作者你好
我在使用高斯机制，dp=5，mnist数据集的时候，并没有达到你原本在log里保存的dp=5那么高的精度
目前在我的机器中运行dp=5时，精度10-20%左右
在您保存的训练数据中，dp=5最后的精度可达到54%
请问是哪里错误了吗？
图1是我正在训练时的精度，图2是您保存的训练数据精度

你好，我看了你的代码，per_sample_clip这个函数，是裁剪每一层而不是单样本裁剪的意思么？

Hi, thank you very for your great work. When I try to reproduce the results on cifar and shakespeare, I always met the out of memory issue. Could you please tell me how to solve this problem? In addition, does it support multi GPUs? Thank you very much!

你好，我想请问，为什么我在运行这个代码的时候，我发现他不收敛是咋回事呢，精度一直在十几

复现：
git clone https://github.com/wenzhu23333/Differential-Privacy-Based-Federated-Learning.git
cd Differential-Privacy-Based-Federated-Learning
python3 -u main.py --dataset mnist --dp_mechanism Gaussian --dp_epsilon 30 --dp_clip 10
然后就报
Traceback (most recent call last):
File "/home/yangxiyuan/prjs/DPBFL/main.py", line 144, in
w, loss, curLR = local.train(net=copy.deepcopy(net_glob).to(args.device))
File "/home/yangxiyuan/prjs/DPBFL/models/Update.py", line 51, in train
log_probs = net(images)
File "/home/yangxiyuan/anaconda3/envs/unbreakable/lib/python3.10/site-packages/torch/nn/modules/module.py", line 1190, in _call_impl
return forward_call(*input, **kwargs)
File "/home/yangxiyuan/anaconda3/envs/unbreakable/lib/python3.10/site-packages/opacus/grad_sample/grad_sample_module.py", line 148, in forward
return self._module(*args, **kwargs)
File "/home/yangxiyuan/anaconda3/envs/unbreakable/lib/python3.10/site-packages/torch/nn/modules/module.py", line 1190, in _call_impl
return forward_call(*input, **kwargs)
File "/home/yangxiyuan/prjs/DPBFL/models/Nets.py", line 38, in forward
x = F.relu(F.max_pool2d(self.conv1(x), 2))
File "/home/yangxiyuan/anaconda3/envs/unbreakable/lib/python3.10/site-packages/torch/nn/modules/module.py", line 1211, in _call_impl
hook_result = hook(self, input, result)
File "/home/yangxiyuan/anaconda3/envs/unbreakable/lib/python3.10/site-packages/opacus/grad_sample/grad_sample_module.py", line 288, in capture_activations_hook
p._forward_counter += 1
AttributeError: 'Parameter' object has no attribute '_forward_counter'

torch:1.13.0
opacus:1.3.0

呜呜呜呜呜您好，最近在复现您的代码但有一个bug我自己实在调不过来想着问问您 不知道方便留一个联系方式我加您吗😭😭😭😭

作者您好，有件事想要请教一下。这里我认为是对每一层参数分别添加比如方差为10的噪声，这和向所有参数整体添加方差为10的噪声有什么区别呢。那么比如向参数整体添加方差为10的噪声可以满足隐私预算为1的差分隐私定义，向每一层参数添加方差为10的噪声还可以满足隐私预算为1的差分隐私定义吗？这块不是很懂，希望可以得到您的指教。

Hi wenzhu!

In the file dp_mechanism.py, there are two different sensitivity calculations. I understand how the function cal_sensitivity() works, but a bit confused about the function cal_sensitivity_MA(). I wonder why the coefficients of output in the latter function is 1 instead of 2.

I'd appreciate it if you can help, thanks!

