Nearly Tight Black-Box Auditing of Differentially Private Machine Learning

  • 2024-10-17 02:15:29
  • Meenatchi Sundaram Muthu Selva Annamalai, Emiliano De Cristofaro

Abstract

This paper presents an auditing procedure for the Differentially Private Stochastic Gradient Descent (DP-SGD) algorithm in the black-box threat model that is substantially tighter than prior work. The main intuition is to craft worst-case initial model parameters, as DP-SGD's privacy analysis is agnostic to the choice of the initial model parameters. For models trained on MNIST and CIFAR-10 at theoretical $\varepsilon=10.0$, our auditing procedure yields empirical estimates of $\varepsilon_{emp} = 7.21$ and $6.95$, respectively, on a 1,000-record sample and $\varepsilon_{emp} = 6.48$ and $4.96$ on the full datasets. By contrast, previous audits were only (relatively) tight in stronger white-box models, where the adversary can access the model's inner parameters and insert arbitrary gradients. Overall, our auditing procedure can offer valuable insight into how the privacy analysis of DP-SGD could be improved and detect bugs and DP violations in real-world implementations. The source code needed to reproduce our experiments is available at https://github.com/spalabucr/bb-audit-dpsgd.

 
