R5-1. Differential privacy

Please see GC1.

Thank you for the reply. This is the so-called post-processing property of DP: no matter what data-independent function you apply on the DP output (stochastic or not), the epsilons will not increase (they can decrease though). Thus your privacy guarantees will not get worse with the Bernoulli sampling procedure. But I can imagine that the Bernoulli sampling part could even amplify the privacy guarantees. But that should be then shown mathematically, how much amplification happens. And in case you are not actually using the amplification, as I understand, that should also be clearly stated and also the used privacy bounds should be clearly stated (if they are, e.g., the RDP-bounds of the Gaussian mechanism).

Thanks for providing valuable feedbacks and various concerns that arise in our work.

As can be seen from Appendix A of our manuscript, after clipping the noise-injected $\theta$, the privacy budget we have becomes $\epsilon_{amp}\leq min\{\epsilon, d\gamma_{\alpha}(c)\}$. Here, during the noise injection process, the variance $\sigma^2$ of the Gaussian noise should become a function of $\epsilon$, which controls the level of privacy we guarantee. Overall, the perturbing $\theta$ is necessary to guarantee a certain level of privacy. Regarding the privacy amplification, our intention was to theoretically show that the privacy bound can become tighter (or at least does not compromise the bound) by taking advantage of Bernoulli sampling. Depending on various parameters and the model size, it may or may not be amplified, but the key point here is that since we have applied $(\epsilon, \delta)$-dp to $\theta$, there is no case that the privacy bound falls below $\epsilon$.

R4-1. Experiment with other losses.

Please see GC1 and R1-1. We want to clarify the distinction between our approach and baselines. Baselines typically train the weights using GAN loss, while PRISM employs the MMD loss to find the SLT within the dense network. If an SLT is introduced into a baselines method, it essentially becomes PRISM. In that case, there is a potential question to consider whether strong performance emerges when GAN loss is applied to PRISM. To handle this curiosity, we conducted an experiment which utilizes GAN loss as score function for SLT, not MMD loss. In order to learn the generator by GAN loss instead of MMD loss, each client learns the discriminator and generator adversarially. After the local training is completed, the server aggregates and returns only the generator. As seen in Figure.10, the unstable GAN loss fails to find the SLT and proceed the FL normally, which implies that MMD loss is suitable for decentralized setting and SLT.

R4-2. Differential privacy

Please see GC1.

R4-3. Limited novelty

Please see GC2.

R4-4. GAN is out of fashion

The tackiness of GAN is discussed in GC1, GC2. Additionally, the reviewer’s question seems to be intended for DDPM, which has recently shown strong performance. Although we have been empirically confirmed that SLT works successfully, there are still several limitations such as slow convergence. We would like to clarify that PRISM uses MMD loss, while the baselines employ GANs. As you mentioned, it’s true that the popularity of GANs has declined with the emergence of diffusion models, but GANs still offer valid advantages such as simplicity and fast inference times [1]. While it’s possible to apply diffusion models to FL setups, the introduction is not straightforward in FL, where communication efficiency becomes a bottleneck. This is because diffusion models require substantial computational resources and slow convergence due to the iterative learning. Importantly, there should be discussions considering various ways in the field of FL for generative models.

R4-5. Other minor comments in Misc.

Corrected.

[1] Kang, Minguk, et al. "Scaling up gans for text-to-image synthesis." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2023.

R1-3. Which architecture is used? Does the choice matter?

We have consistently utilized the ResNet-based generator for both our method and all baseline methods to ensure a fair comparison. Our detailed analysis, shown in Figure 4, compares performance while controlling for the number of parameters. The results demonstrate that PRISM outperforms the other baseline methods, even when matched for capacity and network structure. In addition, our method works generally well for different architectures. Basically, SLT just presumes that a dense network is sufficiently overparameterized to find a useful subnetwork. This implies that SLT has robustness with architecture. To validate our argument, we will evaluate architectures frequently used in generative models. When ongoing experiments are completed, we will update you.

(updated)

We applied various generator architectures that have been studied in the field of generative models to the architecture of PRISM and compared their performance. Review can find the results in Table.8. We kept all settings, including DP, consistent with our framework. Our default configuration is a ResNet-based generator, and architectures such as DCGAN and SNGAN show robust performance on MNIST but exhibit a slight advantage depending on the architecture in CelebA. PRISM can somewhat follow the performance of the architecture since it extracts a subnetwork from the dense network. Still, it consistently finds a stable SLT for various structures.

