Tweet
Tweet

Slide 1

Slide 1 text

Confidential Customized for Lorem Ipsum LLC Version 1.0 Privacy-preserving data generation in the era of foundation models Mi Jung Park Applied Mathematics & Computer Science, Danmarks Tekniske Universitet (DTU) OT Workshop, Berlin March 15, 2024 1

Slide 2

Slide 2 text

Confidential Customized for Lorem Ipsum LLC Version 1.0 Students & Collaborator 2 Frederik Harder Saiyue Lyu Michael Lui Margarita Vinaroz Kamil Adamczewski Danica J Sutherland Milad Jalali

Slide 3

Slide 3 text

Data as a new kind of natural resource! 3 Data philanthropy “--- think of big data as a new kind of natural resource – infinitely renewable, increasingly ubiquitous – …Data has a social opportunity – and we have a social responsibility – … data reaches the people who need it most.”

Slide 4

Slide 4 text

Data as a new kind of natural resource! 3 Data philanthropy “--- think of big data as a new kind of natural resource – infinitely renewable, increasingly ubiquitous – …Data has a social opportunity – and we have a social responsibility – … data reaches the people who need it most.” •Great idea, but currently, a few large corporations can take advantage of data

Slide 5

Slide 5 text

Data as a new kind of natural resource! 3 Data philanthropy “--- think of big data as a new kind of natural resource – infinitely renewable, increasingly ubiquitous – …Data has a social opportunity – and we have a social responsibility – … data reaches the people who need it most.” •Great idea, but currently, a few large corporations can take advantage of data High-quality data locked in data servers

Slide 6

Slide 6 text

Data as a new kind of natural resource! 3 Data philanthropy “--- think of big data as a new kind of natural resource – infinitely renewable, increasingly ubiquitous – …Data has a social opportunity – and we have a social responsibility – … data reaches the people who need it most.” •Great idea, but currently, a few large corporations can take advantage of data High-quality data locked in data servers Privacy Regulations!

Slide 7

Slide 7 text

Synthetic Data 4 • Synthetic datasets are promised to preserve the statistical properties of the original data but “contain no personal data” • Why Useful : promote data sharing, debiasing, data augmentation, creating more “fair” datasets • Foundation models (e.g., Stable Diffusion, LLMs) for multi-modal synthetic data generation [Rajotte et al, iScience 22]

Slide 8

Slide 8 text

Synthetic data is not privacy-preserving! 5 • Memorising training data [Stadler et al., CSS 22] • Synthetic data is vulnerable to linkage attacks (link a synthetic data point to a single record in the original data) [Carlini et al., CSS 23]

Slide 9

Slide 9 text

Synthetic data is not privacy-preserving! 5 • Memorising training data [Stadler et al., CSS 22] • Synthetic data is vulnerable to linkage attacks (link a synthetic data point to a single record in the original data) [Carlini et al., CSS 23]

Slide 10

Slide 10 text

6 Privacy-preserving Algorithm Privacy-Sensitive Data Generated Data Release! How to create privacy-preserving synthetic data by utilizing pretrained large models?

Slide 11

Slide 11 text

6 Privacy-preserving Algorithm Privacy-Sensitive Data Generated Data Release! How to create privacy-preserving synthetic data by utilizing pretrained large models? Pre-trained Large Models

Slide 12

Slide 12 text

7 Privacy Definition

Slide 13

Slide 13 text

[Dwork 06] 8 D1 AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ D2 AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ A AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== Differential Privacy

Slide 14

Slide 14 text

[Dwork 06] 8 D1 AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ D2 AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ A AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== Differential Privacy • Privacy loss

Slide 15

Slide 15 text

[Dwork 06] 8 D1 AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ D2 AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ A AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== Differential Privacy • Privacy loss how well we can distinguish two datasets

