Large-Scale Public Data Improves Differentially Private Image Generation Quality

Thank you for your positive and insightful feedback to our paper! We will add the discussions below in the revision.

Conditional generation: Thank you for pointing out the issue of conditional generation. We could extend our method by applying our method for each class while sharing a joint privacy budget; this is what DP-MEPF does for conditional generation. Although we believe that our advantage in image quality would apply in the conditional generation setting as well, we think advanced adaptation to conditional generation would be worth studying as future work.

The limitation of DP-MGE: We believe that the limitation of DP-MGE is because it models the private distribution in the feature space as a unimodal Gaussian, and not because of the noise added due to DP. This is because we found that in the $\varepsilon = \infty$ case, DP-MGE did quite poorly in some datasets (Pet, Objects-Grass, Objects-Autumn) in our experiments. We will clarify and discuss this in the paper.

Using a mixture of a small number of Gaussians (gaussian mixture models) instead of a single Gaussian is also a good idea; However, we think DP-DRE might still outperform this method for low privacy budgets ($\varepsilon\leq 1$). Notice that increasing the complexity of distribution representation (e.g. the number of Gaussian) will boost the performance when $\varepsilon=\infty$, this algorithm will become less robust to the noise due to DP than the unimodal Gaussian. For example, the accuracy DP-MGE significantly drops when $\varepsilon=1.0$ on the Pet dataset, which implies gaussian mixture models would significantly drop when $\varepsilon=1.0$ as well. By comparison, DP-DRE when $\varepsilon=1.0$ is capable of mostly achieving the same performance as non-private IC-GAN on Pet dataset – which is an upper bound on all IC-GAN based algorithms. Same analysis can be applied into other datasets.

The normalization operator in IC-GAN: This is designed inside the IC-GAN. Once the feature extractor (ResNet50) $h’$ is trained, the training procedure of the decoder (GAN) always uses the normalized features $h(x_i):=h’(x_i)/\|h’(x_i)\|$ from ResNet50.

Comparison with SOTA private training diffusion models: Thank you for pointing out the references to the diffusion models! We will add the discussion and comparisons below to our paper. [1] considers the more challenging pure private data/no pre-trained model setting. Consequently, their results apply to image datasets with low-resolution (MNIST, etc.) [2, 3] study DP fine-tuning on a publicly pre-trained model, where the public data is ImageNet – the same as our set-up. As their code does not appear to be publicly available, we will compare performances on CIFAR10, which is reported in their paper. For CIFAR10 – although [2,3] have lower FID scores when $\varepsilon \geq 5.0$, our method DP-DRE starts to outperform [2, 3] when $\varepsilon=1.0$ – DP-DRE has FID score of $20.9$ while [2, 3] have FID scores of $22.9$ and $25.2$. Indeed our method is also tested with $\varepsilon=0.1$ and its FID score still resists at $20.9$! This demonstrates the advantage of our method at the low $\varepsilon$ (high privacy) regime, while their method may do better at high $\varepsilon$ (low privacy) regimes.

Relevant topics and typos: Thanks for pointing out those relevant work and typos. We will address them in the revision.

[1] Differentially Private Diffusion Models, TMLR 2023.

[2] Differentially Private Latent Diffusion Models, Arxiv 2023.

[3] Differentially Private Diffusion Models Generate Useful Synthetic Images, Arxiv 2023.

I have carefully reviewed the authors' rebuttal and the feedback from other reviewers. I thank for the authors for their comprehensive response and the additional effort they have put into enhancing the manuscript. Specifically, I appreciate the authors to include recent works on private image generation and the almost of my concerns are clarified.

However, as I mentioned in Question1, I think it is hard to inject the conditional generation framework into DP-DRE since the class-wise mapping using IC-GAN is trained with bigger models (i.e., ImageNet) and corresponding class labels cannot be found on private domain such as CIFAR. Can you give me the idea more specifically about them? From my perspective, conditional generation is not selective works for generation tasks, but essential parts, especially for privacy.

Therefore, I will maintain my current score for the manuscript and await the comments of other reviewers.

Thank you for your insightful feedback to our paper! We will include the discussions below in the revision.

