Spectral-DP: Differentially Private Deep Learning through Spectral Perturbation and Filtering
This work addresses privacy-utility trade-offs in deep learning for applications requiring data protection, though it is incremental as it builds on existing DP-SGD frameworks.
The authors tackled the utility cost of differentially private deep learning by introducing Spectral-DP, a method that perturbs gradients in the spectral domain with filtering, achieving uniformly better utility than DP-SGD in experiments on benchmark datasets.
Differential privacy is a widely accepted measure of privacy in the context of deep learning algorithms, and achieving it relies on a noisy training approach known as differentially private stochastic gradient descent (DP-SGD). DP-SGD requires direct noise addition to every gradient in a dense neural network, the privacy is achieved at a significant utility cost. In this work, we present Spectral-DP, a new differentially private learning approach which combines gradient perturbation in the spectral domain with spectral filtering to achieve a desired privacy guarantee with a lower noise scale and thus better utility. We develop differentially private deep learning methods based on Spectral-DP for architectures that contain both convolution and fully connected layers. In particular, for fully connected layers, we combine a block-circulant based spatial restructuring with Spectral-DP to achieve better utility. Through comprehensive experiments, we study and provide guidelines to implement Spectral-DP deep learning on benchmark datasets. In comparison with state-of-the-art DP-SGD based approaches, Spectral-DP is shown to have uniformly better utility performance in both training from scratch and transfer learning settings.