Slide 16

Slide 16 text

[Dwork 06] 8 D1 AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ AAAB9HicbVDLSgMxFL1TX7W+qi7dBIvgqsyIoMuiLlxWsA9oh3InTdvQTGZMMoUy9DvcuFDErR/jzr8x085CWw8EDufcyz05QSy4Nq777RTW1jc2t4rbpZ3dvf2D8uFRU0eJoqxBIxGpdoCaCS5Zw3AjWDtWDMNAsFYwvs381oQpzSP5aKYx80McSj7gFI2V/G6IZkRRpHezntcrV9yqOwdZJV5OKpCj3it/dfsRTUImDRWodcdzY+OnqAyngs1K3USzGOkYh6xjqcSQaT+dh56RM6v0ySBS9klD5urvjRRDradhYCezkHrZy8T/vE5iBtd+ymWcGCbp4tAgEcREJGuA9Lli1IipJUgVt1kJHaFCamxPJVuCt/zlVdK8qHpu1Xu4rNRu8jqKcAKncA4eXEEN7qEODaDwBM/wCm/OxHlx3p2PxWjByXeO4Q+czx+iYZH+ D2 AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ AAAB9HicbVDLSgMxFL3js9ZX1aWbYBFclZki6LKoC5cV7APaoWTS2zY0kxmTTKEM/Q43LhRx68e482/MtLPQ1gOBwzn3ck9OEAuujet+O2vrG5tb24Wd4u7e/sFh6ei4qaNEMWywSESqHVCNgktsGG4EtmOFNAwEtoLxbea3Jqg0j+Sjmcboh3Qo+YAzaqzkd0NqRoyK9G7Wq/ZKZbfizkFWiZeTMuSo90pf3X7EkhClYYJq3fHc2PgpVYYzgbNiN9EYUzamQ+xYKmmI2k/noWfk3Cp9MoiUfdKQufp7I6Wh1tMwsJNZSL3sZeJ/Xicxg2s/5TJODEq2ODRIBDERyRogfa6QGTG1hDLFbVbCRlRRZmxPRVuCt/zlVdKsVjy34j1clms3eR0FOIUzuAAPrqAG91CHBjB4gmd4hTdn4rw4787HYnTNyXdO4A+czx+j5ZH/ A AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== AAAB6HicbVBNS8NAEJ3Ur1q/qh69LBbBU0lE0GPVi8cW7Ae0oWy2k3btZhN2N0IJ/QVePCji1Z/kzX/jts1BWx8MPN6bYWZekAiujet+O4W19Y3NreJ2aWd3b/+gfHjU0nGqGDZZLGLVCahGwSU2DTcCO4lCGgUC28H4bua3n1BpHssHM0nQj+hQ8pAzaqzUuOmXK27VnYOsEi8nFchR75e/eoOYpRFKwwTVuuu5ifEzqgxnAqelXqoxoWxMh9i1VNIItZ/ND52SM6sMSBgrW9KQufp7IqOR1pMosJ0RNSO97M3E/7xuasJrP+MySQ1KtlgUpoKYmMy+JgOukBkxsYQyxe2thI2ooszYbEo2BG/55VXSuqh6btVrXFZqt3kcRTiBUzgHD66gBvdQhyYwQHiGV3hzHp0X5935WLQWnHzmGP7A+fwBkt2MxQ== Differential Privacy • Privacy loss for all o and all pairs of datasets A is epsilon-DP if how well we can distinguish two datasets

Slide 17

Slide 17 text

Differential Privacy (continued) [Dwork 06] 9 • Approximate DP: A is (epsilon, delta)-DP if

Slide 18

Slide 18 text

Differential Privacy (continued) [Dwork 06] 9 DP holds w.p. • Approximate DP: A is (epsilon, delta)-DP if

Slide 19

Slide 19 text

Differential Privacy (continued) [Dwork 06] 9 DP holds w.p. noise variance • Approximate DP: A is (epsilon, delta)-DP if

Slide 20

Slide 20 text

Differential Privacy (continued) [Dwork 06] 9 DP holds w.p. noise variance sensitivity maximum over all pairs of datasets • Approximate DP: A is (epsilon, delta)-DP if

Slide 21

Slide 21 text

Differential Privacy (continued) [Dwork 06] 9 DP holds w.p. noise variance sensitivity maximum over all pairs of datasets • Privacy & Accuracy Trade-off: • Approximate DP: A is (epsilon, delta)-DP if

Slide 22

Slide 22 text

Properties of DP: Post-processing invariance 10 • Differential privacy is immune to post-processing: Sensitive Data epsilon-DP Algorithm

Slide 23

Slide 23 text

Properties of DP: Post-processing invariance 10 • Differential privacy is immune to post-processing: Sensitive Data epsilon-DP Algorithm Output Algorithm

Slide 24

Slide 24 text

Properties of DP: Post-processing invariance 10 • Differential privacy is immune to post-processing: Sensitive Data epsilon-DP Algorithm Output Algorithm epsilon-DP, With respect to Sensitive data!

Slide 25

Slide 25 text

Properties of DP: Composability 11 Sensitive Data epsilon1-DP Algorithm epsilon2-DP Algorithm Output1 Output2 • Union of output 1 & output 2 is (epsilon1+epsilon2)-DP!

Slide 26

Slide 26 text

Properties of DP: Composability 11 Sensitive Data epsilon1-DP Algorithm epsilon2-DP Algorithm Output1 Output2 • Union of output 1 & output 2 is (epsilon1+epsilon2)-DP! • More re fi ned composition methods, e.g., Moments accountant [Abadi et al,16]

Slide 27

Slide 27 text

12 DP Data Generation with Deep Learning

Slide 28

Slide 28 text

DP-fying GANs (Generative Adversarial Networks) [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019].

Slide 29

Slide 29 text

DP-fying GANs (Generative Adversarial Networks) [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. Random Input Generator (G) Generated Data Sample

Slide 30

Slide 30 text

DP-fying GANs (Generative Adversarial Networks) [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

Slide 31

Slide 31 text

DP-fying GANs (Generative Adversarial Networks) Loss [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

Slide 32

Slide 32 text

DP-fying GANs (Generative Adversarial Networks) Loss Only Discriminator sees Data. Perturb gradients of D [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

Slide 33

Slide 33 text

DP-fying GANs (Generative Adversarial Networks) Loss Only Discriminator sees Data. Perturb gradients of D [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. If D is DP, G: data-independent! Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

Slide 34

Slide 34 text

DP-fying GANs (Generative Adversarial Networks) Loss Only Discriminator sees Data. Perturb gradients of D [Park et al., 2018;Torkzadehmahani et al., 2019; Xie et al., 2018; Frigerio et al., 2019]. If D is DP, G: data-independent! DP-Generator by post-processing invariance of DP Random Input Generator (G) Generated Data Sample Discriminator (D) Real Data Sample

