On the Privacy Properties of GAN-generated Samples
This work addresses privacy concerns for users of GANs in data generation, providing theoretical guarantees that are incremental to existing privacy-focused training algorithms.
The paper tackles the privacy implications of GAN-generated samples by proving that under certain assumptions, these samples inherently satisfy weak differential privacy guarantees, with delta scaling as O(n/m), and show robustness to membership inference attacks, limiting the adversary's ROC AUC to O(m^{-1/4}).
The privacy implications of generative adversarial networks (GANs) are a topic of great interest, leading to several recent algorithms for training GANs with privacy guarantees. By drawing connections to the generalization properties of GANs, we prove that under some assumptions, GAN-generated samples inherently satisfy some (weak) privacy guarantees. First, we show that if a GAN is trained on m samples and used to generate n samples, the generated samples are (epsilon, delta)-differentially-private for (epsilon, delta) pairs where delta scales as O(n/m). We show that under some special conditions, this upper bound is tight. Next, we study the robustness of GAN-generated samples to membership inference attacks. We model membership inference as a hypothesis test in which the adversary must determine whether a given sample was drawn from the training dataset or from the underlying data distribution. We show that this adversary can achieve an area under the ROC curve that scales no better than O(m^{-1/4}).