mindarmour.privacy.diff_privacy
This module provides Differential Privacy feature to protect user privacy.
- class mindarmour.privacy.diff_privacy.AdaClippingWithGaussianRandom(decay_policy='Linear', learning_rate=0.001, target_unclipped_quantile=0.9, fraction_stddev=0.01, seed=0)[source]
Adaptive clipping. If decay_policy is ‘Linear’, the update formula \(norm\_bound = norm\_bound - learning\_rate*(beta - target\_unclipped\_quantile)\). If decay_policy is ‘Geometric’, the update formula is \(norm\_bound = norm\_bound*exp(-learning\_rate*(empirical\_fraction - target\_unclipped\_quantile))\). where beta is the empirical fraction of samples with the value at most target_unclipped_quantile.
- Parameters
decay_policy (str) – Decay policy of adaptive clipping, decay_policy must be in [‘Linear’, ‘Geometric’]. Default: ‘Linear’.
learning_rate (float) – Learning rate of update norm clip. Default: 0.001.
target_unclipped_quantile (float) – Target quantile of norm clip. Default: 0.9.
fraction_stddev (float) – The stddev of Gaussian normal which used in empirical_fraction, the formula is empirical_fraction + N(0, fraction_stddev). Default: 0.01.
seed (int) – Original random seed, if seed=0 random normal will use secure random number. IF seed!=0 random normal will generate values using given seed. Default: 0.
- Returns
Tensor, undated norm clip .
Examples
>>> from mindspore import Tensor >>> from mindspore.common import dtype as mstype >>> from mindarmour.privacy.diff_privacy import AdaClippingWithGaussianRandom >>> decay_policy = 'Linear' >>> beta = Tensor(0.5, mstype.float32) >>> norm_bound = Tensor(1.0, mstype.float32) >>> beta_stddev = 0.01 >>> learning_rate = 0.001 >>> target_unclipped_quantile = 0.9 >>> ada_clip = AdaClippingWithGaussianRandom(decay_policy=decay_policy, ... learning_rate=learning_rate, ... target_unclipped_quantile=target_unclipped_quantile, ... fraction_stddev=beta_stddev) >>> next_norm_bound = ada_clip(beta, norm_bound)
- construct(empirical_fraction, norm_bound)[source]
Update value of norm_bound.
- Parameters
empirical_fraction (Tensor) – empirical fraction of samples with the value at most target_unclipped_quantile.
norm_bound (Tensor) – Clipping bound for the l2 norm of the gradients.
- Returns
Tensor, generated noise with shape like given gradients.
- class mindarmour.privacy.diff_privacy.ClipMechanismsFactory[source]
Factory class of clip mechanisms Wrapper of clip noise generating mechanisms. It supports Adaptive Clipping with Gaussian Random Noise for now.
For details, please check Tutorial.
- static create(mech_name, decay_policy='Linear', learning_rate=0.001, target_unclipped_quantile=0.9, fraction_stddev=0.01, seed=0)[source]
- Parameters
mech_name (str) – Clip noise generated strategy, support ‘Gaussian’ now.
decay_policy (str) – Decay policy of adaptive clipping, decay_policy must be in [‘Linear’, ‘Geometric’]. Default: Linear.
learning_rate (float) – Learning rate of update norm clip. Default: 0.001.
target_unclipped_quantile (float) – Target quantile of norm clip. Default: 0.9.
fraction_stddev (float) – The stddev of Gaussian normal which used in empirical_fraction, the formula is \(empirical\_fraction + N(0, fraction\_stddev)\). Default: 0.01.
seed (int) – Original random seed, if seed=0 random normal will use secure random number. IF seed!=0 random normal will generate values using given seed. Default: 0.
- Raises
NameError – mech_name must be in [‘Gaussian’].
- Returns
Mechanisms, class of noise generated Mechanism.