R1-4. How does random mask learning benefit from multiple-round federated learning?

We interpret your question as probing why we opt for multiple-round learning rather than identifying a Strong Lottery Ticket (SLT) at each client side and then aggregating the final mask in a one-shot manner at the server. To answer this, we draw an analogy between each local dataset in our method and a mini-batch in traditional centralized SGD. In this comparison, one-shot aggregation is akin to optimizing with a very large step size. It is well-known in optimization theory that training with a large step size and few epochs can often lead to local minima. Coming back to the perspective of federated learning, by aggregating the scores (or binary masks) of each client through multiple rounds, our goal is to find the global lottery ticket that is not biased towards specific local dataset. To support our opinion, we conducted an experiment in which we performed single aggregation after overfitting MNIST dataset to 500 local iterations. The results can be found in Appendix.C. We observe that it fails to generate proper images.

R1-5. Differential privacy

Please see GC1.

R1-1. Why can SLT outperform a fully trained generative model? Why is MMD loss effective?

We interpret your question as probing why the combination of SLT and MMD loss performs so well. We will divide the reviewer’s question into three parts for clarity:

(1) Effectiveness of SLT: Previous research has theoretically shown that in large, randomly initialized models, there often exists a 'strong lottery ticket'--- a subnetwork capable of matching or even surpassing the performance of the full model [1]. To illustrate, consider the analogy of the Library of Babel, where a vast repository of all possible combinations of text exists. In such a library, the probability of finding meaningful books is not negligible. Similarly, in a large enough model, strong and effective subnetworks are likely to exist. This intuitive analogy serves as a foundation for understanding the concept of SLT. Consequently, when such a strong lottery ticket is identified, it has the potential to provide a comparable or sometimes even better performance than fully trained GAN-based models.

Of course, while the theoretical existence of SLTs is significant, the practical challenge lies in the methodology to locate these optimal subnetworks. This requires the careful development of a score function and algorithm tailored to the specific task at hand, which is a highly nontrivial endeavor. (Our contribution lies in this realm, developing a framework that effectively addresses the challenge of creating a federative generative model) Understanding this framework sets the stage to address the reviewer's next question: the effectiveness of MMD loss.

(2) Effectiveness of MMD Loss: MMD loss functions by minimizing the mean distance between samples in the Reproducing Kernel Hilbert Space (RKHS). Theoretical evidence suggests that distributions are identical when their statistics in RKHS coincide [2][3]. In practice, this translates to each client computing the L2 distance from the global model to its RKHS statistics during local training, effectively measuring the MMD distance for global statistics. This statistical approach underlies MMD's superiority over traditional GAN-based methods when combined with SLT. This method, as analyzed in the context of WGANs, suggests that MMD, being a distance function, provides more stability in training compared to divergence-based methods like traditional GANs.

This stability is crucial in federated learning environments, where training can be erratic and unstable due to the inherent challenges such as heterogeneous data distributions across clients. The ability of MMD loss to consistently measure distances in RKHS contributes significantly to mitigating these challenges, thereby enhancing model performance and reliability. Thus, our model leverages the combination of SLTs and the stable training dynamics of MMD loss to achieve its notable performance.

(3) Comparing GAN and MMD loss: GAN loss is known for its instability and requires extensive regularization and careful training management. To further confirm the advantage of using MMD loss in our setup, we have also explored the possibility of using the GAN loss to find SLT (Figure 10). Due to the inherent training instability of GAN loss, particularly in federated learning settings with data heterogeneity, this approach proved ineffective. Experiments using GAN loss instead of MMD in our PRISM framework resulted in collapsed images, emphasizing GAN loss's unsuitability for SLT in decentralized environments. Nevertheless, as you rightly pointed out, MMD does have limitations in handling large, complex datasets. Exploring alternative frameworks to overcome these challenges is an intriguing direction for future research.

[1] Ramanujan, Vivek, et al. "What's hidden in a randomly weighted neural network?." Proceedings of the IEEE/CVF conference on computer vision and pattern recognition. 2020.