Slide 35

Slide 35 text

Differentially Private Stochastic Gradient Descent (DP-SGD) DP-Discriminator using DP-SGD : gt(xi) r✓t L(✓t, xi) AAACM3icbVDBattAFFylTZO6Sau0x16WmoILwUih0B5DciklhwRiO2AZ8bR+shevVmL3Ka0R+qdc+iM9FEoODSHX/kNXtgOt04GFYWYe+94khZKWguCnt/Ho8eaTre2nrWc7u89f+Hsv+zYvjcCeyFVuLhKwqKTGHklSeFEYhCxROEhmx40/uERjZa7PaV7gKIOJlqkUQE6K/c88yoCmSVpN6pg6X2P5jkcKUwJj8i880pAoiKuIpkgQU72MC1DVSd25V/d5Mxf77aAbLMAfknBF2myF09j/Ho1zUWaoSSiwdhgGBY0qMCSFwroVlRYLEDOY4NBRDRnaUbW4ueZvnTLmaW7c08QX6t8TFWTWzrPEJZuN7brXiP/zhiWlH0eV1EVJqMXyo7RUnHLeFMjH0qAgNXcEhJFuVy6mYECQq7nlSgjXT35I+gfdMOiGZ+/bh0erOrbZa/aGdVjIPrBD9omdsh4T7Ir9YL/YjffNu/ZuvbtldMNbzbxi/8D7/Qd58qtk AAACM3icbVDBattAFFylTZO6Sau0x16WmoILwUih0B5DciklhwRiO2AZ8bR+shevVmL3Ka0R+qdc+iM9FEoODSHX/kNXtgOt04GFYWYe+94khZKWguCnt/Ho8eaTre2nrWc7u89f+Hsv+zYvjcCeyFVuLhKwqKTGHklSeFEYhCxROEhmx40/uERjZa7PaV7gKIOJlqkUQE6K/c88yoCmSVpN6pg6X2P5jkcKUwJj8i880pAoiKuIpkgQU72MC1DVSd25V/d5Mxf77aAbLMAfknBF2myF09j/Ho1zUWaoSSiwdhgGBY0qMCSFwroVlRYLEDOY4NBRDRnaUbW4ueZvnTLmaW7c08QX6t8TFWTWzrPEJZuN7brXiP/zhiWlH0eV1EVJqMXyo7RUnHLeFMjH0qAgNXcEhJFuVy6mYECQq7nlSgjXT35I+gfdMOiGZ+/bh0erOrbZa/aGdVjIPrBD9omdsh4T7Ir9YL/YjffNu/ZuvbtldMNbzbxi/8D7/Qd58qtk AAACM3icbVDBattAFFylTZO6Sau0x16WmoILwUih0B5DciklhwRiO2AZ8bR+shevVmL3Ka0R+qdc+iM9FEoODSHX/kNXtgOt04GFYWYe+94khZKWguCnt/Ho8eaTre2nrWc7u89f+Hsv+zYvjcCeyFVuLhKwqKTGHklSeFEYhCxROEhmx40/uERjZa7PaV7gKIOJlqkUQE6K/c88yoCmSVpN6pg6X2P5jkcKUwJj8i880pAoiKuIpkgQU72MC1DVSd25V/d5Mxf77aAbLMAfknBF2myF09j/Ho1zUWaoSSiwdhgGBY0qMCSFwroVlRYLEDOY4NBRDRnaUbW4ueZvnTLmaW7c08QX6t8TFWTWzrPEJZuN7brXiP/zhiWlH0eV1EVJqMXyo7RUnHLeFMjH0qAgNXcEhJFuVy6mYECQq7nlSgjXT35I+gfdMOiGZ+/bh0erOrbZa/aGdVjIPrBD9omdsh4T7Ir9YL/YjffNu/ZuvbtldMNbzbxi/8D7/Qd58qtk AAACM3icbVDBattAFFylTZO6Sau0x16WmoILwUih0B5DciklhwRiO2AZ8bR+shevVmL3Ka0R+qdc+iM9FEoODSHX/kNXtgOt04GFYWYe+94khZKWguCnt/Ho8eaTre2nrWc7u89f+Hsv+zYvjcCeyFVuLhKwqKTGHklSeFEYhCxROEhmx40/uERjZa7PaV7gKIOJlqkUQE6K/c88yoCmSVpN6pg6X2P5jkcKUwJj8i880pAoiKuIpkgQU72MC1DVSd25V/d5Mxf77aAbLMAfknBF2myF09j/Ho1zUWaoSSiwdhgGBY0qMCSFwroVlRYLEDOY4NBRDRnaUbW4ueZvnTLmaW7c08QX6t8TFWTWzrPEJZuN7brXiP/zhiWlH0eV1EVJqMXyo7RUnHLeFMjH0qAgNXcEhJFuVy6mYECQq7nlSgjXT35I+gfdMOiGZ+/bh0erOrbZa/aGdVjIPrBD9omdsh4T7Ir9YL/YjffNu/ZuvbtldMNbzbxi/8D7/Qd58qtk ¯ gt