Privacy auditing techniques for differentially private (DP) algorithms are useful for estimating the privacy loss to compare against analytical bounds, or for empirically measuring privacy in settings where known analytical bounds on the DP loss are not tight. However, existing privacy auditing techniques usually make strong assumptions about the adversary (e.g., knowledge of intermediate model iterates or the training data distribution), are tailored to specific tasks and model architectures, and require retraining the model many times (typically on the order of thousands). These shortcomings make deploying such techniques at scale difficult in practice, especially in federated settings where model training can take days or weeks. In this work, we present a novel "one-shot" approach that can systematically address these challenges, allowing efficient auditing or estimation of the privacy loss of a model during the same, single training run used to fit model parameters. Our privacy auditing method for federated learning does not require a priori knowledge about the model architecture or task. We show that our method provides provably correct estimates for privacy loss under the Gaussian mechanism, and we demonstrate its performance on a well-established FL benchmark dataset under several adversarial models.