I'm working at the intersection of TensorFlow Federated (TFF) and TensorFlow Privacy (TFP). I'm trying to train a differentially private federated model for a certain number of rounds, attaching a DP-query to ensure central, user-level privacy.
In the TFF and TFP examples and tutorials I came across, the privacy budget is always evaluated post hoc: the model is trained first, and then the RDP accountant is used to approximate the privacy budget that was spent.
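For concreteness, here is a minimal sketch of that post-hoc style of accounting (my own illustration, not taken from the tutorials) for a non-subsampled Gaussian mechanism. It uses the standard RDP facts: a Gaussian mechanism with noise multiplier z is (alpha, alpha / (2 z^2))-RDP, RDP composes additively over rounds, and an (alpha, eps_rdp)-RDP guarantee converts to (eps_rdp + log(1/delta) / (alpha - 1), delta)-DP:

```python
import numpy as np

def eps_after_k_rounds(noise_multiplier, k, delta, alphas=None):
    """Post-hoc (eps, delta)-DP estimate for k compositions of a
    full-participation Gaussian mechanism with the given noise multiplier.

    Per round the mechanism is (alpha, alpha / (2 z^2))-RDP; RDP adds up
    over k rounds, and the result is converted to (eps, delta)-DP by
    minimizing over a grid of RDP orders alpha.
    """
    if alphas is None:
        alphas = np.linspace(1.01, 200.0, 5000)  # grid of RDP orders
    rdp = k * alphas / (2.0 * noise_multiplier ** 2)   # composed RDP
    eps = rdp + np.log(1.0 / delta) / (alphas - 1.0)   # RDP -> DP conversion
    return float(np.min(eps))

# Example: 30 rounds, delta = 0.005
print(eps_after_k_rounds(noise_multiplier=1.0, k=30, delta=0.005))
```

This is the direction of computation I want to reverse: instead of reading off epsilon after training, I want to choose the noise multiplier from a target epsilon.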
In my case, I want to train the federated model for K rounds under a predefined privacy budget epsilon that is fixed before training.
For that, I'm using the Gaussian-mechanism bound below, taken from "The Algorithmic Foundations of Differential Privacy", to compute the required standard deviation of the added noise:

sigma = sqrt(2 * ln(1.25 / delta)) * l2_sensitivity / epsilon

The code snippet is below:
import numpy as np

num_users = 200
eps = 1.5
delta = num_users ** (-1)  # delta = 1/200 = 0.005
rounds = 30
sensitivity_bound = 0.6
# sigma chosen so that a single Gaussian-mechanism release satisfies (eps, delta)-DP
sigma = (np.sqrt(2 * np.log(1.25 / delta)) * sensitivity_bound) / eps
# noise_multiplier: ratio of the Gaussian noise stddev to the sensitivity bound
noise_multiplier = sigma / sensitivity_bound
dp_query = tff.utils.build_dp_query(
    clip=sensitivity_bound,
    noise_multiplier=noise_multiplier,
    expected_total_weight=num_users,
    adaptive_clip_learning_rate=0,
    target_unclipped_quantile=0.5,
    clipped_count_budget_allocation=0.1,
    expected_clients_per_round=num_users
)
weights_type = tff.learning.framework.weights_type_from_model(model_fn)
aggregation_process = tff.utils.build_dp_aggregate_process(weights_type.trainable, dp_query)
iterative_process = tff.learning.build_federated_averaging_process(
    model_fn=model_fn,
    client_optimizer_fn=lambda: tf.keras.optimizers.SGD(learning_rate=0.1),
    server_optimizer_fn=lambda: tf.keras.optimizers.SGD(learning_rate=1.0),
    aggregation_process=aggregation_process
)
I would assume that the noise_multiplier in the code above satisfies (1.5, 0.005)-DP for only one execution of the federated algorithm (one training round).
I would like to know how to adapt the sigma equation above (or apply a composition theorem) in the federated setting, in order to compute the noise_multiplier that satisfies a predefined (1.5, 0.005)-DP guarantee over K rounds.
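As a baseline, basic sequential composition (K mechanisms that are each (eps_0, delta_0)-DP compose to (K*eps_0, K*delta_0)-DP) gives one way to pick a per-round sigma. This is known to be loose compared to advanced composition or RDP accounting, but it illustrates the kind of computation I'm after; the classical Gaussian-mechanism bound requires eps_0 <= 1, which holds here:

```python
import numpy as np

eps_total = 1.5
delta_total = 0.005
rounds = 30
sensitivity_bound = 0.6

# Basic composition: split the total budget evenly across rounds.
eps_round = eps_total / rounds      # 0.05 per round
delta_round = delta_total / rounds  # ~1.67e-4 per round

# Classical Gaussian-mechanism bound, applied per round (valid since eps_round <= 1)
sigma = np.sqrt(2 * np.log(1.25 / delta_round)) * sensitivity_bound / eps_round
noise_multiplier = sigma / sensitivity_bound

print(sigma, noise_multiplier)
```

Is this the right way to do it, or should the per-round sigma instead come from inverting a tighter (advanced composition / RDP) bound?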
Thanks in advance
question from:
https://stackoverflow.com/questions/66065436/training-a-differentially-private-federated-model-with-a-predefined-privacy-guar