gt(xi) max(1, kgt(xi)k2/C) AAACS3icbVBNTxsxFPSmBUL4SumRi0WEFCQUdhESPSJy6TFIBCJlo9Wz4w0W3vXKfksTbff/ceHSW/9ELz0UVT3gfBwC6UiWRjPz9J6HZUpa9P2fXuXDx7X1jepmbWt7Z3ev/mn/1urccNHlWmnTY2CFkqnookQlepkRkDAl7thDe+rfPQpjpU5vcJKJQQKjVMaSAzopqrOQgSnCBPCexcWoLCOkoRIxgjH6Gw1jA3zJjrA5juRx6SSmx0UC47IZnNDwO13JODE6O20fl1G94bf8GegqCRakQRboRPUf4VDzPBEpcgXW9gM/w0EBBiVXoqyFuRUZ8AcYib6jKSTCDopZFyU9csqQxtq4lyKdqcsTBSTWThLmktOL7XtvKv7P6+cYfxkUMs1yFCmfL4pzRVHTabF0KI3gqCaOADfS3Ur5Pbj60NVfcyUE77+8Sm7PWoHfCq7PG5dXizqq5IAckiYJyAW5JF9Jh3QJJ0/kF/lDXrxn77f31/s3j1a8xcxn8gaVtVdbALSW AAACS3icbVBNTxsxFPSmBUL4SumRi0WEFCQUdhESPSJy6TFIBCJlo9Wz4w0W3vXKfksTbff/ceHSW/9ELz0UVT3gfBwC6UiWRjPz9J6HZUpa9P2fXuXDx7X1jepmbWt7Z3ev/mn/1urccNHlWmnTY2CFkqnookQlepkRkDAl7thDe+rfPQpjpU5vcJKJQQKjVMaSAzopqrOQgSnCBPCexcWoLCOkoRIxgjH6Gw1jA3zJjrA5juRx6SSmx0UC47IZnNDwO13JODE6O20fl1G94bf8GegqCRakQRboRPUf4VDzPBEpcgXW9gM/w0EBBiVXoqyFuRUZ8AcYib6jKSTCDopZFyU9csqQxtq4lyKdqcsTBSTWThLmktOL7XtvKv7P6+cYfxkUMs1yFCmfL4pzRVHTabF0KI3gqCaOADfS3Ur5Pbj60NVfcyUE77+8Sm7PWoHfCq7PG5dXizqq5IAckiYJyAW5JF9Jh3QJJ0/kF/lDXrxn77f31/s3j1a8xcxn8gaVtVdbALSW AAACS3icbVBNTxsxFPSmBUL4SumRi0WEFCQUdhESPSJy6TFIBCJlo9Wz4w0W3vXKfksTbff/ceHSW/9ELz0UVT3gfBwC6UiWRjPz9J6HZUpa9P2fXuXDx7X1jepmbWt7Z3ev/mn/1urccNHlWmnTY2CFkqnookQlepkRkDAl7thDe+rfPQpjpU5vcJKJQQKjVMaSAzopqrOQgSnCBPCexcWoLCOkoRIxgjH6Gw1jA3zJjrA5juRx6SSmx0UC47IZnNDwO13JODE6O20fl1G94bf8GegqCRakQRboRPUf4VDzPBEpcgXW9gM/w0EBBiVXoqyFuRUZ8AcYib6jKSTCDopZFyU9csqQxtq4lyKdqcsTBSTWThLmktOL7XtvKv7P6+cYfxkUMs1yFCmfL4pzRVHTabF0KI3gqCaOADfS3Ur5Pbj60NVfcyUE77+8Sm7PWoHfCq7PG5dXizqq5IAckiYJyAW5JF9Jh3QJJ0/kF/lDXrxn77f31/s3j1a8xcxn8gaVtVdbALSW AAACS3icbVBNTxsxFPSmBUL4SumRi0WEFCQUdhESPSJy6TFIBCJlo9Wz4w0W3vXKfksTbff/ceHSW/9ELz0UVT3gfBwC6UiWRjPz9J6HZUpa9P2fXuXDx7X1jepmbWt7Z3ev/mn/1urccNHlWmnTY2CFkqnookQlepkRkDAl7thDe+rfPQpjpU5vcJKJQQKjVMaSAzopqrOQgSnCBPCexcWoLCOkoRIxgjH6Gw1jA3zJjrA5juRx6SSmx0UC47IZnNDwO13JODE6O20fl1G94bf8GegqCRakQRboRPUf4VDzPBEpcgXW9gM/w0EBBiVXoqyFuRUZ8AcYib6jKSTCDopZFyU9csqQxtq4lyKdqcsTBSTWThLmktOL7XtvKv7P6+cYfxkUMs1yFCmfL4pzRVHTabF0KI3gqCaOADfS3Ur5Pbj60NVfcyUE77+8Sm7PWoHfCq7PG5dXizqq5IAckiYJyAW5JF9Jh3QJJ0/kF/lDXrxn77f31/s3j1a8xcxn8gaVtVdbALSW ˜ gt 1 L X i ⇥ ¯ gt(xi) + N(0, 2C2I) ⇤ AAACZnicbVFNa9wwEJXdr2TbptuEkkMvQ5fChpbFDoH0GJpLCyUkkE0Ca9eMtbJXRLKNNG67CP/J3nrupT+j2o9DvgYGHu/NY0ZPeaOkpSj6E4SPHj95+mxjs/f8xcutV/3X2xe2bg0XY16r2lzlaIWSlRiTJCWuGiNQ50pc5tfHC/3yhzBW1tU5zRuRaiwrWUiO5Kms30FCUk2FSzTSLC9c2XUZQaJEQWhM/ROSwiB3cee++Vnb6kyu1AkkOZrbvuGvTO4BfABY0hyVO+mG0UdvlKXG7/tw7PvrHiRGljNKs/4gGkXLgvsgXoMBW9dp1v+dTGvealERV2jtJI4aSh0aklyJrpe0VjTIr7EUEw8r1MKmbhlTB+89M4WiNr4rgiV70+FQWzvXuZ9cXG/vagvyIW3SUvEpdbJqWhIVXy0qWgVUwyJzmEojOKm5B8iN9LcCn6GPlfzP9HwI8d0n3wcX+6M4GsVnB4Ojz+s4Nthb9o4NWcwO2RH7wk7ZmHH2N9gMtoOd4F+4Fb4Jd1ejYbD27LBbFcJ/eg63ig== AAACZnicbVFNa9wwEJXdr2TbptuEkkMvQ5fChpbFDoH0GJpLCyUkkE0Ca9eMtbJXRLKNNG67CP/J3nrupT+j2o9DvgYGHu/NY0ZPeaOkpSj6E4SPHj95+mxjs/f8xcutV/3X2xe2bg0XY16r2lzlaIWSlRiTJCWuGiNQ50pc5tfHC/3yhzBW1tU5zRuRaiwrWUiO5Kms30FCUk2FSzTSLC9c2XUZQaJEQWhM/ROSwiB3cee++Vnb6kyu1AkkOZrbvuGvTO4BfABY0hyVO+mG0UdvlKXG7/tw7PvrHiRGljNKs/4gGkXLgvsgXoMBW9dp1v+dTGvealERV2jtJI4aSh0aklyJrpe0VjTIr7EUEw8r1MKmbhlTB+89M4WiNr4rgiV70+FQWzvXuZ9cXG/vagvyIW3SUvEpdbJqWhIVXy0qWgVUwyJzmEojOKm5B8iN9LcCn6GPlfzP9HwI8d0n3wcX+6M4GsVnB4Ojz+s4Nthb9o4NWcwO2RH7wk7ZmHH2N9gMtoOd4F+4Fb4Jd1ejYbD27LBbFcJ/eg63ig== AAACZnicbVFNa9wwEJXdr2TbptuEkkMvQ5fChpbFDoH0GJpLCyUkkE0Ca9eMtbJXRLKNNG67CP/J3nrupT+j2o9DvgYGHu/NY0ZPeaOkpSj6E4SPHj95+mxjs/f8xcutV/3X2xe2bg0XY16r2lzlaIWSlRiTJCWuGiNQ50pc5tfHC/3yhzBW1tU5zRuRaiwrWUiO5Kms30FCUk2FSzTSLC9c2XUZQaJEQWhM/ROSwiB3cee++Vnb6kyu1AkkOZrbvuGvTO4BfABY0hyVO+mG0UdvlKXG7/tw7PvrHiRGljNKs/4gGkXLgvsgXoMBW9dp1v+dTGvealERV2jtJI4aSh0aklyJrpe0VjTIr7EUEw8r1MKmbhlTB+89M4WiNr4rgiV70+FQWzvXuZ9cXG/vagvyIW3SUvEpdbJqWhIVXy0qWgVUwyJzmEojOKm5B8iN9LcCn6GPlfzP9HwI8d0n3wcX+6M4GsVnB4Ojz+s4Nthb9o4NWcwO2RH7wk7ZmHH2N9gMtoOd4F+4Fb4Jd1ejYbD27LBbFcJ/eg63ig== AAACZnicbVFNa9wwEJXdr2TbptuEkkMvQ5fChpbFDoH0GJpLCyUkkE0Ca9eMtbJXRLKNNG67CP/J3nrupT+j2o9DvgYGHu/NY0ZPeaOkpSj6E4SPHj95+mxjs/f8xcutV/3X2xe2bg0XY16r2lzlaIWSlRiTJCWuGiNQ50pc5tfHC/3yhzBW1tU5zRuRaiwrWUiO5Kms30FCUk2FSzTSLC9c2XUZQaJEQWhM/ROSwiB3cee++Vnb6kyu1AkkOZrbvuGvTO4BfABY0hyVO+mG0UdvlKXG7/tw7PvrHiRGljNKs/4gGkXLgvsgXoMBW9dp1v+dTGvealERV2jtJI4aSh0aklyJrpe0VjTIr7EUEw8r1MKmbhlTB+89M4WiNr4rgiV70+FQWzvXuZ9cXG/vagvyIW3SUvEpdbJqWhIVXy0qWgVUwyJzmEojOKm5B8iN9LcCn6GPlfzP9HwI8d0n3wcX+6M4GsVnB4Ojz+s4Nthb9o4NWcwO2RH7wk7ZmHH2N9gMtoOd4F+4Fb4Jd1ejYbD27LBbFcJ/eg63ig== [Abadi et al 2016]. Discriminator parameters Sample-wise gradient has limited sensitivity