Examples
>>> from mindspore import Tensor >>> from mindspore.common import dtype as mstype >>> from mindarmour.privacy.diff_privacy import ClipMechanismsFactory >>> decay_policy = 'Linear' >>> beta = Tensor(0.5, mstype.float32) >>> norm_bound = Tensor(1.0, mstype.float32) >>> beta_stddev = 0.01 >>> learning_rate = 0.001 >>> target_unclipped_quantile = 0.9 >>> clip_mechanism = ClipMechanismsFactory() >>> ada_clip = clip_mechanism.create('Gaussian', ... decay_policy=decay_policy, ... learning_rate=learning_rate, ... target_unclipped_quantile=target_unclipped_quantile, ... fraction_stddev=beta_stddev) >>> next_norm_bound = ada_clip(beta, norm_bound)
- class mindarmour.privacy.diff_privacy.DPModel(micro_batches=2, norm_bound=1.0, noise_mech=None, clip_mech=None, **kwargs)[source]
DPModel is used for constructing a model for differential privacy training. This class is overload mindspore.train.model.Model.
For details, please check Tutorial.
- Parameters
micro_batches (int) – The number of small batches split from an original batch. Default: 2.
norm_bound (float) – Use to clip the bound, if set 1, will return the original data. Default: 1.0.
noise_mech (Mechanisms) – The object can generate the different type of noise. Default: None.
clip_mech (Mechanisms) – The object is used to update the adaptive clip. Default: None.
- Raises
ValueError – If DPOptimizer and noise_mech are both None or not None.
ValueError – If noise_mech or DPOtimizer’s mech method is adaptive while clip_mech is not None.
- class mindarmour.privacy.diff_privacy.DPOptimizerClassFactory(micro_batches=2)[source]
Factory class of Optimizer.
- Parameters
micro_batches (int) – The number of small batches split from an original batch. Default: 2.
- Returns
Optimizer, Optimizer class.
Examples
>>> from mindarmour.privacy.diff_privacy import DPOptimizerClassFactory >>> from tests.ut.python.utils.mock_net import Net >>> network = Net() >>> GaussianSGD = DPOptimizerClassFactory(micro_batches=2) >>> GaussianSGD.set_mechanisms('Gaussian', norm_bound=1.0, initial_noise_multiplier=1.5) >>> net_opt = GaussianSGD.create('Momentum')(params=network.trainable_params(), ... learning_rate=0.001, ... momentum=0.9)
- class mindarmour.privacy.diff_privacy.NoiseAdaGaussianRandom(norm_bound=1.0, initial_noise_multiplier=1.0, seed=0, noise_decay_rate=6e-06, decay_policy='Exp')[source]
Adaptive Gaussian noise generated mechanism. Noise would be decayed with training. Decay mode could be ‘Time’ mode, ‘Step’ mode, ‘Exp’ mode. self._noise_multiplier will be update during model training process.
- Parameters
norm_bound (float) – Clipping bound for the l2 norm of the gradients. Default: 1.0.
initial_noise_multiplier (float) – Ratio of the standard deviation of Gaussian noise divided by the norm_bound, which will be used to calculate privacy spent. Default: 1.0.
seed (int) – Original random seed, if seed=0 random normal will use secure random number. IF seed!=0 random normal will generate values using given seed. Default: 0.
noise_decay_rate (float) – Hyper parameter for controlling the noise decay. Default: 6e-6.
decay_policy (str) – Noise decay strategy include ‘Step’, ‘Time’, ‘Exp’. Default: ‘Exp’.
Examples
>>> from mindspore import Tensor >>> from mindspore.common import dtype as mstype >>> from mindarmour.privacy.diff_privacy import NoiseAdaGaussianRandom >>> gradients = Tensor([0.2, 0.9], mstype.float32) >>> norm_bound = 1.0 >>> initial_noise_multiplier = 1.0 >>> seed = 0 >>> noise_decay_rate = 6e-6 >>> decay_policy = "Exp" >>> net = NoiseAdaGaussianRandom(norm_bound, initial_noise_multiplier, seed, noise_decay_rate, decay_policy) >>> res = net(gradients)
- class mindarmour.privacy.diff_privacy.NoiseGaussianRandom(norm_bound=1.0, initial_noise_multiplier=1.0, seed=0, decay_policy=None)[source]
Generate noise in Gaussian Distribution with \(mean=0\) and \(standard\_deviation = norm\_bound * initial\_noise\_multiplier\).
- Parameters
norm_bound (float) – Clipping bound for the l2 norm of the gradients. Default: 1.0.
initial_noise_multiplier (float) – Ratio of the standard deviation of Gaussian noise divided by the norm_bound, which will be used to calculate privacy spent. Default: 1.0.
seed (int) – Original random seed, if seed=0, random normal will use secure random number. If seed!=0, random normal will generate values using given seed. Default: 0.
decay_policy (str) – Mechanisms parameters update policy. Default: None.
