Robust and Private Learning of Halfspaces
Badih Ghazi, Ravi Kumar, Pasin Manurangsi, Thao Nguyen
Google Research, Mountain View, CA
{badihghazi, ravi.k53}@gmail.com, {pasin, thaotn}@google.com
Abstract

In this work, we study the trade-off between differential privacy and adversarial robustness under $L_2$-perturbations in the context of learning halfspaces. We prove nearly tight bounds on the sample complexity of robust private learning of halfspaces for a large regime of parameters. A highlight of our results is that robust and private learning is harder than robust or private learning alone. We complement our theoretical analysis with experimental results on the MNIST and USPS datasets, for a learning algorithm that is both differentially private and adversarially robust.

1 Introduction

In this work, we study the interplay between two topics at the core of AI ethics and safety: privacy and robustness.

As modern machine learning models are trained on potentially sensitive data, there has been a tremendous interest in privacy-preserving training methods. Differential privacy (DP) (Dwork et al., 2006b,a) has emerged as the gold standard for rigorously tracking the privacy leakage of algorithms in general (see, e.g., Dwork and Roth, 2014; Vadhan, 2017, and the references therein), and machine learning models in particular (e.g., Abadi et al., 2016), resulting in several practical deployments in recent years (e.g., Erlingsson et al., 2014; Shankland, 2014; Greenberg, 2016; Apple Differential Privacy Team, 2017; Ding et al., 2017; Abowd, 2018).

Another vulnerability of machine learning models that has also been widely studied recently is with respect to adversarial manipulations of their inputs at test time, with the intention of causing classification errors (e.g., Dalvi et al., 2004; Biggio et al., 2013; Szegedy et al., 2014; Goodfellow et al., 2015; Papernot et al., 2016). Numerous methods have been proposed with the goal of training models that are robust to such adversarial attacks (e.g., Madry et al., 2018; Gowal et al., 2018, 2019; Schott et al., 2019), which in turn has led to new attacks being devised in order to fool these models (Athalye et al., 2018; Carlini and Wagner, 2018; Sharma and Chen, 2017). See (Kolter and Madry, 2018) for a recent tutorial on this topic.

Some recent work has suggested incorporating mechanisms from DP into neural network training to enhance adversarial robustness (Lecuyer et al., 2019; Phan et al., 2020, 2019). Given this existing interplay between DP and robustness, we seek to answer the following natural question:

Is achieving privacy and adversarial robustness harder than achieving either criterion alone?

Recent empirical work has provided mixed responses to this question (Song et al., 2019b,a; Hayes, 2020), reporting the success rate of membership inference attacks as a heuristic measure of privacy. Instead, using theoretical analysis and the strict guarantees offered by DP, we formally investigate this question in the classic setting of halfspace learning, and arrive at a near-complete picture.

Background. In order to present our results, we start by recalling some notions from robust learning in the PAC model. Let $\mathcal{C} \subseteq \{\pm 1\}^{\mathcal{X}}$ be a (Boolean) hypothesis class on an instance space $\mathcal{X} \subseteq \mathbb{R}^d$. A perturbation is defined by a function $P : \mathcal{X} \to 2^{\mathcal{X}}$, where $P(x) \subseteq \mathcal{X}$ denotes the set of allowable perturbed instances starting from an instance $x$. The robust risk of a hypothesis $h$ with respect to a distribution $\mathcal{D}$ on $\mathcal{X} \times \{\pm 1\}$ and perturbation $P$ is defined as
\[
\mathcal{R}_P(h, \mathcal{D}) = \Pr_{(x,y) \sim \mathcal{D}}[\exists z \in P(x),\ h(z) \neq y].
\]
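To unpack this definition (an added illustration, not verbatim from the paper): with the trivial perturbation $P(x) = \{x\}$, the robust risk is exactly the standard classification risk, and enlarging the perturbation sets can only increase it. In particular, whenever $x \in P(x)$,
\[
\Pr_{(x,y) \sim \mathcal{D}}[h(x) \neq y] \;\le\; \mathcal{R}_P(h, \mathcal{D}),
\]
so the robust risk always upper-bounds the standard risk.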
A distribution $\mathcal{D}$ is said to be realizable (with respect to $\mathcal{C}$ and $P$) iff there exists $h^* \in \mathcal{C}$ such that $\mathcal{R}_P(h^*, \mathcal{D}) = 0$. In the adversarially robust PAC learning problem, the learner is given i.i.d. samples from a realizable distribution $\mathcal{D}$ on $\mathcal{X} \times \{\pm 1\}$, and the goal is to output a hypothesis $h : \mathcal{X} \to \{\pm 1\}$ such that with probability $1 - \xi$ it holds that $\mathcal{R}_P(h, \mathcal{D}) \le \alpha$. We refer to $\xi$ as the failure probability and $\alpha$ as the accuracy parameter. A learner is said to be proper if the output hypothesis $h$ belongs to $\mathcal{C}$; otherwise, it is said to be improper.
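Note (an added remark, not verbatim from the paper) that realizability here is stronger than its standard PAC counterpart: the optimal hypothesis must be correct on every allowable perturbation, almost surely, since
\[
\mathcal{R}_P(h^*, \mathcal{D}) = 0 \iff \Pr_{(x,y) \sim \mathcal{D}}\big[\,h^*(z) = y \text{ for all } z \in P(x)\,\big] = 1.
\]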
We focus our study on the concept class of halfspaces, i.e., $\mathcal{C}_{\mathrm{halfspaces}} := \{h_w \mid w \in \mathbb{R}^d\}$ where $h_w(x) = \mathrm{sgn}(\langle w, x \rangle)$, in this model with respect to $L_2$ perturbations, i.e., $P_\gamma(x) := \{z \in \mathcal{X} : \|z - x\|_2 \le \gamma\}$ for a margin parameter $\gamma > 0$. We assume throughout that the domain of our functions is bounded in the $d$-dimensional Euclidean unit ball $\mathbb{B}^d := \{x \in \mathbb{R}^d \mid \|x\|_2 \le 1\}$. We also write $\mathcal{R}_\gamma$ as a shorthand for $\mathcal{R}_{P_\gamma}$. An algorithm is said to be a $(\gamma, \gamma')$-robust learner if, for any realizable distribution $\mathcal{D}$ with respect to $\mathcal{C}_{\mathrm{halfspaces}}$ and $P_\gamma$, using a certain number of samples, it outputs a hypothesis $h$ such that w.p. $1 - \xi$ we have $\mathcal{R}_{\gamma'}(h, \mathcal{D}) \le \alpha$, where $\alpha, \xi > 0$ are sufficiently smaller than some positive constant. We are especially interested in the case where $\gamma'$ is close to $\gamma$; for simplicity, we use $\gamma' = 0.9\gamma$ as a representative setting throughout. In robust learning, the main quantities of interest are the sample complexity, i.e., the minimum number of samples needed to learn, and the running time of the learning algorithm.

We use the standard terminology of DP. Recall that two datasets $X$ and $X'$ are neighbors if $X'$ results from adding or removing a single data point from $X$.

Definition 1 (Differential Privacy (DP) (Dwork et al., 2006b,a)). Let $\varepsilon, \delta \in \mathbb{R}_{\ge 0}$. A randomized algorithm $A$ taking as input a dataset is said to be $(\varepsilon, \delta)$-differentially private (denoted by $(\varepsilon, \delta)$-DP) if for any two neighboring datasets $X$ and $X'$, and for any subset $S$ of outputs of $A$, it is the case that $\Pr[A(X) \in S] \le e^{\varepsilon} \cdot \Pr[A(X') \in S] + \delta$. If $\delta = 0$, $A$ is said to be $\varepsilon$-differentially private (denoted by $\varepsilon$-DP).

As usual, $\varepsilon$ should be thought of as a small constant, whereas $\delta$ should be negligible in the dataset size. We refer to the case where $\delta = 0$ as pure-DP, and the case where $\delta > 0$ as approximate-DP.
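Before stating the results, the following standard calculation (an added illustration, not verbatim from the paper) may help build intuition for $\mathcal{R}_\gamma$ on halfspaces. For a unit-norm halfspace $h_w$ (i.e., $\|w\|_2 = 1$), the worst-case $L_2$ perturbation of $x$ against label $y$ is $z = x - \gamma y w$. Hence, ignoring the restriction that $z$ must lie in $\mathcal{X}$ and the sign convention exactly at the decision boundary,
\[
\exists z \in P_\gamma(x),\ h_w(z) \neq y \iff y \langle w, x \rangle \le \gamma,
\]
so that $\mathcal{R}_\gamma(h_w, \mathcal{D}) = \Pr_{(x,y) \sim \mathcal{D}}[\,y \langle w, x \rangle \le \gamma\,]$: the robust risk of a halfspace is the probability that its margin is at most $\gamma$.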
Our Results. We assume that $\varepsilon \le O(1)$ unless otherwise stated, and that $\gamma, \alpha, \xi > 0$ are sufficiently smaller than some positive constant. We will not state these assumptions explicitly here for simplicity; interested readers may refer to (the first lines of) the proofs for the exact upper bounds that are imposed.

We first prove that robust learning with pure-DP requires $\Omega(d)$ samples.

Theorem 2. Any $\varepsilon$-DP $(\gamma, 0.9\gamma)$-robust (possibly improper) learner has sample complexity $\Omega(d/\varepsilon)$.

In the private but non-robust setting (i.e., for an $\varepsilon$-DP $(\gamma, 0)$-robust learner²), Nguyen et al. (2020) showed that $O(1/\gamma^2)$ samples suffice. Together with earlier known results showing that $(\gamma, 0.9\gamma)$-robust learning (without privacy) only requires $O(1/\gamma^2)$ samples (e.g., Bartlett and Mendelson, 2002; Koltchinskii and Panchenko, 2002), our result gives a separation between robust private learning and private learning alone or robust learning alone, whenever $d \gg 1/\gamma^2$.

For the case of approximate-DP, we establish a lower bound of $\Omega(\min\{\sqrt{d}/\gamma, d\})$, which holds only against proper learners. As with Theorem 2 in the context of pure-DP, this result implies a similar separation in the approximate-DP proper learning setting.

Theorem 3. Let $\varepsilon < 1$. Any $(\varepsilon, o(1/n))$-DP $(\gamma, 0.9\gamma)$-robust proper learner has sample complexity $n = \Omega(\min\{\sqrt{d}/\gamma, d\})$.

Our proof technique can also be used to improve the lower bound for DP $(\gamma, 0)$-robust learning. Specifically, Nguyen et al. (2020) show an $\Omega(1/\gamma^2)$ lower bound for proper $(\gamma, 0)$-robust learners with pure-DP. We extend it to hold even for improper $(\gamma, 0)$-robust learners with approximate-DP:

Theorem 4. For any $\varepsilon > 0$, there exists $\delta > 0$ such that any $(\varepsilon, \delta)$-DP $(\gamma, 0)$-robust (possibly improper) learner has sample complexity $\Omega\big(\tfrac{1}{\gamma^2 \varepsilon}\big)$. Moreover, this holds even when $d = O(1/\gamma^2)$.

Finally, we provide algorithms with nearly matching upper bounds. For pure-DP, we prove the following, which matches the lower bound in Theorem 2 to within a constant factor when $d \ge 1/\gamma^2$.

Theorem 5. There is an $\varepsilon$-DP $(\gamma, 0.9\gamma)$-robust learner with sample complexity $O_\alpha\big(\tfrac{1}{\varepsilon} \cdot \max\{d, \tfrac{1}{\gamma^2}\}\big)$.³

For approximate-DP, it is already possible⁴ to achieve a sample complexity of $n = \tilde{O}_\alpha(\sqrt{d}/\gamma)$ (Nguyen et al., 2020; Bassily et al., 2014), but the running time is $\Omega(n^2 d)$.⁵ We give a faster algorithm with running time $O_\alpha(nd/\gamma)$.

²This means that the output hypothesis only needs to have a small classification error, but may have a large robust risk.
³Here $O_\alpha(\cdot)$ hides a factor of $\mathrm{poly}(1/\alpha)$, and $\tilde{O}(\cdot)$ hides …
⁴It is necessary to have $\gamma' <$ …
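To make the central quantity concrete, here is a minimal Python sketch (not the paper's algorithm; the helper name and synthetic data are hypothetical, and numpy is assumed) that evaluates the empirical robust risk of a halfspace under $P_\gamma$ via the margin characterization noted above, ignoring the restriction that perturbed points stay in the domain:

    import numpy as np

    def empirical_robust_risk(w, X, y, gamma):
        # By the margin characterization, an L2 adversary with budget gamma
        # can flip h_w on (x, y) iff y * <w, x> / ||w||_2 <= gamma.
        # Boundary points (margin exactly gamma) are counted as errors.
        w = np.asarray(w, dtype=float)
        margins = y * (X @ w) / np.linalg.norm(w)  # signed L2 margins
        return float(np.mean(margins <= gamma))

    # Hypothetical usage on synthetic, realizable data in the unit ball.
    rng = np.random.default_rng(0)
    d, n, gamma = 10, 1000, 0.1
    w_star = np.ones(d) / np.sqrt(d)           # true halfspace, unit norm
    X = rng.uniform(-1.0, 1.0, size=(n, d))
    X /= np.maximum(1.0, np.linalg.norm(X, axis=1, keepdims=True))
    y = np.where(X @ w_star >= 0, 1.0, -1.0)   # labels from w_star

    print("standard risk:", empirical_robust_risk(w_star, X, y, 0.0))
    print("robust risk  :", empirical_robust_risk(w_star, X, y, gamma))

With $\gamma = 0$ this recovers the standard risk (zero here, since the data are labeled by $w^*$), while a positive budget counts every sample whose margin is at most $\gamma$, illustrating that the robust risk can only exceed the standard risk.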