A private machine learning algorithm hides as much as possible about its training data while still preserving accuracy. In this work, we study whether a non-private learning algorithm can be made private by relying on an instance-encoding mechanism that modifies the training inputs before feeding them to a normal learner. We formalize both the notion of instance encoding and its privacy by providing two attack models. We first prove impossibility results for achieving a (stronger) model. Next, we demonstrate practical attacks in the second (weaker) attack model on InstaHide, a recent proposal by Huang, Song, Li and Arora [ICML'20] that aims to use instance encoding for privacy.

翻译：私人机器学习算法在保留准确性的同时,尽可能隐藏其培训数据。 在这项工作中,我们研究是否可以通过依赖一种实例编码机制来使非私人学习算法成为私人的,这种机制在将培训投入输入给正常学习者之前修改培训投入。我们通过提供两种攻击模型来正式确定实例编码概念及其隐私。我们首先证明不可能取得一个(强者)模型。接下来,我们在第二个InstaHide攻击模式(较弱)中展示了实际攻击,这是黄、宋、李和阿罗拉(ICML'20)最近提出的一项建议,其目的是用实例编码来保护隐私。