In [2]:
 import keras

In [3]:
 !pip install syft==0.2.9 tensorflow_privacy==0.7.3

Collecting syft==0.2.9
  Downloading syft-0.2.9-py3-none-any.whl (433 kB)
[?25l[K     |▊                               | 10 kB 7.3 MB/s eta 0:00:01[K     |█▌                              | 20 kB 6.7 MB/s eta 0:00:01[K     |██▎                             | 30 kB 6.2 MB/s eta 0:00:01[K     |███                             | 40 kB 4.6 MB/s eta 0:00:01[K     |███▊                            | 51 kB 4.4 MB/s eta 0:00:01[K     |████▌                           | 61 kB 4.9 MB/s eta 0:00:01[K     |█████▎                          | 71 kB 4.8 MB/s eta 0:00:01[K     |██████                          | 81 kB 5.4 MB/s eta 0:00:01[K     |██████▉                         | 92 kB 4.9 MB/s eta 0:00:01[K     |███████▌                        | 102 kB 4.7 MB/s eta 0:00:01[K     |████████▎                       | 112 kB 4.7 MB/s eta 0:00:01[K     |█████████                       | 122 kB 4.7 MB/s eta 0:00:01[K     |█████████▉                      | 133 kB 4.7 MB/s eta 0:00:01[K  

Defines Loss Function

In [1]:
from absl import logging
import collections
import tensorflow as tf

# from tensorflow_privacy.privacy.analysis import privacy_ledger
from tensorflow_privacy.privacy.dp_query import gaussian_query

def make_optimizer_class(cls):
  """Constructs a DP optimizer class from an existing one."""
  parent_code = tf.compat.v1.train.Optimizer.compute_gradients.__code__
  child_code = cls.compute_gradients.__code__
  GATE_OP = tf.compat.v1.train.Optimizer.GATE_OP  # pylint: disable=invalid-name
  if child_code is not parent_code:
    logging.warning(
        'WARNING: Calling make_optimizer_class() on class %s that overrides '
        'method compute_gradients(). Check to ensure that '
        'make_optimizer_class() does not interfere with overridden version.',
        cls.__name__)

  class DPOptimizerClass(cls):
    """Differentially private subclass of given class cls."""

    _GlobalState = collections.namedtuple(
      '_GlobalState', ['l2_norm_clip', 'stddev'])
    
    def __init__(
        self,
        dp_sum_query,
        num_microbatches=None,
        unroll_microbatches=False,
        *args,  # pylint: disable=keyword-arg-before-vararg, g-doc-args
        **kwargs):
      """Initialize the DPOptimizerClass.

      Args:
        dp_sum_query: DPQuery object, specifying differential privacy
          mechanism to use.
        num_microbatches: How many microbatches into which the minibatch is
          split. If None, will default to the size of the minibatch, and
          per-example gradients will be computed.
        unroll_microbatches: If true, processes microbatches within a Python
          loop instead of a tf.while_loop. Can be used if using a tf.while_loop
          raises an exception.
      """
      super(DPOptimizerClass, self).__init__(*args, **kwargs)
      self._dp_sum_query = dp_sum_query
      self._num_microbatches = num_microbatches
      self._global_state = self._dp_sum_query.initial_global_state()
      # TODO(b/122613513): Set unroll_microbatches=True to avoid this bug.
      # Beware: When num_microbatches is large (>100), enabling this parameter
      # may cause an OOM error.
      self._unroll_microbatches = unroll_microbatches

    def compute_gradients(self,
                          loss,
                          var_list,
                          gate_gradients=GATE_OP,
                          aggregation_method=None,
                          colocate_gradients_with_ops=False,
                          grad_loss=None,
                          gradient_tape=None,
                          curr_noise_mult=0,
                          curr_norm_clip=1):

      self._dp_sum_query = gaussian_query.GaussianSumQuery(curr_norm_clip, 
                                                           curr_norm_clip*curr_noise_mult)
      self._global_state = self._dp_sum_query.make_global_state(curr_norm_clip, 
                                                                curr_norm_clip*curr_noise_mult)
      

      # TF is running in Eager mode, check we received a vanilla tape.
      if not gradient_tape:
        raise ValueError('When in Eager mode, a tape needs to be passed.')