Slide 36

Slide 36 text

Challenge I: privatising entire Discriminator network during many steps of training results in High privacy loss, due to composability of DP Challenge II: Larger models (generally) have poor accuracy-privacy trade-offs, because noise scale (roughly) grows linearly with # parameters.

Slide 37

Slide 37 text

Challenge I: privatising entire Discriminator network during many steps of training results in High privacy loss, due to composability of DP Challenge II: Larger models (generally) have poor accuracy-privacy trade-offs, because noise scale (roughly) grows linearly with # parameters. Kernel Mean Embedding Discriminator (D) Can we use a simpler “Discriminator” that allows us to add noise only once?

Slide 38

Slide 38 text

16 Differentially Private Kernel Mean Embeddings For Data Generation

Slide 39

Slide 39 text

17 how close is P from Q? Real data Synthetic data Given Kernel Mean Embedding (ME)

Slide 40

Slide 40 text

17 how close is P from Q? Real data Synthetic data Given probability space Kernel Mean Embedding (ME)

Slide 41

Slide 41 text

17 how close is P from Q? Real data Synthetic data Given probability space inf. dim. features reproducing kernel Hilbert space Kernel Mean Embedding (ME)

Slide 42

Slide 42 text

17 how close is P from Q? Real data Synthetic data Given probability space inf. dim. features reproducing kernel Hilbert space Kernel Mean Embedding (ME)

Slide 43

Slide 43 text

17 how close is P from Q? Real data Synthetic data Given probability space inf. dim. features reproducing kernel Hilbert space Kernel Mean Embedding (ME) Maximum mean discrepancy [Gretton et al, 2012]

Slide 44

Slide 44 text

17 kernel characteristic how close is P from Q? Real data Synthetic data Given probability space inf. dim. features reproducing kernel Hilbert space Kernel Mean Embedding (ME) Maximum mean discrepancy [Gretton et al, 2012]

Slide 45

Slide 45 text

18 Infinite-dimensional Mean Embedding

Slide 46

Slide 46 text

18 Infinite-dimensional Mean Embedding Only this term access Data, but the feature is infinite-dimensional! Sample average

Slide 47

Slide 47 text

18 Infinite-dimensional Mean Embedding Only this term access Data, but the feature is infinite-dimensional! Sample average The sensitivity of the mean embedding is unbounded! maximum over all pairs of datasets

Slide 48

Slide 48 text

19 Finite-dimensional approximation : random Fourier features Finite-dimensional features such that

Slide 49

Slide 49 text

19 Finite-dimensional approximation : random Fourier features Approximation error under RF [Sutherland & Schneider15] [Rahimi & Recht, 2018] Finite-dimensional features such that

Slide 50

Slide 50 text

19 Finite-dimensional approximation : random Fourier features Approximation error under RF [Sutherland & Schneider15] [Rahimi & Recht, 2018] Finite-dimensional features such that

Slide 51

Slide 51 text

19 Finite-dimensional approximation : random Fourier features Perturb MERF With Gaussian noise Approximation error under RF [Sutherland & Schneider15] [Rahimi & Recht, 2018] Finite-dimensional features such that

Slide 52

Slide 52 text

19 Finite-dimensional approximation : random Fourier features Perturb MERF With Gaussian noise Approximation error under RF [Sutherland & Schneider15] [Rahimi & Recht, 2018] Finite-dimensional features such that DP-MERF [Harder et al, AISTATS 2021]

Slide 53

Slide 53 text

20 DP-MERF on tabular data ROC: receiver operating characteristics PRC: precision recall curve F1 score: harmonic mean of precision and recall [DP-CGAN by Torkzadehmahani et al., 2019] Evaluation: Train 12-classifiers using Synthetic data; and Test them on Real test data ROC PRC ROC PRC ROC PRC

Slide 54

Slide 54 text

20 DP-MERF on tabular data ROC: receiver operating characteristics PRC: precision recall curve F1 score: harmonic mean of precision and recall [DP-CGAN by Torkzadehmahani et al., 2019] • Takeaway: The kernel-based method (DP-MERF) performs better than DP-CGAN at a small privacy budget (epsilon=1) Evaluation: Train 12-classifiers using Synthetic data; and Test them on Real test data ROC PRC ROC PRC ROC PRC

Slide 55

Slide 55 text

20 DP-MERF on tabular data ROC: receiver operating characteristics PRC: precision recall curve F1 score: harmonic mean of precision and recall [DP-CGAN by Torkzadehmahani et al., 2019] • Takeaway: The kernel-based method (DP-MERF) performs better than DP-CGAN at a small privacy budget (epsilon=1) Evaluation: Train 12-classifiers using Synthetic data; and Test them on Real test data ROC PRC ROC PRC ROC PRC • Later work: DP-HP (Hermite Polynomials) [Vinaroz et al, ICML 2022]

Slide 56

Slide 56 text

21 But when applied to CIFAR10 data

Slide 57

Slide 57 text

21 But when applied to CIFAR10 data

Slide 58

Slide 58 text

22 Could there be more expressive features we could use?

Slide 59

Slide 59 text

23 Perceptual features [Zhang et al, CVPR 2018] • Unlike traditional metrics (L2/SNR, etc), embedding using the features of VGG networks trained on ImageNet classi fi cation agrees surprisingly well with human’s perceptual similarity. [Dos Santos et al, ICCV 2019] • Generative modelling via Moment matching using perceptual features

Slide 60

Slide 60 text

24 DP-MEPF (perceptual features) [Harder et al, TMLR 2023] Pre-trained VGG19 Using Gaussian mechanism • MMD is a well-de fi ned metric if PFs are universal features. • A bit murky: Empirically, in transfer learning, features from ImageNet pretrained VGG/ResNet can express any functions for a downstream task by fi nding a linear weight in their span, which follows the de fi nition of universal feature [Charles et al, JMLR 06]

Slide 61

Slide 61 text

25 More theoretical analyses in the paper Assuming PFs are universal features, • Second term goes to zero for good generators • At a given DP-level, sigma is constant, but the error is small if D (PF dimension) is smaller than m^2 (private data size). In CIFAR10, m=50k and D=300k.