[2] Gretton, Arthur, et al. "A kernel two-sample test." The Journal of Machine Learning Research 13.1 (2012): 723-773.

[3] Gretton, Arthur, et al. "A kernel method for the two-sample-problem." Advances in neural information processing systems 19 (2006).

R1-2. Limited novelty Please see GC2.

...

Please refer the remaining responses in the [Responses 2/2].

I'd like to thank the authors for providing such an informative response. However, as noted by the authors and other reviewers, there are a lot of things to discuss and improve in the paper, such as the difference between prior work and PRISM, privacy analysis, experiments, and some design choices. I am particularly concerned about the privacy part. The authors originally seem to make a wrong statement about the privacy cost of masking ($\varepsilon$ is larger than zero), and the corresponding experiments are also problematic (e.g., Table 2 still claims a privacy-preserving property for the proposed method). Even in the GC, the epsilon values seem not convincing. It may take some time to fix thoroughly.

Overall, though I appreciate the interesting application, I'd lean to rejection concerning the current presentation.

R2-1. Highlight and give credit to FedPM

As the reviewer suggested, we will more clearly outline the relationship between our research and prior works, including FedPM.

R2-2. Limited novelty. Why rename FedPM as PRISM?

Regarding the perceived limited novelty and the renaming of FedPM to PRISM, please see GC2 for a detailed explanation.

As outlined in GC2, our domain faces a significant gap in research that attempts to consider both privacy and communication efficiency simultaneously. This gap, particularly in the context of various losses and frameworks for GANs, results in existing methods underperforming. Our approach addresses this by integrating the MMD loss, which aids in the stable identification of SLT. We also incorporated elements from the decoder structure to improve performance without significantly increasing communication costs. Given these enhancements, we decided to name our method PRISM to reflect its distinctiveness and advancements. Nonetheless, in our revised submission, we will make sure to clarify the evolution from FedPM to PRISM, enabling readers to clearly understand the continuity and progression of ideas.

R2-3. Differential privacy

Please see GC1.

I thank the authors for the rebuttal. The privacy experiments seem rather limited since the privacy cost $\epsilon=50$ is too high. Also, it's not clear how the privacy amplification is used here without knowing the Renyi privacy parameter $\alpha$ since there is no amplification if $d \gamma_{\alpha}(c) > \epsilon$.

I appreciate the authors' efforts in extending FedPM framework to generative models. I believe this could be seen as an important contribution when it's presented in a different way by giving enough credit to the original work and highlighting the necessary modifications.

Thank you for your insights and constructive opinions. Your efforts have been a great help in developing our work!

Concerning privacy amplification, we aim to theoretically demonstrate that the privacy bound can be strengthened (or, at the least, remains uncompromised) through the utilization of bernoulli sampling. The degree of amplification may vary depending on different parameters and the model size. However, the crucial aspect is that, given the application of $(\epsilon, \delta)$-dp to $\theta$, there is no scenario where the privacy bound descends below $\epsilon$.

R3-1. Differential privacy

Please see GC1.

R3-2. Comparison to traditional FL

Since PRISM uploads binary masks instead of float-type weights, PRISM can save communication costs up to 32 times compared to traditional FL. The comparison of efficiency between PRISM and traditional FL can be found in Table.1,2, and 3. On the aspect of security, particularly against attacks aiming to infer clients' local datasets, PRISM offers robust protection. This security is primarily attributed to three factors. First, even if an attacker hijacks the mask used in PRISM, without knowledge of the client's architecture, the information gleaned is effectively meaningless. Second, even if the attacker is aware of the architecture, the lack of precise information about the random initialization renders any attempt to decode the client's data futile. Third, PRISM incorporates differential privacy (DP) techniques. It is well known that DP can prevent various attacks in decentralized environments. For more details on DP, please see GC1 and R3-3.

R3-3. DP in generative model

Differential privacy is an algorithm designed to reduce the influence of single elements on output. Let’s suppose M is a mechanism that we want to guarantee privacy, such as neural network. With adjacent datasets D, D’, M is $(\epsilon, \delta)$-differential privacy when $P(M(D)) \leq e^{\epsilon}P(M(D’)) + \delta$ is satisfied. Also, by composability, if all components of M satisfy DP, M itself also satisfies DP. Since generative model is a stacked layer, DP guarantees privacy in generative models.

