Is Private Learning Possible with Instance Encoding?

Nicholas Carlini, Samuel Deng, Sanjam Garg, Somesh Jha, Saeed Mahloujifar, Mohammad Mahmoody, Shuang Song, Abhradeep Thakurta and Florian Tramèr   (alphabetical author ordering)

IEEE Symposium on Security and Privacy (S&P) 2021

Previously presented at NeurIPS 2020 Workshop on Privacy Preserving Machine Learning (Oral presentation)


A private machine learning algorithm hides as much as possible about its training data while still preserving accuracy. In this work, we study whether a non-private learning algorithm can be made private by relying on an instance-encoding mechanism that modifies the training inputs before feeding them to a normal learner. We formalize both the notion of instance encoding and its privacy by providing two attack models. We first prove impossibility results for achieving a (stronger) model. Next, we demonstrate practical attacks in the second (weaker) attack model on InstaHide, a recent proposal by Huang, Song, Li and Arora [ICML’20] that aims to use instance encoding for privacy.

  author   =   {Carlini, Nicholas and Deng, Samuel and Garg, Sanjam and Jha, Somesh and Mahloujifar, Saeed and Mahmoody, Mohammad and Song, Shuang and Thakurta, Abhradeep and Tram{\`e}r, Florian},
  title   =   {Is Private Learning Possible with Instance Encoding?},
  booktitle   =   {IEEE Symposium on Security and Privacy (S\&P)},
  year   =   {2021},
  howpublished   =   {arXiv preprint arXiv:2011.05315},
  url   =   {}