47 DP-MERF for generating input/output pairs [Harder et al, 2021]

    Decompose G as Generator learns joint distribution (1) (2)

  103. 47 DP-MERF for generating input/output pairs [Harder et al, 2021]

    Decompose G as Generator learns joint distribution (1) (2)

  104. 47 DP-MERF for generating input/output pairs [Harder et al, 2021]

    Decompose G as Generator learns joint distribution (1) (2) Product of two kernels:

  105. 47 DP-MERF for generating input/output pairs [Harder et al, 2021]

    Decompose G as Generator learns joint distribution (1) (2) Product of two kernels: Characteristic kernels [Szabo & Sriperumbudur18]

  106. 47 DP-MERF for generating input/output pairs [Harder et al, 2021]

    Decompose G as Generator learns joint distribution (1) (2) Product of two kernels: Characteristic kernels [Szabo & Sriperumbudur18] DP-Proportion to real data

  107. 47 DP-MERF for generating input/output pairs [Harder et al, 2021]

    Decompose G as Generator learns joint distribution (1) (2) Product of two kernels: Characteristic kernels [Szabo & Sriperumbudur18] DP-Proportion to real data DP-MERF

  108. 48 DP-LDM: Fine-tune Other parts

  109. 49 DP-LDM: LoRA