On the Ability of Developers' Training Data Preservation of Learnware

Many thanks for the constructive reviews!

---

Q1: I am a bit confused with regards to Theorem 3.4: Is Theorem 3.4 proven for the $\delta=0$ case or is it proven for a specific $\delta$ ? Intuitively, the overlap of a continuous distribution and a discrete distribution of synthetic data should be zero for $\delta=0$ regardless of how the number of discrete synthetic points. So I feel I am missing something.

A1: Thank you for your thorough review of Theorem 3.4 and for raising specific questions! Indeed, Theorem 3.4 is proven for the $\delta = 0$ case, but this is not a trivial case:

In our paper, the consistency risk is defined as $R\_C(\mathcal{P}) \triangleq \mathbb{E}\_{D \sim \mathcal{P}^n}\left(\mathbb{I}\_{Z\_\delta \cap D\_\delta \neq \emptyset}\right)$. Therefore, we are concerned not with the overlap of a continuous distribution and a discrete distribution of synthetic data, but with the probability that a dataset sampled from the continuous distribution overlaps with the synthetic data generated from that dataset. The value of $R_C(\mathcal{P})$ at $\delta = 0$ strongly depends on the properties of method of generating synthetic data. For example, if we replace the commonly used Gaussian kernel in RKME, $k\left(\boldsymbol{x}_1, \boldsymbol{x}_2\right)=\exp \left(-\gamma\left|\boldsymbol{x}_1-\boldsymbol{x}_2\right|_2^2\right)$, with a Laplacian kernel, $k\left(\boldsymbol{x}_1, \boldsymbol{x}_2\right)=\exp \left(-\gamma\left|\boldsymbol{x}_1-\boldsymbol{x}_2\right|\right)$, it can be shown through analysis of its nonlinear equations that for any dataset, the generated synthetic data in RKME will always contain points from the original dataset. In this case, even if $\delta = 0$, the $R_C(\mathcal{P})$ for RKME with the Laplacian kernel would be $1$. Therefore, the proof in our paper that $R_C(\mathcal{P})$ for RKME with the Gaussian kernel is $0$ when $\delta = 0$ is non-trivial and relies on the analysis of nonlinear equations involving the Gaussian kernel.

In the paper, we separately prove the $\delta = 0$ case because it has some geometric intuition and provides insights for the proof of the $\delta > 0$ case. In future versions, we will make the significance and position of this example clearer in the text.

---

Q2: Also I am still not sure which is the δ chosen for Theorem 3.5. Can you explain this more?

A2: Thanks for your valuable feedback!

A detailed discussion on the selection of $\delta$ can be found in Appendix D. Here, we provide a simple understanding and discussion. The meaning of $\delta$ is that we want the synthetic data to differ from the real data by at least $\delta$ to ensure that the real data does not appear in the synthetic data. Therefore, $\delta$ is related to the scale of the data. When the overall data scale is small, it is impossible to ensure a $\delta$ larger than the data scale to ensure privacy. Additionally, $\delta$ is related to the number of real data points. For example, when there are many real data points, they become very dense in $\mathbb{R}^d$, and the distance between real data points becomes very small. In this case, the feasible $\delta$ will also become correspondingly smaller. Hence, in the proof of Theorem 3.5, $\delta$ is chosen as $\frac{R}{n}$, where $R$ is the upper bound of the data and $n$ is the number of samples.

A simpler and more relaxed form of this selection is to directly choose the smallest different sample distance in the sample set, as it is easily shown to be less than $\frac{R}{n}$. However, this approach provides users with a clear metric: they can use the smallest sample distance in their data set to measure the strength of privacy protection we can offer. Therefore, we have provided this easier-to-understand form in the paper. In future versions, we will provide a more detailed explanation of the selection of $\delta$ in Section 3.

---

Q3: I am a bit confused about the linkability privacy game. ... why is the random $b$ introduced in the game?

A3: Thanks for your feedback!

The cases $b=0$ and $b=1$ indeed represent two completely independent subgames, and the random bit $b$ is a common and necessary setup in the privacy game. The random bit $b$ serves to indicate to the adversary whether the dataset provided is the real dataset. Without the random bit $b$, the adversary would still attempt to attack using some method even if they obtained the original dataset. Many membership inference attacks (e.g., black-box attacks) use a confidence estimation approach, and even with the original dataset, they cannot always provide a completely correct conclusion. In the linkage privacy game, we naturally want the adversary to be able to accurately determine conclusions if they have the original dataset. Therefore, we include a random bit $b$ to be sent to the adversary along with the dataset.

