Nicholas Carlini, Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Shuang Song, Abhradeep Thakurta and Florian Tramèr
IEEE Symposium on Security and Privacy (S&P) 2021
Previously presented at NeurIPS 2020 Workshop on Privacy Preserving Machine Learning (Oral presentation)
A private machine learning algorithm hides as much as possible about its training data while still preserving accuracy. In this work, we study whether a non-private learning algorithm can be made private by relying on an instance-encoding mechanism that modifies the training inputs before feeding them to a normal learner. We formalize both the notion of instance encoding and its privacy by providing two attack models. We first prove impossibility results for achieving privacy in the first (stronger) attack model. Next, we demonstrate practical attacks in the second (weaker) attack model on InstaHide, a recent proposal by Huang, Song, Li and Arora [ICML'20] that aims to use instance encoding for privacy.
@inproceedings{CDGJ+21,
  author       = {Carlini, Nicholas and Deng, Samuel and Garg, Sanjam and Jha, Somesh and Mahloujifar, Saeed and Mahmoody, Mohammad and Song, Shuang and Thakurta, Abhradeep and Tram{\`e}r, Florian},
  title        = {Is Private Learning Possible with Instance Encoding?},
  booktitle    = {IEEE Symposium on Security and Privacy (S\&P)},
  year         = {2021},
  howpublished = {arXiv preprint arXiv:2011.05315},
  url          = {https://arxiv.org/abs/2011.05315}
}