R3-4. Comparison with SOTA (e.g., Multi-FLGAN).

Multi-FLGAN introduces multi-GAN, competing X generators and Y discriminators to select the best-performing generator. Consequently, there exist X*Y sync servers. While Multi-FLGAN achieves excellent performance and stability, it demands a substantial amount of computation resources. According to the paper, authors used four V100 GPUs for experiments on MNIST and FMNIST. However, we agree that comparing PRISM with SOTA models can enhance the contribution of PRISM. We will apply differential privacy to Multi-FLGAN and update the results when experiments are completed.

(updated)

As we discussed above, Multi-FLGAN employs a complex architecture involving multiple generators and discriminators ($X\times Y$ of each per client), with the server aggregating $N\times X\times Y$ models, where $N$ is the number of clients. Our comparison between PRISM and Multi-FLGAN[1] involved a scaled-down Multi-FLGAN setup ($X=2, Y=2$) due to its high resource demands.
The table below details our findings, comparing the standard Multi-FLGAN (default setup introduced in the original paper) and an modified version, Multi-FLGAN+DP version, which incorporates differential privacy ($(\epsilon, \delta)=(9.8, 10^{-5})$) for a fair comparison to PRISM and other baseline models. We observed significant performance degradation in Multi-FLGAN when applying DP, likely due to its complex framework involving both generators and discriminators. This raises to two key concerns: DP suitability: The complex framework of Multi-FLGAN limits its effectiveness when DP is applied, suggesting that the framework may not be ideally suited for privacy-preserving FL scenarios. Resource and Communication Overheads: The architecture demands extensive training resources and incurs high communication overhead, posing challenges for practical deployment, especially in resource-constrained environments.

[1] Amalan, Akash, et al. "MULTI-FLGANs: Multi-Distributed Adversarial Networks for Non-IID distribution." arXiv preprint arXiv:2206.12178 (2022).

Our response about the comparisons with other SOTA (e.g., Multi-FLGAN) is updated in R3-4.

GC2. Lack of Novelty We appreciate the reviewer's observation regarding our method's foundation on the principles outlined in [1] and [2]. It's true that our research can be viewed as an A+B type, where we have combined the concept of Strong Lottery Tickets (SLT) in generative models with the federated learning framework of FedPM. However, the novelty and significance of our work lie in the successful application and adaptation of these ideas to a new and challenging domain – federative generative models.

Federative generative models, particularly in non-IID settings, have been relatively unexplored and pose unique challenges. Traditional federative learning (FL) methods, especially those based on GANs, often suffer from performance issues in these scenarios. Our research addresses this gap by developing a more stable algorithm tailored for federative generative models.

To effectively integrate the concepts from [1] and [2], we encountered and overcame several new challenges. For instance, the mere communication of masks, as suggested in conventional FL, proved insufficient for the complex task of image generation in non-IID FL settings. This led us to devise a novel hybrid score-mask communication strategy, enabling us to finely balance image generation quality with communication load. This strategy, along with other components like weight initialization and ternary quantization, was pivotal in adapting the SLT concept to the unique demands of federative generative models.

Furthermore, our work pioneers the application of these ideas in the context of challenging non-IID federative generative model settings. We are the first to demonstrate successful image generation on datasets like CelebA under distributed and privacy-conscious settings, which marks a significant advancement in this field.

In summary, while our research builds upon existing work, the value of our contribution lies in the unique application, adaptation, and overcoming of specific challenges in a relatively unexplored domain. This not only validates the A+B approach but also extends it by adding new dimensions and insights, thereby advancing the field of federative generative models.

We will clarify these points in our manuscript and state the relationship to the prior works more clearly as the reviewers suggested. We hope that these new findings as well as new technical contributions could be acknowledged by the reviewers.

[1] Isik, Berivan, et al. "Sparse random networks for communication-efficient federated learning." arXiv preprint arXiv:2209.15328 (2022). [2] Yeo, Sangyeop, et al. "Can we find strong lottery tickets in generative models?." Proceedings of the AAAI Conference on Artificial Intelligence. Vol. 37. No. 3. 2023.