Moreover, the random bit $b$ plays a crucial role in the subsequent inference privacy game, as obtaining the original dataset does not necessarily lead to correct attribute inference (there could be samples with completely overlapping attributes except for the target attribute).

---

Q4: I think the clarity of Sections 3 and 4 can be significantly improved, so that they can be more approachable to a broader audience.

A4: Thanks for the constructive feedback!

We will address the two points mentioned by the reviewer in future versions as follows:

1. We will revise the order of Section 3, presenting the proof sketch first to give readers a preliminary understanding, followed by a detailed proof according to its logic.
2. We will provide more intuition in Sections 3 and 4, and move some of the more complex parts to the appendix as appropriate.

---

In the end, we take this opportunity to sincerely thank you for the careful review, your suggestions are very insightful and important for further improving the paper. We are happy to provide further clarifications if needed in the following author-reviewer discussions.

Many thanks for the constructive reviews!

---

Q1: The paper focuses on theoretical proofs and lacks extensive empirical evidence to support the effectiveness of the RKME specification in real-world scenarios.

A1: Thanks for the feedback! We are not entirely sure whether the "effectiveness of the RKME specification in real-world scenarios" you mentioned refers to the effectiveness of RKME in Learnware search or its effectiveness in protecting privacy while performing search tasks well. Therefore, we will provide a detailed discussion on both aspects below:

1. For Learnware search, in current learnware research, almost all data types that use RKME with Gaussian kernel as a specification have achieved very good results. [Liu et al., 2023] demonstrated through experiments that for tabular data, using RKME with Gaussian kernel for Learnware search significantly outperforms searching in the learnware market without a specification. Similarly, [Wu et al., 2023] have shown that image data, after feature extraction, can use RKME with Gaussian kernel and achieve good experimental results. It is important to note that the core contribution of our work is providing theoretical guarantees that RKME can protect user data privacy, while the effectiveness of RKME in Learnware model search is not within the scope of discussion of this paper.

2. For the effectiveness of RKME in protecting data privacy in real-world scenarios, we carried out detailed experiments, the results of which can be found in the global response to all reviewers. Additionally, we have provided an analysis of our experimental results in the global response to all reviewers. It is worth mentioning that our experimental results match our theory well and demonstrate that RKME effectively protects data privacy while performing Learnware search tasks efficiently.

If you still have any concerns, we are looking forward to addressing any further questions during the reviewer-author discussion period!

---

Q2: The analysis primarily hinges on the assumption that the RKME specification works optimally with certain types of data distributions and kernel functions.

A2: Thanks for the feedback! Our theoretical analysis does not make non-trivial assumptions about data distributions, and our analysis is also applicable to a broad class of kernel functions. We chose the Gaussian kernel for our proofs because it is widely recognized as the best kernel for the MMD (maximum mean discrepancy) distance. Here is a detailed explanation:

1. Note that in proving Theorem 3.4, we show that it holds for any continuous distribution. In the subsequent remark following Theorem 3.4, on line 165, we further discuss the applicability of Theorem 3.4 to discrete distributions. The conclusion of Theorem 3.5 is derived based on Theorem 3.4, so the assumptions are consistent. Therefore, our theory is not limited to specific types of data distributions.

2. In learnware research, one of the most representative distribution metric, MMD(maximum mean discrepancy), is used to calculate distribution distance. MMD distance with characteristic kernel is commonly used in various scenarios, such as applying MMD in GAN on image data, and the gaussian kernel is the most commonly used. Thus, following the tradition in most field using MMD as distribution metric, we mainly conduct the theoretical analysis on RKME with gaussian kernel.

   However, our analysis method is highly applicable to Kernels with nonrationality and analyticity. These properties determine whether the synthetic data in RKME are locally homeomorphic to the manifold of the sample space. Therefore, kernels that satisfy these properties (such as the Sigmoid kernel $K(x, y)=\tanh \left(\gamma x^T y+r\right)$, Cauchy kernel $K(x, y)=\frac{1}{1+\gamma|x-y|^2}$, etc.) can undergo a similar analysis and reach the same conclusion as Proposition 3.2 and Proposition 3.3.

   For these kernels, the bound appearing in Theorem 3.5 should be estimated differently for each kerne For the Gaussian kernel, we used linearization and isoperimetric inequalities in our proof to estimate sub-manifold within the manifold formed by the samples, which is also where the difficulty of this problem lies. For other kernels, similar conclusions can be reached after selecting appropriate methods for estimation.

