We are setting up a Federated Learning System including differential privacy and we have noticed that the implementation of the SVTProtocol is not consistent with the implementation in the paper Li et al., Privacy-preserving Federated Brain Tumour Segmentation, arXiv:1910.00962. The implementation differs from the paper in the following points:
- calculation of the threshold, Algo 2, Line 5: In the paper it is
Lap(s/eps_2)and in the implementation
- calculation of eps_2: The paper proposes
eps_2 = ((2qs)**(2/3)) * eps_1and in the implementation it is
eps_2 = ((2q)**(2/3)) * eps_1
- calculation of threshold noise, Algo 2, Line 8: In the paper it is
Lap(2qs/eps_1)and in the implementation
- calculation noisy answer, Algo 2, Line 9: In the paper it is
Lap(qs/eps_3)and in the implementation
The following questions arise for us now:
- is the implementation correct and what are the thoughts behind the changes?
- what guarantee does the implemented algorithm have? Is the guarantee
(eps_1 + eps_2 + eps_3)-DPfrom the paper still valid?
Thank you for your support!
All the best,