Exploiting Internal Randomness for Privacy in Vertical Federated Learning

Abstract

Vertical Federated Learning (VFL) is becoming a standard collaborative learning paradigm with various practical applications. Randomness is essential to enhancing privacy in VFL, but introducing too much external randomness often leads to an intolerable performance loss. Instead, as it was demonstrated for other federated learning settings, leveraging internal randomness – as provided by variational autoencoders (VAEs) –can be beneficial. However, the resulting privacy has never been quantified so far, nor has the approach been investigated for VFL.

We therefore propose a novel differential privacy (DP) estimate, denoted as distance-based empirical local differential privacy (\(\textsf{dELDP}\)). It allows us to empirically bound DP parameters of models or model components, quantifying the internal randomness with appropriate distance and sensitivity metrics. We apply \(\textsf{dELDP}\) to investigate the DP of VAEs and observe values up to \(\epsilon \approx 6.4\) and \(\delta = 2^{-32}\). Based on this, to link the \(\textsf{dELDP}\) parameters to the privacy of VAE-including VFL systems in practice, we conduct comprehensive experiments on the robustness against state-of-the-art privacy attacks. The results illustrate that the VAE system is robust against feature reconstruction attacks and outperforms other privacy-enhancing methods for VFL, especially when the adversary holds 75% of the features during label inference attacks.

Y. Sun and L. Duan—These authors contributed equally to this work.

A Proof of Theorem 2

Here is the complete proof of the \(\textsf{dLDP}\) main theorem (Theorem 2).

Proof

We start from one-dimensional case and upgrade it to the high dimensional case. If the distance \(< \infty \), it is 1 by definition for \(x, x'\) with \(\textsf{Label} (x) = \textsf{Label} (x')\) in (8). We start from one-dimensional case and real valued \(\mu ({x}), V(x)\). Fix a label \(\ell = \textsf{Label} (x) = \textsf{Label} (x')\), The sensitivity is

$$ \varDelta _{\ell } = \max _{x, x'} (|\mu ({x}) - \mu ({x'})|) $$

We then consider the absolute value of the privacy loss for \(x, x'\):

$$\begin{aligned} \left| \ln \left( \frac{ e^{(-1/2\sigma _{1}^{2}) x^2} }{ e^{(-1/2\sigma _{2}^2) (x + \varDelta _{\ell })^2} } \right) \right| , \end{aligned}$$

(12)

where \(\sigma _{1} = ||V(x)||_2\) and \(\sigma _{2} = ||V(x')||_2\), and V() is fixed.²

Without loss of generality, we assume \(\sigma _{1} \le \sigma _{2}\). Then we have

$$\begin{aligned} \left| \ln \left( \frac{ e^{(-1/2\sigma _1^{2}) x^2} }{ e^{(-1/2\sigma _1^2) (x + \varDelta _{\ell })^2} } \right) \right| \ge \left| \ln \left( \frac{ e^{(-1/2\sigma _1^{2}) x^2} }{ e^{(-1/2\sigma _2^2) (x + \varDelta _{\ell })^2} } \right) \right| . \end{aligned}$$

(13)

So to bound (12), we can bound the left-hand side of (13) instead, i.e., we need an \(\epsilon _1\), such that

$$\begin{aligned} \epsilon _1 \ge \left| \ln \left( \frac{ e^{(-1/2\sigma _1^{2}) x^2} }{ e^{(-1/2\sigma _1^2) (x + \varDelta _{\ell })^2} } \right) \right| = \left| \frac{1}{2\sigma _1^2} (2x\varDelta _{\ell } - \varDelta _{\ell }/2 ) \right| . \end{aligned}$$

(14)

Thus, if we iterate over all x with \(\textsf{Label} (x) = \ell \) and let

$$ \sigma _{\ell } := \min (\{\sigma _{i}\}), \sigma _{i} = V(x_i), $$

the bound for the privacy loss w.r.t. label \( \ell \) is

$$\begin{aligned} \epsilon _{\ell } \ge \left| \ln \left( \frac{ e^{(-1/2\sigma _{\ell }^{2}) x^2} }{ e^{(-1/2\sigma _{\ell }^2) (x + \varDelta _{\ell })^2} } \right) \right| = \left| \frac{-1}{2\sigma _{\ell }^2} (2x\varDelta _{\ell } - \varDelta _{\ell }/2 ) \right| \end{aligned}$$