Examples
>>> from mindspore import Tensor >>> from mindspore.common import dtype as mstype >>> from mindarmour.privacy.diff_privacy import NoiseGaussianRandom >>> gradients = Tensor([0.2, 0.9], mstype.float32) >>> norm_bound = 0.1 >>> initial_noise_multiplier = 1.0 >>> seed = 0 >>> decay_policy = None >>> net = NoiseGaussianRandom(norm_bound, initial_noise_multiplier, seed, decay_policy) >>> res = net(gradients)
- class mindarmour.privacy.diff_privacy.NoiseMechanismsFactory[source]
Factory class of noise mechanisms Wrapper of noise generating mechanisms. It supports Gaussian Random Noise and Adaptive Gaussian Random Noise for now.
For details, please check Tutorial.
- static create(mech_name, norm_bound=1.0, initial_noise_multiplier=1.0, seed=0, noise_decay_rate=6e-06, decay_policy=None)[source]
- Parameters
mech_name (str) – Noise generated strategy, could be ‘Gaussian’ or ‘AdaGaussian’. Noise would be decayed with ‘AdaGaussian’ mechanism while be constant with ‘Gaussian’ mechanism.
norm_bound (float) – Clipping bound for the l2 norm of the gradients. Default: 1.0.
initial_noise_multiplier (float) – Ratio of the standard deviation of Gaussian noise divided by the norm_bound, which will be used to calculate privacy spent. Default: 1.0.
seed (int) – Original random seed, if seed=0 random normal will use secure random number. IF seed!=0 random normal will generate values using given seed. Default: 0.
noise_decay_rate (float) – Hyper parameter for controlling the noise decay. Default: 6e-6.
decay_policy (str) – Mechanisms parameters update policy. If decay_policy is None, no parameters need update. Default: None.
- Raises
NameError – mech_name must be in [‘Gaussian’, ‘AdaGaussian’].
- Returns
Mechanisms, class of noise generated Mechanism.
Examples
>>> from mindarmour.privacy.diff_privacy import NoiseMechanismsFactory >>> norm_bound = 1.0 >>> initial_noise_multiplier = 1.0 >>> noise_mechanism = NoiseMechanismsFactory() >>> clip = noise_mechanism.create('Gaussian', ... norm_bound=norm_bound, ... initial_noise_multiplier=initial_noise_multiplier)
- class mindarmour.privacy.diff_privacy.PrivacyMonitorFactory[source]
Factory class of DP training’s privacy monitor. For details, please check Tutorial.
- static create(policy, *args, **kwargs)[source]
Create a privacy monitor class.
- Parameters
policy (str) – Monitor policy, ‘rdp’ and ‘zcdp’ are supported by now. If policy is ‘rdp’, the monitor will compute the privacy budget of DP training based on Renyi differential privacy theory; If policy is ‘zcdp’, the monitor will compute the privacy budget of DP training based on zero-concentrated differential privacy theory. It’s worth noting that ‘zcdp’ is not suitable for subsampling noise mechanism.
args (Union[int, float, numpy.ndarray, list, str]) – Parameters used for creating a privacy monitor.
kwargs (Union[int, float, numpy.ndarray, list, str]) – Keyword parameters used for creating a privacy monitor.
- Returns
Callback, a privacy monitor.
Examples
>>> from mindarmour.privacy.diff_privacy import PrivacyMonitorFactory >>> rdp = PrivacyMonitorFactory.create(policy='rdp', num_samples=60000, batch_size=32)
- class mindarmour.privacy.diff_privacy.RDPMonitor(num_samples, batch_size, initial_noise_multiplier=1.5, max_eps=10.0, target_delta=0.001, max_delta=None, target_eps=None, orders=None, noise_decay_mode='Time', noise_decay_rate=0.0006, per_print_times=50, dataset_sink_mode=False)[source]
Compute the privacy budget of DP training based on Renyi differential privacy (RDP) theory. According to the reference below, if a randomized mechanism is said to have ε’-Renyi differential privacy of order α, it also satisfies conventional differential privacy (ε, δ) as below:
\[(ε'+\frac{log(1/δ)}{α-1}, δ)\]For details, please check Tutorial.