Comparison between DP-MGE and DP-MEPF: This is actually an insightful point! It is correct that both DP-MGE and DP-MEPF estimate the first and second order statistics. DP-MGE directly uses the embedding while DP-MEPF instead approximates such embedding. However, DP-MGE has the help of IC-GAN to generate images from given features, while DP-MEPF has to train a generator from scratch to match the statistics. DP-MGE outperforming DP-MEPF actually demonstrates the advantage of adopting the IC-GAN framework.

The justification of the assumption: We agree that especially motivated by [R1] how to leverage out-of-distribution public data for the task of data generation is one important future direction. Alternatively, regarding our assumption that the support of the public data distribution covers the support of the private, with time, this assumption is becoming increasingly true – as foundation models get trained on larger and larger datasets covering larger and larger domains.

Explanation for the results of DP-MGE: Because there is a large gap between DP-MGE and Non-private IC-GAN, this implies that the unimodal Gaussian with the correct mean and variance is very different from the true private distribution in the feature space. Because the mean and variance of the private distribution is not necessary to be the optimal mean and variance in the unimodal Gaussian to describe the private distribution, a small amount of additive noise to the mean and variance estimation is possible to improve the performance.

Comparison between DP-GAN-FT and DP-GAN-MI: This is a very insightful question! DP-GAN-MI is to train a GAN in the feature space, where the image information is already extracted by the pretrained feature mapping. However, DP-GAN-FT is training a GAN in the image space and has to learn more implicit connection between the image space and the latent space, which is harder by intuition.

Thank you for your constructive feedback to our paper!

Comparison with SOTA private training diffusion models: Since the review doesn’t specify the latest methodology, we follow the suggestion from Reviewer 3Hzn and compare our method with [1, 2, 3]. [1] considers the more challenging pure private data/no pre-trained model setting. Consequently, their results apply to image datasets with low-resolution (MNIST, etc.) [2, 3] study DP fine-tuning on a publicly pre-trained model, where the public data is ImageNet – the same as our set-up. As their code does not appear to be publicly available, we will compare performances on CIFAR10, which is reported in their paper. For CIFAR10 – although [2,3] have lower FID scores when $\varepsilon \geq 5.0$, our method DP-DRE starts to outperform [2, 3] when $\varepsilon=1.0$ – DP-DRE has FID score of $20.9$ while [2, 3] have FID scores of $22.9$ and $25.2$. Indeed our method is also tested with $\varepsilon=0.1$ and its FID score still resists at $20.9$! This demonstrates the advantage of our method at the low $\varepsilon$ (high privacy) regime, while their method may do better at high $\varepsilon$ (low privacy) regimes.

The explanation for DP-MEPF: This indeed can be validated by the comparison between DP-MGE and DP-MEPF. Both DP-MGE and DP-MEPF estimate the first and second order statistics, while DP-MGE further utilizes a pretrained decoder in IC-GAN to generate images from the statistics and DP-MEPF trains a generator from scratch to match the statistics. We can observe that DP-MGE is able to generate realistic high resolution images.

Comparison with Diffusion-GAN: As our paper focuses on the privacy-preserving image generation, instead of the effectiveness of the generation model, the hardness is mainly to achieve a great privacy-utility tradeoff (how to inject noise to make it private while keeping a good performance). We have discussed in the related work section that our method has better privacy-utility tradeoff than GAN-based methods with differential privacy in the literature.

[1] Differentially Private Diffusion Models, TMLR 2023.

[2] Differentially Private Latent Diffusion Models, Arxiv 2023.

[3] Differentially Private Diffusion Models Generate Useful Synthetic Images, Arxiv 2023.

Thank you for proposing comparison with meaningful baseline, which helps better demonstrate the advantage of our method empirically.

Comparison with the usage of the foundation model: Filtering out the outputs from a strong foundation model. Indeed, we make this attempt as described in the paragraph “Rejection sampling in the latent space versus the image space” in Section 4.2. IC-GAN is one of the SOTA image generation methods as well and we implement the rejection sampling on the IC-GAN pretrained on ImageNet. Also, notice that DP-DRE is essentially the rejection sampling in the feature space. As stated in the paragraph “Rejection … space”, the DP-DRE has better performance and less computation cost.

