ON INSTAHIDE, PHASE RETRIEVAL, AND SPARSE MATRIX FACTORIZATION

Abstract

In this work, we examine the security of InstaHide, a scheme recently proposed by Huang et al. (2020b) for preserving the security of private datasets in the context of distributed learning. To generate a synthetic training example to be shared among the distributed learners, InstaHide takes a convex combination of private feature vectors and randomly flips the sign of each entry of the resulting vector with probability 1/2. A salient question is whether this scheme is secure in any provable sense, perhaps under a plausible complexity-theoretic assumption. The answer turns out to be quite subtle and closely related to the average-case complexity of a multi-task, missing-data version of the classic problem of phase retrieval that is interesting in its own right. Motivated by this connection, under the standard distributional assumption that the public/private feature vectors are isotropic Gaussian, we design an algorithm that can actually recover a private vector using only the public vectors and a sequence of synthetic vectors generated by InstaHide.

1. INTRODUCTION

In distributed learning, where decentralized parties each possess some private local data and work together to train a global model, a central challenge is to ensure that the security of any individual party's local data is not compromised. Huang et al. (2020b) recently proposed an interesting approach, called InstaHide, for this problem. At a high level, InstaHide is a method for aggregating local data into synthetic data that can hopefully preserve the privacy of the local datasets while still being usable to train good models. Informally, given a collection of public feature vectors (e.g. a publicly available dataset like ImageNet (Deng et al., 2009)) and a collection of private feature vectors (e.g. the union of all of the private datasets among the learners), InstaHide produces a synthetic feature vector as follows. Let integers k_pub, k_priv be sparsity parameters.

1. Form a random convex combination of k_pub public and k_priv private vectors.
2. Multiply every coordinate of the resulting vector by an independent random sign in {±1}, and define this to be the synthetic feature vector.

The hope is that by removing any sign information from the vector obtained in Step 1, Step 2 makes it difficult to discern which public and private vectors were selected in Step 1. Strikingly, Huang et al. (2020b) demonstrated on real-world datasets that if one trains a ResNet-18 or a NASNet on a dataset consisting of synthetic vectors generated in this fashion, one can still get good test accuracy on the underlying private dataset for modest sparsity parameters (e.g. k_pub = k_priv = 2).^1

The two outstanding theoretical challenges that InstaHide poses are understanding:

• Utility: What property, either of neural networks or of real-world distributions, lets one tolerate this kind of covariate shift between the synthetic and original datasets?
• Security: Can one rigorously formulate a refutable security claim for InstaHide, under a plausible average-case complexity-theoretic assumption?

In this paper we consider the latter question. One informal security claim implicit in Huang et al. (2020b) is that, given a synthetic dataset of a certain size, no efficient algorithm can recover a private image to within a certain level of accuracy (see Problem 1 for a formal statement of this recovery question).

On the one hand, it is a worthwhile topic of debate whether this is a satisfactory guarantee from a security standpoint. On the other, even this kind of claim is quite delicate to pin down formally, in part because it seems impossible for such a claim to hold for arbitrary private datasets.

Known Attacks and the Importance of Distributional Assumptions. If the private and public datasets consisted of natural images, for example, then attacks are known (Jagielski, 2020; Carlini et al., 2020). At a high level, the attack of Jagielski (2020) crucially leverages local Lipschitzness properties of natural images and shows that when k_priv + k_pub = 2, even a single synthetic image can reveal significant information. The very recent attack of Carlini et al. (2020), which was independent of the present work and appeared a month after this submission appeared online, is more sophisticated and bears interesting similarities to the algorithms we consider. We defer a detailed discussion of these similarities to Appendix A in the supplement.

While the original InstaHide paper (Huang et al., 2020b) focused on image data, the general approach has the potential to be applicable to other forms of real-valued data, and it is an interesting mathematical question whether the above attacks remain viable. For instance, for distributions over private vectors where individual features are nearly independent, one cannot hope to leverage the kinds of local Lipschitzness properties that the attack of Jagielski (2020) exploits. Additionally, if the individual features are identically distributed, then it is information-theoretically impossible to discern anything from just a single synthetic vector. For instance, if a synthetic vector v is given by the entrywise absolute value of (1/2)v_1 + (1/2)v_2 for private vectors v_1, v_2, then an equally plausible pair of private vectors generating v would be the pair obtained by swapping the i-th entry of v_1 with that of v_2 for any collection of indices i ∈ [d]. In other words, there are 2^d pairs of private vectors which are equally likely under the Gaussian measure and give rise to the exact same synthetic vector.

Gaussian Images, and Our Results. A natural candidate for probing whether such properties can make the problem of recovering private vectors more challenging is the case where the public and private vectors are sampled from the standard Gaussian distribution over R^d. While this distribution does not capture datasets in the real world, it avoids some properties of distributions over natural images that might make InstaHide more vulnerable to attack, and is thus a clean testbed for stress-testing candidate security claims for InstaHide. Furthermore, in light of known hardness results for certain learning problems over Gaussian space (Diakonikolas et al., 2017; Bruna et al., 2020; Diakonikolas et al., 2020b; Goel et al., 2020a; Diakonikolas et al., 2020a; Klivans & Kothari, 2014; Goel et al., 2020b; Bubeck et al., 2019; Regev & Vijayaraghavan, 2017), one might hope that when the vectors are Gaussian, one could rigorously establish some lower bounds, e.g. on the size of the synthetic dataset (information-theoretic) and/or the runtime of the attacker (computational), perhaps under an average-case assumption, or in some restricted computational model like SQ. Orthogonally, we note that the recovery task the attacker must solve appears to be an interesting inverse problem in its own right, namely a multi-task, missing-entry version of phase retrieval with an intriguing connection to sparse matrix factorization (see Section 2.2 and Section 3). The assumption of Gaussianity is a natural starting point for understanding the average-case complexity of this problem, and in this learning-theoretic context it is desirable to give algorithms with provable guarantees.

* This work was supported in part by NSF CAREER Award CCF-1453261, NSF Large CCF-1565235, and Ankur Moitra's ONR Young Investigator Award.

^1 We did not describe how the labels for the synthetic vectors are assigned, but this part of InstaHide will not be important for our theoretical results; we defer discussion of labels to Section 4.
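To make the two-step generation procedure and the sign-ambiguity observation concrete, here is a minimal sketch for Gaussian feature vectors. This is our own illustration, not the reference InstaHide implementation: the function name and the choice of normalized-uniform mixing weights are assumptions, and the original scheme may draw its convex coefficients differently.

```python
import numpy as np

def instahide_encode(public, private, k_pub, k_priv, rng):
    """Produce one synthetic vector from rows of `public` and `private`.

    Step 1: random convex combination of k_pub public and k_priv private rows.
    Step 2: flip the sign of each coordinate independently with probability 1/2.
    """
    pub_idx = rng.choice(public.shape[0], size=k_pub, replace=False)
    priv_idx = rng.choice(private.shape[0], size=k_priv, replace=False)
    chosen = np.vstack([public[pub_idx], private[priv_idx]])
    # One simple way to get convex weights: normalize i.i.d. uniforms.
    w = rng.random(k_pub + k_priv)
    w /= w.sum()
    mixed = w @ chosen                         # Step 1
    signs = rng.choice([-1.0, 1.0], size=mixed.shape[0])
    return signs * mixed                       # Step 2

rng = np.random.default_rng(0)
d = 8
public = rng.standard_normal((10, d))
private = rng.standard_normal((10, d))
y = instahide_encode(public, private, k_pub=2, k_priv=2, rng=rng)

# Sign ambiguity: with weights (1/2, 1/2), swapping the i-th entries of v_1 and
# v_2 leaves the mixture (and hence its entrywise absolute value) unchanged, so
# all 2^d swapped pairs explain the same synthetic vector.
v1, v2 = private[0], private[1]
v = np.abs(0.5 * v1 + 0.5 * v2)
v1s, v2s = v1.copy(), v2.copy()
v1s[3], v2s[3] = v2[3], v1[3]                  # swap one coordinate
assert np.allclose(v, np.abs(0.5 * v1s + 0.5 * v2s))
```

Because the swapped pair (v1s, v2s) is exactly as likely as (v1, v2) under the standard Gaussian measure, a single synthetic vector cannot distinguish between them, matching the information-theoretic obstruction discussed above.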