      vector_loss = loss()
      if self._num_microbatches is None:
        self._num_microbatches = tf.shape(input=vector_loss)[0]
      sample_state = self._dp_sum_query.initial_sample_state(var_list)
      microbatches_losses = tf.reshape(vector_loss, [self._num_microbatches, -1])
      sample_params = (self._dp_sum_query.derive_sample_params(self._global_state))

      def process_microbatch(i, sample_state):
        """Process one microbatch (record) with privacy helper."""
        microbatch_loss = tf.reduce_mean(input_tensor=tf.gather(microbatches_losses, [i]))
        grads = gradient_tape.gradient(microbatch_loss, var_list)
        sample_state = self._dp_sum_query.accumulate_record(sample_params, sample_state, grads)
        return sample_state
    
      for idx in range(self._num_microbatches):
        sample_state = process_microbatch(idx, sample_state)

      if curr_noise_mult > 0:
        grad_sums, self._global_state = (self._dp_sum_query.get_noised_result(sample_state, self._global_state))
      else:
        grad_sums = sample_state

      def normalize(v):
        return v / tf.cast(self._num_microbatches, tf.float32)

      final_grads = tf.nest.map_structure(normalize, grad_sums)
      grads_and_vars = final_grads#list(zip(final_grads, var_list))
    
      return grads_and_vars

  return DPOptimizerClass


def make_gaussian_optimizer_class(cls):
  """Constructs a DP optimizer with Gaussian averaging of updates."""

  class DPGaussianOptimizerClass(make_optimizer_class(cls)):
    """DP subclass of given class cls using Gaussian averaging."""

    def __init__(
        self,
        l2_norm_clip,
        noise_multiplier,
        num_microbatches=None,
        ledger=None,
        unroll_microbatches=False,
        *args,  # pylint: disable=keyword-arg-before-vararg
        **kwargs):
      dp_sum_query = gaussian_query.GaussianSumQuery(
          l2_norm_clip, l2_norm_clip * noise_multiplier)

      if ledger:
        dp_sum_query = privacy_ledger.QueryWithLedger(dp_sum_query,
                                                      ledger=ledger)

      super(DPGaussianOptimizerClass, self).__init__(
          dp_sum_query,
          num_microbatches,
          unroll_microbatches,
          *args,
          **kwargs)

    @property
    def ledger(self):
      return self._dp_sum_query.ledger

  return DPGaussianOptimizerClass
GradientDescentOptimizer = tf.compat.v1.train.GradientDescentOptimizer
DPGradientDescentGaussianOptimizer_NEW = make_gaussian_optimizer_class(GradientDescentOptimizer)

In [2]:
#import keras
#import tensorflow as tf
from tensorflow_privacy.privacy.analysis import compute_dp_sgd_privacy
from tensorflow_privacy.privacy.optimizers.dp_optimizer import DPGradientDescentGaussianOptimizer
from keras.datasets import mnist,cifar100
import numpy as np

# (mnist_x_train, mnist_y_train), (mnist_x_test, mnist_y_test) = mnist.load_data()
(mnist_x_train, mnist_y_train), (mnist_x_test, mnist_y_test) = cifar100.load_data()

mnist_x_train = mnist_x_train.astype( np.float32 ) / 255
mnist_x_test = mnist_x_test.astype( np.float32 ) / 255

mnist_x_train = mnist_x_train.reshape( -1, 32, 32, 3)
mnist_x_test = mnist_x_test.reshape( -1, 32, 32, 3)

mnist_y_train = tf.keras.utils.to_categorical(mnist_y_train)#keras.utils.to_categorical( mnist_y_train )
mnist_y_test = tf.keras.utils.to_categorical(mnist_y_test)#keras.utils.to_categorical( mnist_y_test )

EPOCHS = 10
BATCH_SIZE = 500

model = tf.keras.models.Sequential()
model.add( tf.keras.layers.Conv2D( 32, kernel_size=(3, 3), activation='relu', input_shape=mnist_x_train.shape[ 1: ]  ) )
model.add( tf.keras.layers.MaxPooling2D( pool_size=(2, 2) ) )
model.add( tf.keras.layers.Conv2D( 64, kernel_size=(3, 3), activation='relu' ) )
model.add( tf.keras.layers.Flatten() )
model.add( tf.keras.layers.Dense( 128, activation='relu' ) )
model.add( tf.keras.layers.Dense( 100, activation='softmax' ) )
optimizer = DPGradientDescentGaussianOptimizer_NEW(
   learning_rate = 0.0001,
   l2_norm_clip = 1.7,
   noise_multiplier = 1.0,
   num_microbatches = 150)

loss = tf.keras.losses.CategoricalCrossentropy( from_logits=True, reduction=tf.losses.Reduction.NONE )

model.compile(optimizer=optimizer, loss=loss, metrics=['accuracy'])

model.fit(mnist_x_train, mnist_y_train,epochs= EPOCHS, steps_per_epoch=50000/500)

print( 'test acc:', model.evaluate( mnist_x_test, mnist_y_test, batch_size=150 ) )

eps = compute_dp_sgd_privacy.compute_dp_sgd_privacy(n=60000, batch_size=150, noise_multiplier=1.3, epochs=5, delta=4e-5)
print( 'epsilon: ', eps )