(15)

With a similar argument in the proof of Theorem A.1 in [12], and since |x| is identical to \(|| x ||_{2}\) if \(x \in \mathbb {R} \), then we can have the relation

$$\begin{aligned} \epsilon _{\ell } = \frac{\varDelta _{\ell }}{\sigma _{\ell }} \sqrt{2\log \frac{1.25}{\delta }}. \end{aligned}$$

(16)

By taking \(\epsilon = \max (\{\epsilon _{\ell }\})\), we can conclude that Theorem 2 is correct for one-dimensional posterior sampling in VAE.

We use a convention \(\mu _{x}:=\mu (x)\). For the high dimension case, i.e., \(\mu _{x}, x, V(x) \in \mathbb {R} ^{m}\), the sensitivity is changed to

$$ \varDelta _{\ell } = \max _{x, x'} (||\mu _{x} - \mu _{x'}||_{2}). $$

Similarly, we are interested in the privacy loss w.r.t. label \(\ell \)

$$\begin{aligned} \left| \ln \left( \frac{ e^{(-1/(2\sigma _{1}^{\textsf{T}}\sigma _1)) ||x||_2^2} }{ e^{(-1/(2\sigma _{2}^{\textsf{T}}\sigma _2)) ||(x + \mu _{x} - \mu _{x'})||_2^2} } \right) \right| , \end{aligned}$$

(17)

For \(\sigma _{1} = V(x)\) and \(\sigma _{2} = V(x')\), with \(\sigma _{1}^{\textsf{T}}\sigma _1 \le \sigma _{2}^{\textsf{T}}\sigma _2\), we can have

$$\begin{aligned} \left| \ln \left( \frac{ e^{(-1/(2\sigma _{1}^{\textsf{T}}\sigma _1)) ||x||_2^2} }{ e^{(-1/(2\sigma _{2}^{\textsf{T}}\sigma _2)) ||(x + \mu _{x} - \mu _{x'})||_2^2} } \right) \right| \ge \left| \ln \left( \frac{ e^{(-1/(2\sigma _{1}^{\textsf{T}}\sigma _1)) ||x||_2^2} }{ e^{(-1/(2\sigma _{1}^{\textsf{T}}\sigma _1)) ||(x + \mu _{x} - \mu _{x'})||_2^2} } \right) \right| . \end{aligned}$$

(18)

If we assume that \(\mu _{x}-\mu _{x'}\) with the maximum norm is aligned with x (which gives the biggest denominator), we are back to the one-dimensional case, i.e., for

$$ \sigma _{\ell } = \arg \min _{\sigma _i} (\sigma _{i}^{\textsf{T}}\sigma _{i}) , $$

the bound \(\epsilon _{\ell }\) for the privacy loss must fulfill

$$\begin{aligned} \epsilon _{\ell } \ge \left| \ln \left( \frac{ e^{(-1/(2\sigma _{\ell }^{\textsf{T}}\sigma _{\ell })) ||x||_2^2} }{ e^{(-1/(2\sigma _{\ell }^{\textsf{T}}\sigma _{\ell })) (||x||_2 + \varDelta _{\ell })^2} } \right) \right| = \left| \frac{-1}{2\sigma _{\ell }^{\textsf{T}}\sigma _{\ell }} (2||x||_2\varDelta _{\ell } - \varDelta _{\ell }/2 ) \right| . \end{aligned}$$

(19)

So we have (20) in high dimension. Theorem 2 holds.³

$$\begin{aligned} \epsilon _{\ell } = \frac{\varDelta _{\ell }}{\sqrt{\sigma _{\ell }^{\textsf{T}}\sigma _{\ell }}} \sqrt{2\log \frac{1.25}{\delta }}. \end{aligned}$$

(20)

   \(\square \)