Reference: Rényi Differential Privacy of the Sampled Gaussian Mechanism
- Parameters
num_samples (int) – The total number of samples in training data sets.
batch_size (int) – The number of samples in a batch while training.
initial_noise_multiplier (Union[float, int]) – Ratio of the standard deviation of Gaussian noise divided by the norm_bound, which will be used to calculate privacy spent. Default: 1.5.
max_eps (Union[float, int, None]) – The maximum acceptable epsilon budget for DP training, which is used for estimating the max training epochs. ‘None’ means there is no limit to epsilon budget. Default: 10.0.
target_delta (Union[float, int, None]) – Target delta budget for DP training. If target_delta is set to be δ, then the privacy budget δ would be fixed during the whole training process. Default: 1e-3.
max_delta (Union[float, int, None]) – The maximum acceptable delta budget for DP training, which is used for estimating the max training epochs. Max_delta must be less than 1 and suggested to be less than 1e-3, otherwise overflow would be encountered. ‘None’ means there is no limit to delta budget. Default: None.
target_eps (Union[float, int, None]) – Target epsilon budget for DP training. If target_eps is set to be ε, then the privacy budget ε would be fixed during the whole training process. Default: None.
orders (Union[None, list[int, float]]) – Finite orders used for computing rdp, which must be greater than 1. The computation result of privacy budget would be different for various orders. In order to obtain a tighter (smaller) privacy budget estimation, a list of orders could be tried. Default: None.
noise_decay_mode (Union[None, str]) – Decay mode of adding noise while training, which can be None, ‘Time’, ‘Step’ or ‘Exp’. Default: ‘Time’.
noise_decay_rate (float) – Decay rate of noise while training. Default: 6e-4.
per_print_times (int) – The interval steps of computing and printing the privacy budget. Default: 50.
dataset_sink_mode (bool) – If True, all training data would be passed to device(Ascend) one-time. If False, training data would be passed to device after each step training. Default: False.
Examples
>>> from mindarmour.privacy.diff_privacy import PrivacyMonitorFactory >>> rdp = PrivacyMonitorFactory.create(policy='rdp', num_samples=100, batch_size=32)
- class mindarmour.privacy.diff_privacy.ZCDPMonitor(num_samples, batch_size, initial_noise_multiplier=1.5, max_eps=10.0, target_delta=0.001, noise_decay_mode='Time', noise_decay_rate=0.0006, per_print_times=50, dataset_sink_mode=False)[source]
Compute the privacy budget of DP training based on zero-concentrated differential privacy theory (zcdp). According to the reference below, if a randomized mechanism is said to have ρ-zCDP, it also satisfies conventional differential privacy (ε, δ) as below:
\[(ρ+2\sqrt{ρ*log(1/δ)}, δ)\]It should be noted that ZCDPMonitor is not suitable for subsampling noise mechanisms(such as NoiseAdaGaussianRandom and NoiseGaussianRandom). The matching noise mechanism of ZCDP will be developed in the future.
For details, please check Tutorial.
Reference: Concentrated Differentially Private Gradient Descent with Adaptive per-Iteration Privacy Budget
- Parameters
num_samples (int) – The total number of samples in training data sets.
batch_size (int) – The number of samples in a batch while training.
initial_noise_multiplier (Union[float, int]) – Ratio of the standard deviation of Gaussian noise divided by the norm_bound, which will be used to calculate privacy spent. Default: 1.5.
max_eps (Union[float, int]) – The maximum acceptable epsilon budget for DP training, which is used for estimating the max training epochs. Default: 10.0.
target_delta (Union[float, int]) – Target delta budget for DP training. If target_delta is set to be δ, then the privacy budget δ would be fixed during the whole training process. Default: 1e-3.
noise_decay_mode (Union[None, str]) – Decay mode of adding noise while training, which can be None, ‘Time’, ‘Step’ or ‘Exp’. Default: ‘Time’.
noise_decay_rate (float) – Decay rate of noise while training. Default: 6e-4.
per_print_times (int) – The interval steps of computing and printing the privacy budget. Default: 50.
dataset_sink_mode (bool) – If True, all training data would be passed to device(Ascend) one-time. If False, training data would be passed to device after each step training. Default: False.
Examples
>>> from mindarmour.privacy.diff_privacy import PrivacyMonitorFactory >>> zcdp = PrivacyMonitorFactory.create(policy='zcdp', ... num_samples=100, ... batch_size=32, ... initial_noise_multiplier=1.5)