Deep Learning with Label Differential Privacy
About
The Randomized Response (RR) algorithm is a classical technique to improve robustness in survey aggregation, and has been widely adopted in applications with differential privacy guarantees. We propose a novel algorithm, Randomized Response with Prior (RRWithPrior), which can provide more accurate results while maintaining the same level of privacy guaranteed by RR. We then apply RRWithPrior to learn neural networks with label differential privacy (LabelDP), and show that when only the label needs to be protected, the model performance can be significantly improved over the previous state-of-the-art private baselines. Moreover, we study different ways to obtain priors, which when used with RRWithPrior can additionally improve the model performance, further reducing the accuracy gap between private and non-private models. We complement the empirical results with theoretical analysis showing that LabelDP is provably easier than protecting both the inputs and labels.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Image Classification | CIFAR-100 (test) | Accuracy74.1 | 3518 | |
| Image Classification | CIFAR-10 (test) | Accuracy95.25 | 906 | |
| Image Classification | MNIST (test) | Accuracy99.33 | 882 | |
| Image Classification | Fashion MNIST (test) | Accuracy94.28 | 568 | |
| Image Classification | CIFAR-100 (test) | Top-1 Acc74.14 | 275 | |
| Collaborative Filtering | MovieLens 1M (test) | RMSE0.865 | 25 | |
| Image Classification | CelebA-G (test) | -- | 12 | |
| Image Classification | CelebA-H (test) | -- | 11 |