Comparing DP-DRE with training a GAN in the feature space: Our baseline DP-GAN-MI is to learn a GAN in the feature space and the empirical results of DP-GAN-MI are much worse than DP-DRE in the private setting. Actually, GAN is to learn a distribution from scratch, while DP-DRE, leveraging the public data, only needs to learn a boundary to select representative data from public data and is not necessary to learn what features should look like. The latter process can be very robust to the noise introduced from the DP algorithm especially when the representative data has a certain margin with the remaining data.

Comparing with advanced other architecture-based methods: Thanks for raising this point. We agree that having a paragraph that summarizes the comparison with other architecture-based methods can help understand the position of our method in the literature and will add the discussion below to our experiment section. GAN-based DP algorithm. As stated in the related work, the GAN-based DP algorithm in the literature is far away from generating realistic high resolution images at the low $\varepsilon$ regime; they are working towards MNIST. Diffusion-based DP algorithm.

1. [1] considers the more challenging pure private data/no pre-trained model setting. Consequently, their results apply to image datasets with low-resolution (MNIST, etc.)
2. [2, 3] study DP fine-tuning on a publicly pre-trained model, where the public data is ImageNet – the same as our set-up. As their code does not appear to be publicly available, we will compare performances on CIFAR10, which is reported in their paper. For CIFAR10 – although [2,3] have lower FID scores when $\varepsilon \geq 5.0$, our method DP-DRE starts to outperform [2, 3] when $\varepsilon=1.0$ – DP-DRE has FID score of $20.9$ while [2, 3] have FID scores of $22.9$ and $25.2$. Indeed our method is also tested with $\varepsilon=0.1$ and its FID score still resists at $20.9$! This demonstrates the advantage of our method at the low $\varepsilon$ (high privacy) regime, while their method may do better at high $\varepsilon$ (low privacy) regimes.

[1] Differentially Private Diffusion Models, TMLR 2023.

[2] Differentially Private Latent Diffusion Models, Arxiv 2023.

[3] Differentially Private Diffusion Models Generate Useful Synthetic Images, Arxiv 2023.

Thank you for your constructive feedback!

The justification of the assumption: Regarding our assumption that the support of the public data distribution covers the support of the private, with time, this assumption is becoming increasingly true – as foundation models get trained on larger and larger datasets covering larger and larger domains. However, note that this does not mean that there is no distribution shift – as the private distribution may assign a lot of probability mass to parts of the space where the public distribution has very low (but still non-zero) mass. An example is when the public data are common objects from all over the world, and private data (e.g. DollarStreat dataset) are the objects from developing countries.

Contributions: While the use of public data and an autoencoder-style pipeline have been investigated in isolation, our main contribution is to find the right algorithmic technique that can obtain good results – namely, the use of IC-GAN to convert the generation problem in the image space into the feature space, and careful design of the distribution learning method in the feature space leveraging the public data again (in the next paragraph, we will explain more about the key advantages of IC-GAN). We agree that the final algorithm is simple, but in this case, simplicity is a strength as it leads to good private performance!

The key advantages of IC-GAN: Thank you for asking this insightful question. DP-DRE has two design ideas and IC-GAN plays a crucial role for the performance of DP-DRE:

1. Converting the generation task from image space to feature space.
   • IC-GAN is such an auto-encoder to make this conversion and it provides a time-efficient way to compute both directions (image$\to$feature, feature$\to$image). By comparison, image$\to$feature in a standard GAN, e.g. stylegan, is well-known as GAN-inversion, which is hard in terms of time complexity and the performance [1].
2. Learning the distribution in a discriminative way to better leverage the public data. Unlike other methods which learn the private distribution from scratch (in the feature space, e.g. DP-GAN-MI), DP-DRE only needs to learn a boundary to select representative data from public data if public data has a subset well representing the private data.
   • A good latent space can make this boundary easier to learn. The latent space in IC-GAN is a self-supervised-learning feature space and both public and private data distribution have good structures in such a feature space. This reason especially makes IC-GAN distinguished from other auto-encoder or generative models. By comparison, for example, the public distribution in the latent space of GAN and VAE is a normal distribution and has less structure to distinguish it from the private data.

[1] Gan inversion: A survey. IEEE Transactions on Pattern Analysis and Machine Intelligence 45.3 (2022): 3121-3138.