Downloading data from https://www.cs.toronto.edu/~kriz/cifar-100-python.tar.gz
Epoch 1/10


  return dispatch_target(*args, **kwargs)


Epoch 2/10
Epoch 3/10
Epoch 4/10
Epoch 5/10
Epoch 6/10
Epoch 7/10
Epoch 8/10
Epoch 9/10
Epoch 10/10
test acc: [3.547664165496826, 0.17489999532699585]
DP-SGD with sampling rate = 0.25% and noise_multiplier = 1.3 iterated over 2000 steps satisfies differential privacy with eps = 0.446 and delta = 4e-05.
The optimal RDP order is 19.0.
epsilon:  (0.44569798462065274, 19.0)


In [3]:
import keras
import tensorflow as tf
from tensorflow_privacy.privacy.analysis import compute_dp_sgd_privacy
from tensorflow_privacy.privacy.optimizers.dp_optimizer import DPGradientDescentGaussianOptimizer
from keras.datasets import mnist,cifar100
import numpy as np

# (mnist_x_train, mnist_y_train), (mnist_x_test, mnist_y_test) = mnist.load_data()
(mnist_x_train, mnist_y_train), (mnist_x_test, mnist_y_test) = cifar100.load_data()

mnist_x_train = mnist_x_train.astype( np.float32 ) / 255
mnist_x_test = mnist_x_test.astype( np.float32 ) / 255

mnist_x_train = mnist_x_train.reshape( -1, 32, 32, 3)
mnist_x_test = mnist_x_test.reshape( -1, 32, 32, 3)

mnist_y_train = tf.keras.utils.to_categorical(mnist_y_train)#keras.utils.to_categorical( mnist_y_train )
mnist_y_test = tf.keras.utils.to_categorical(mnist_y_test)#keras.utils.to_categorical( mnist_y_test )

EPOCHS = 10
BATCH_SIZE = 250

model = tf.keras.models.Sequential()
model.add( tf.keras.layers.Conv2D( 32, kernel_size=(3, 3), activation='relu', input_shape=mnist_x_train.shape[ 1: ]  ) )
model.add( tf.keras.layers.MaxPooling2D( pool_size=(2, 2) ) )
model.add( tf.keras.layers.Conv2D( 64, kernel_size=(3, 3), activation='relu' ) )
model.add( tf.keras.layers.Flatten() )
model.add( tf.keras.layers.Dense( 128, activation='relu' ) )
model.add( tf.keras.layers.Dense( 100, activation='softmax' ) )
optimizer=DPGradientDescentGaussianOptimizer_NEW(
   learning_rate = 0.1,
   l2_norm_clip = 1.2,
   noise_multiplier = 1.2,
   num_microbatches = 100)

loss = tf.keras.losses.CategoricalCrossentropy( from_logits=True, reduction=tf.losses.Reduction.NONE )

model.compile(optimizer=optimizer, loss=loss, metrics=['accuracy'])

model.fit(mnist_x_train, mnist_y_train,epochs= EPOCHS, steps_per_epoch=50000/500)

print( 'test acc:', model.evaluate( mnist_x_test, mnist_y_test, batch_size=250 ) )

eps = compute_dp_sgd_privacy.compute_dp_sgd_privacy(n=60000, batch_size=250, noise_multiplier=1.3, epochs=10, delta=4e-5)
print( 'epsilon: ', eps )


Epoch 1/10


  return dispatch_target(*args, **kwargs)


Epoch 2/10
Epoch 3/10
Epoch 4/10
Epoch 5/10
Epoch 6/10
Epoch 7/10
Epoch 8/10
Epoch 9/10
Epoch 10/10
test acc: [4.634218215942383, 0.009999999776482582]
DP-SGD with sampling rate = 0.417% and noise_multiplier = 1.3 iterated over 2400 steps satisfies differential privacy with eps = 0.702 and delta = 4e-05.
The optimal RDP order is 17.0.
epsilon:  (0.7021092097853936, 17.0)