您好，非常感谢您愿意开源差分隐私与联邦学习结合相关的代码内容，您的代码对我有不少帮助，但我也有一些问题想请教您，问题如下

1. 根据16年的deep learning with differential privacy那篇文章来看，如果我没有理解错的话使用MA的方法评估epsilon是不是相比Simple Composition，在相同epsilon的情况下算出的噪声系数要更小，如果这样为什么您在readme中展示的准确度的图像的准确度是反过来的，是因为使用MA方法评估的实验还有其它的超参数与Simple Composition不同吗？
2. 我看您的博客中计算敏感度的方法与20年Federated Learning With Differential Privacy: Algorithms and Performance Analysis中的结果相似，该文章提供的算法是本地客户端在完成本地训练之后对将要上传至服务器进行聚合的模型参数进行裁剪与加噪，请问对训练后将要上传至服务器进行聚合的模型参数进行裁剪与加噪和在模型训练时对每一轮中的每一批数据的单独梯度进行裁剪加噪（也就是本项目代码实现的算法）相比，是否前者在性能上要更优（因为不需要借助opacus库中单独拆出每个数据的独立梯度从而导致显存爆炸，且对于每一个本地客户端来说加噪的次数要更少，只是在每次上传前加一次噪声而不是对一本地轮中的每批次数据进行加噪），如果对即将用于聚合的模型参数数据裁剪加噪相比本项目代码的方法存在什么问题，或者是我对20年这篇文章这部分的理解是否存在偏差，这是我目前想到的两个问题，如果您能为我解答我会非常感谢。

再次感谢您提供的开源代码。

Hi wenzhu,

Thanks a lot for this nice code!
I found that with the following code
optimizer = torch.optim.SGD(optimizer = torch.optim.SGD(net.parameters(), lr=self.args.lr, momentum=self.args.momentum))
and in the training step, to zero the gradients of the model, optimzer.zero_grad(), consumes much more resources compared with net.zero_grad().
Generally speaking, optimizer.zero_grad() and net.zero_grad() is equivalent, with the above definition of optimizer.
Is it the problem caused by packalge opacus? I am not quite familar with opacus.

您好，我发现每次训练出来的精度都是相同的，是为什么呢

ModuleNotFoundError: No module named 'tensorflow_privacy.compute_noise_from_budget_lib'

First of all, thank you for your great contribution to the community.
Since the prosperity of LLMs, many researchers are hoping to apply dp-based FL algorithm to this new setting.
Also, it seems that the Ocapus has already had a LLM trainer. So is it pending that this repository will include a new branch on LLMs?
Very looking forward to seeing that. Thanks again!

我看这个MA的sensitivity值计算的函数
def cal_sensitivity_MA(lr, clip, dataset_size):
return lr * clip / dataset_size
想问下为什么还要乘一个learning rate呢😭实在是想不明白

请问代码中的梯度裁剪阈值为什么默认设置为了10，现在主流的设置不是0.1吗？

Hi Wenzhu! I wonder if you can help to share the hyperparameters you used when training the CNN model for cifar10 dataset. For me the best test accuracy that I can achieve when there is no dp is around 34%. Is it the similar story on your side as well? Many thanks!

作者您好，非常感谢您的分享。当阅读您的代码时，我遇到了一些理解上的困难，因为刚刚开始学习这部分内容，可能会有一些过于简单的问题，希望您能够谅解并给予指导。

以您代码中 Laplace 机制的部分为例：

1. 关于敏感度的计算，在您发布的知乎文章中，推荐了 Federated Learning with Differential Privacy: Algorithms and Performance Analysis 这篇文章，其中敏感度的计算方式为 $\frac{2C}{m}$，而您的代码中有乘 lr，为什么需要乘 lr 呢？
2. 客户端代码中调用 Laplace 函数的部分是 np.random.laplace(loc=0, scale=sensitivity * self.noise_scale, size=v.shape)，其中 noise_scale = self.args.dp_epsilon / self.times，在上面那篇文章中，是让 scale >= c * sensitivity / epsilon。为什么需要将计算方式改为敏感度乘以 epsilon / times 而不是除以 epsilon 呢？

期待您的回复！

Hi,

I don't understand how you calculate the sensitivity of DP to determine the noise level for the gradients. For example for a local dp process, can you recommend a way to compute sensitivity for this code block?

class Laplace:

def __init__(self, *, epsilon, delta=0.0, sensitivity):
    self.scale = float(sensitivity) / (float(epsilon) - np.log(1 - float(delta)))

def compute_noise(self, size):
    return torch.tensor(np.random.laplace(loc=0.0, scale=self.scale, size=size))

In literature, it is said that sensitivity is computed by measuring the change in the output of the model by removing or changing an input.

