why l2_norm_clip is not the input of compute_dp_sgd_privacy function

tensorflow / privacy

Library for training machine learning models with privacy for training data

Apache License 2.0

1.95k stars 452 forks source link

why l2_norm_clip is not the input of compute_dp_sgd_privacy function #181

Closed YiheWang closed 2 years ago

YiheWang commented 2 years ago

Hi! I am confused about why l2_norm_clip is not the input of compute_dp_sgd_privacy function? I am new to differential privacy. In my understanding, l2_norm_clip is used to determine the sensitivity. And sensitivity is necessary to calculate privacy. Thank you for your reply in advance!

compute_dp_sgd_privacy.compute_dp_sgd_privacy(n=train_data.shape[0], batch_size=batch_size, noise_multiplier=noise_multiplier, epochs=epochs, delta=1e-5)

galenmandrew commented 2 years ago

Privacy is a function of the ratio of noise stddev to sensitivity, which we call "noise_multiplier". compute_dp_sgd_privacy could take both l2_clip_norm and noise_stddev as arguments, but the way it is done here is more general because it can accommodate, for example, adaptive clipping, where the l2_clip_norm and noise_stddev change during training but their ratio remains the same.

YiheWang commented 2 years ago

Thank you!

JeffffffFu commented 2 years ago

Why the RDP calculated where default sensitivity for D P is 1, and what if the sensitivity is not 1