Slide 62

Slide 62 text

26 DP-MEPF (Imagenet -> CIFAR10)

Slide 63

Slide 63 text

Summary of DP-MEPF 27 A simple & practical algorithm for DP data generation using mean embeddings with perceptual features, a good accuracy-privacy trade-off!

Slide 64

Slide 64 text

Summary of DP-MEPF 27 First time, being able to generate datasets like CIFAR10 with DP! A simple & practical algorithm for DP data generation using mean embeddings with perceptual features, a good accuracy-privacy trade-off!

Slide 65

Slide 65 text

Summary of DP-MEPF 27 First time, being able to generate datasets like CIFAR10 with DP! A simple & practical algorithm for DP data generation using mean embeddings with perceptual features, a good accuracy-privacy trade-off! Could we use better generative models (e.g., diffusion models), and adjust features for private data via fine-tuning, so we can generate more complex data beyond CIFAR10? But static (not adapted to private data) features are somewhat limited

Slide 66

Slide 66 text

28 Differentially Private (Latent) Diffusion Models For Data Generation

Slide 67

Slide 67 text

DDPM [Ho et al, 2020] Data generation process, reverse process (sampling direction) Di ff usion process, forward process (inference direction) Extremely slow training (100s GPU days)! Not a good fit to generative modelling with DP!

Slide 68

Slide 68 text

Existing work on DP + Diffusion Models 30 • DP-DM: [Dockhorn et al, TMLR 23]: Train a small-ish DM with DP-SGD for datasets like MNIST/FashionMNIST (still requires 192 GPU days) • DP-Diffusion: [Ghalebikesabi et al. 23]: Fine-tune a pre-trained DM with DP-SGD. Performs well on CIFAR-10, CelebA32, Camelyon17. But the Unet is large, requiring fi ne-tuning 80 M parameters using DP-SGD seems awfully inef fi cient!

Slide 69

Slide 69 text

Latent Diffusion Model (Stable Diffusion) 31 • We turn to Latent Diffusion Models, where Autoencoders maps high-dimensional pixels to lower-dimensional space to diffuse. Faster training (from 100s-1000s to 1-10s GPU days). [Rombach et al., CVPR 22]

Slide 70

Slide 70 text

Latent Diffusion Model (Stable Diffusion) 31 • We turn to Latent Diffusion Models, where Autoencoders maps high-dimensional pixels to lower-dimensional space to diffuse. Faster training (from 100s-1000s to 1-10s GPU days). [Rombach et al., CVPR 22]

Slide 71

Slide 71 text

DP-LDM 32 • Take a pre-trained LDM (pre-trained with ImageNet). • Update only attention modules with DP-SGD using private data (if conditioned generation, fi ne- tune conditioning embedder as well). [Lyu et al, submitted 2023]

Slide 72

Slide 72 text

• Attention modules determine which features are more important to a given task / given a distribution. Fine-tuning weights for what to focus on seems to make sense. • LLMs: altering attention modules substantially alters the models’ behaviors [(Shi et al., 2023; Hu et al., 2021]. DMs: manipulating or fi ne-tuning attention modules yields a more targeted generation, e.g., targeted for a user- preference [Zhang et al., ICLR 24] and transferring to a target distribution [You & Zhao, 2023] 33 Intermediate representation Conditioning Why attention modules?

Slide 73

Slide 73 text

Higher dimensional image data (32->256) 34 Transferring Imagenet -> CelebAHQ Takeaway: DP-LDM (fine- tuned attention modules) performs way better than DP-MEPF (static features)

Slide 74

Slide 74 text

A bonus: DP text- to-image Generation 35 Training image Transferring LAION-400M -> MM-CelebAHQ Takeaway: DP-LDM’s generated images are realistic, yet far from training images!

Slide 75

Slide 75 text

36 Fun Slide What happened to Ann Graham Lotz?

Slide 76

Slide 76 text

What happened to Ann Graham after fine-tuning DP-LDM with CelebA? 37

Slide 77

Slide 77 text

What happened to Ann Graham after fine-tuning DP-LDM with CelebA? 37 Input Prompt: Ann Graham Generated images from DP-LDM

Slide 78

Slide 78 text

Conclusion and Discussion 38 DP-LDM: greatly reduce the gap between DP and non-DP generative modelling, compared to existing methods.

Slide 79

Slide 79 text

Conclusion and Discussion 38 DP-LDM: greatly reduce the gap between DP and non-DP generative modelling, compared to existing methods. What’s next?

Slide 80

Slide 80 text

Conclusion and Discussion 38 DP-LDM: greatly reduce the gap between DP and non-DP generative modelling, compared to existing methods. Fine-tuning DMs is still annoying… Any other ways to use foundation models? Something like, e.g., DP-API [Lin et al, ICLR 2024] DP-histogram mechanism to generate synthetic data through the utilization of publicly accessible APIs What’s next?