Thanks for your good work!

Maybe this should be equal to Laplace ?

你好，我在运行命令：python main.py --dataset mnist --model cnn --dp_mechanism Gaussian --dp_epsilon 10 --dp_delta 1e-5 --dp_clip 10时报错
D:\Anaconda\envs\gym_gpu\lib\site-packages\torchvision\datasets\mnist.py:65: UserWarning: train_labels has been renamed targets
warnings.warn("train_labels has been renamed targets")
GradSampleModule(CNNMnist(
(conv1): Conv2d(1, 10, kernel_size=(5, 5), stride=(1, 1))
(conv2): Conv2d(10, 20, kernel_size=(5, 5), stride=(1, 1))
(conv2_drop): Dropout2d(p=0.5, inplace=False)
(fc1): Linear(in_features=320, out_features=50, bias=True)
(fc2): Linear(in_features=50, out_features=10, bias=True)
))
Traceback (most recent call last):
File "D:\PyCharm\备份\Differential-Privacy-Based-Federated-Learning-master\main.py", line 147, in
w, loss = local.train(net=copy.deepcopy(net_glob).to(args.device))
File "D:\PyCharm\备份\Differential-Privacy-Based-Federated-Learning-master\models\Update.py", line 57, in train
log_probs = net(images)
File "D:\Anaconda\envs\gym_gpu\lib\site-packages\torch\nn\modules\module.py", line 1501, in _call_impl
return forward_call(*args, **kwargs)
File "D:\Anaconda\envs\gym_gpu\lib\site-packages\opacus\grad_sample\grad_sample_module.py", line 148, in forward
return self._module(*args, **kwargs)
File "D:\Anaconda\envs\gym_gpu\lib\site-packages\torch\nn\modules\module.py", line 1501, in _call_impl
return forward_call(*args, **kwargs)
File "D:\PyCharm\备份\Differential-Privacy-Based-Federated-Learning-master\models\Nets.py", line 38, in forward
x = F.relu(F.max_pool2d(self.conv1(x), 2))
File "D:\Anaconda\envs\gym_gpu\lib\site-packages\torch\nn\modules\module.py", line 1547, in _call_impl
hook_result = hook(self, args, result)
File "D:\Anaconda\envs\gym_gpu\lib\site-packages\opacus\grad_sample\grad_sample_module.py", line 288, in capture_activations_hook
p._forward_counter += 1
AttributeError: 'Parameter' object has no attribute '_forward_counter'

作者你好，看到您和另一个人在讨论加噪的问题。我这里有几点疑问，我也是刚开始学DP+FL不久，希望能得到您的解答。
看到您说这份代码是对梯度进行加噪。我问了下GPT，他说state_dict是模型的参数，并不是梯度，提的是模型的参数。

如果是对梯度加噪的话，我看某些论文需要在加噪后还需要除以批量样本数，但我在您的代码里并没有找到这个操作，是我哪里理解错了吗？

想问一下大佬有没有试过用Opacus直接进行差分隐私的添加，我这边用Opacus不同的差分预算的准确率却差不多，很奇怪

您好，我想要更改本地训练回合，这样需要怎么改，会出现什么问题？我修改本地训练回合是为了和我之前做的实验保持实验环境一致。

I am trying to implement client-level differential privacy where noise is added during the federated averaging step. To estimate epsilon at the step, I am using say gradient clipping S and a noise multiplier z. From there I calculate sigma = z*S/q, where q is the sampling rate of clients (if um_clients = 5 and q = 0.6, then the clients participating in federation each round = 5 * 0.6 = 3).

So now, I am using this sigma parameter as variance for adding Gaussian noise, like N(0, sigma*sigma). I am using tensorflow privacy to estimate epsilon value, where it takes as input (sampling rate, noise multiplier, epochs, and delta=1e-5). What should I set as the value of epochs for client-level DP? Number of federation rounds (maybe 10) or the number of local epochs of all clients (maybe 300 per client)?

您好，想问一下几个问题
1.每一层能否使用不同的隐私预算进行加噪，如果用这种方式，那么总隐私消耗应该怎样计算呢
2.使用f-DP进行隐私预算的计算方法，是与RDP转(ε,δ)-DP的方法类似的嘛