---

We greatly appreciate the your feedback! We hope our responses have clarified our work. If you still have any concerns or feel unfamiliar with certain aspects, we are looking forward to addressing any further questions during the reviewer-author discussion period!

Many thanks for the constructive reviews! We provide detailed responses below, and hope the reviewer could reassess the significance of our results. We are looking forward to addressing any further question in the reviewer-author discussion period.

---

Q1: Is the Learnware market currently operational in the wild? ... For example, scale of daily uploads & downloads?

A1: Thanks for the feedback!

Yes. Recently, the first learnware dock system, Beimingwu, has been built and released [1,2]. With a novel specification-based architecture, the system can significantly streamline the process of building machine learning models for new tasks, by automatically identifying useful models. The system provides implementations and extensibility for the entire process of the learnware paradigm, including the submission, usability testing, organization, identification, deployment, and reuse of learnwares. The core engine is also released as learnware package [3].

The Beimingwu system is currently primarily serving as a research platform for learnware studies. Although it is only open to the academic community, it has already been registered by over 500 researchers from more than 150 universities.

[1] Beimingwu: A Learnware Dock System. KDD 2024.

[2] Website: https://bmwu.cloud/

[3] Learnware package: https://learnware.readthedocs.io/

---

Q2: Please describe how the Learnware approach outperforms existing ML model-sharing infrastructure ... reading through its data and model cards, benchmark and performance reviews, and trying it out in the online UI insufficient?

A2: Thanks for the detailed feedback!

The biggest advantage of Learnware compared to existing ML model-sharing infrastructures lies in model search with specification. As you mentioned in your example, reading through data and model cards, benchmarks, and performance reviews can certainly help determine a good model, but when there are lots of models in the library, it is difficult to try each one individually, which necessitates model search. General existing ML model-sharing infrastructures can only perform keyword or language description searches. Since they cannot access specific user task data, such searches are imprecise and require users to try the search results themselves.

In Learnware, besides using language description information (which we refer to as semantical specification), we also use the RKME-based statistical specification mentioned in this paper to describe the user's specific task for precise model localization. This allows users to search for models in the market that are more suitable for their specific tasks.

To our best knowledge, for the first time, the learnware paradigm formally proposes to build a large model platform consisting of numerous high-performing models with specifications, and enable users to easily leverage existing models to solve their tasks. Recently, utilizing the large model platform to solve new learning tasks has witnessed a rapidly increasing attention, notably the Hugging Face platform, hosting over half a million models. Thus identifying truly helpful models becomes more and more difficult. Based on a novel statistical-specification-based architecture, learnware system aims to automatically identify and assemble high-performing models suitable for user tasks, with no need for extensive data and expert knowledge, while preserving data privacy we proved in this paper.

---

Q3: The paper could do a better job of describing how the analyses build on and fit into the larger body of work on related tasks. Which of the theoretical analyses are novel compared to prior geometric analyses or privacy works?

A3: Thanks for the feedback. To the best of our knowledge, our work is the first to use geometric analyses to study privacy. The theories and related analytical methods are completely original and provide significant contributions to the field of privacy:

1. The problem we mainly focus on is the privacy of synthetic data brought by data compression. However, related work (e.g., data distillation/data condensation) mainly explores privacy properties through experiments without theoretical guarantees. This is because the most mainstream privacy theoretical analysis framework, differential privacy (DP), is difficult to apply to compressed synthetic datasets. Thus, theoretical analysis methods for the privacy of compressed data have always been lacking. Our paper provides the first theoretical analysis attempt for RKME, a special form of data compression.
2. The essential difficulty in analyzing the privacy of RKME-compressed synthetic datasets lies in the fact that RKME is the optimal solution to a non-convex nonlinear system of equations involving a Gaussian kernel. Solving the optimal solution for non-convex problems involving Gaussian kernels has been an open problem. However, in geometric analyses, we found a way to analyze the properties of the solution without solving this non-convex nonlinear system. Our newly proposed technique may prove to be highly useful in analyzing the properties of solutions to specific forms of non-convex problems.

---

Q4: Is it possible to experimentally ... to find an appropriate model?

A4: Thanks for your constructive feedback! We have carried out detailed experiments, the datasets, settings, and results of which can be found in the global response to all reviewers. We have also analyzed the experimental results in the global response to all reviewers, and the empirical findings align closely with our theories.

---

We once again thank you for your constructive comments! We believe that the Learnware paradigm is extremely important and general, and our research occupies a non-negligible position in both the learnware and privacy communities. We hope the above replies will address your concerns and would appreciate a reevaluation of our paper's score!