Slide 81

Slide 81 text

Conclusion and Discussion 38 DP-LDM: greatly reduce the gap between DP and non-DP generative modelling, compared to existing methods. Fine-tuning DMs is still annoying… Any other ways to use foundation models? Something like, e.g., DP-API [Lin et al, ICLR 2024] DP-histogram mechanism to generate synthetic data through the utilization of publicly accessible APIs What about Tabular data? What’s next?

Slide 82

Slide 82 text

Thank you very much indeed! 39

Slide 83

Slide 83 text

Backup slides 40

Slide 84

Slide 84 text

41 Benefits of kernel mean embeddings No information loss due to a selection of a certain statistic

Slide 85

Slide 85 text

41 Benefits of kernel mean embeddings No information loss due to a selection of a certain statistic Closed-form estimator :

Slide 86

Slide 86 text

41 Benefits of kernel mean embeddings No information loss due to a selection of a certain statistic Closed-form estimator : Pair-wise evaluation Of a kernel function Using samples drawn from P and Q

Slide 87

Slide 87 text

41 Benefits of kernel mean embeddings No information loss due to a selection of a certain statistic Closed-form estimator : Pair-wise evaluation Of a kernel function Using samples drawn from P and Q Needs privatization once

Slide 88

Slide 88 text

41 Benefits of kernel mean embeddings No information loss due to a selection of a certain statistic Closed-form estimator : Pair-wise evaluation Of a kernel function Using samples drawn from P and Q Needs privatization in every training step Needs privatization once

Slide 89

Slide 89 text

Objective in Diffusion Models Surrogate Objective

Slide 90

Slide 90 text

43 DP-MEPF (imagenet -> celebA)

Slide 91

Slide 91 text

43 DP-MEPF (imagenet -> celebA) Takeaway: pre-trained perceptual features boost performance significantly.

Slide 92

Slide 92 text

44 DP-MERF on tabular data • Comparison metric: test accuracy under 12 downstream tasks. (model fitted to generated data & tested on real data)

Slide 93

Slide 93 text

44 DP-MERF on tabular data • Comparison metric: test accuracy under 12 downstream tasks. (model fitted to generated data & tested on real data)

Slide 94

Slide 94 text

44 DP-MERF on tabular data • Comparison metric: test accuracy under 12 downstream tasks. (model fitted to generated data & tested on real data)

Slide 95

Slide 95 text

44 DP-MERF on tabular data • Comparison metric: test accuracy under 12 downstream tasks. (model fitted to generated data & tested on real data) Multi-class & Heterogeneous data

Slide 96

Slide 96 text

Detail in Random “Fourier” Features Applicable to any translation invariant kernels : Approximate via MC integration Bochner’s Theorem [Rahimi & Recht, 2018]

Slide 97

Slide 97 text

Detail in Random “Fourier” Features Applicable to any translation invariant kernels : Approximate via MC integration Bochner’s Theorem Draw random frequencies Random features for Depending on the kernel [Rahimi & Recht, 2018]

Slide 98

Slide 98 text

46 Benefits of DP-MERF DP-GAN Type Work DP-MERF Privacy cost High: perturb high-dimensional gradients at every training step Low (hence, practical) : perturb first term once-for-all Sensitivity No analytic sensitivity: needs to search for optimal norm clipping bound (costly) Analytic sensitivity : RFs are norm bounded by construction Generating Input/output pairs Output (labels) assumed to be known. Generate outputs condition on inputs Learn joint distribution! By constructing a new kernel Heterogeneous data GANs not working well with mixed-data Simple! By constructing a new kernel [modelling tabular data using CGAN by Xu et al, 2019]

Slide 99

Slide 99 text

47 DP-MERF for generating input/output pairs [Harder et al, 2021] Generator learns joint distribution

Slide 100

Slide 100 text

47 DP-MERF for generating input/output pairs [Harder et al, 2021] Decompose G as Generator learns joint distribution

Slide 101

Slide 101 text

47 DP-MERF for generating input/output pairs [Harder et al, 2021] Decompose G as Generator learns joint distribution (1)

Slide 102

Slide 102 text

47 DP-MERF for generating input/output pairs [Harder et al, 2021] Decompose G as Generator learns joint distribution (1) (2)

Slide 103

Slide 103 text

47 DP-MERF for generating input/output pairs [Harder et al, 2021] Decompose G as Generator learns joint distribution (1) (2)

Slide 104

Slide 104 text

47 DP-MERF for generating input/output pairs [Harder et al, 2021] Decompose G as Generator learns joint distribution (1) (2) Product of two kernels:

Slide 105

Slide 105 text

47 DP-MERF for generating input/output pairs [Harder et al, 2021] Decompose G as Generator learns joint distribution (1) (2) Product of two kernels: Characteristic kernels [Szabo & Sriperumbudur18]

Slide 106

Slide 106 text

47 DP-MERF for generating input/output pairs [Harder et al, 2021] Decompose G as Generator learns joint distribution (1) (2) Product of two kernels: Characteristic kernels [Szabo & Sriperumbudur18] DP-Proportion to real data

Slide 107

Slide 107 text

47 DP-MERF for generating input/output pairs [Harder et al, 2021] Decompose G as Generator learns joint distribution (1) (2) Product of two kernels: Characteristic kernels [Szabo & Sriperumbudur18] DP-Proportion to real data DP-MERF

Slide 108

Slide 108 text

48 DP-LDM: Fine-tune Other parts

Slide 109

Slide 109 text

49 DP-LDM: LoRA