Saved in:
Bibliographic Details
Main Authors: Zheng, Yu, Li, Chenang, Li, Zhou, Wang, Qingsong
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2506.22727
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915714755985408
author Zheng, Yu
Li, Chenang
Li, Zhou
Wang, Qingsong
author_facet Zheng, Yu
Li, Chenang
Li, Zhou
Wang, Qingsong
contents Differential privacy (DP) has been integrated into graph neural networks (GNNs) to protect sensitive structural information, e.g., edges, nodes, and associated features across various applications. A prominent approach is to perturb the message-passing process, which forms the core of most GNN architectures. However, existing methods typically incur a privacy cost that grows linearly with the number of layers (e.g., GAP published in Usenix Security'23), ultimately requiring excessive noise to maintain a reasonable privacy level. This limitation becomes particularly problematic when multi-layer GNNs, which have shown better performance than one-layer GNN, are used to process graph data with sensitive information. In this paper, we theoretically establish that the privacy budget converges with respect to the number of layers by applying privacy amplification techniques to the message-passing process, exploiting the contractive properties inherent to standard GNN operations. Motivated by this analysis, we propose a simple yet effective Contractive Graph Layer (CGL) that ensures the contractiveness required for theoretical guarantees while preserving model utility. Our framework, CARIBOU, supports both training and inference, equipped with a contractive aggregation module, a privacy allocation module, and a privacy auditing module. Experimental evaluations demonstrate that CARIBOU significantly improves the privacy-utility trade-off and achieves superior performance in privacy auditing tasks.
format Preprint
id arxiv_https___arxiv_org_abs_2506_22727
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Convergent Privacy Framework for Multi-layer GNNs through Contractive Message Passing
Zheng, Yu
Li, Chenang
Li, Zhou
Wang, Qingsong
Cryptography and Security
Differential privacy (DP) has been integrated into graph neural networks (GNNs) to protect sensitive structural information, e.g., edges, nodes, and associated features across various applications. A prominent approach is to perturb the message-passing process, which forms the core of most GNN architectures. However, existing methods typically incur a privacy cost that grows linearly with the number of layers (e.g., GAP published in Usenix Security'23), ultimately requiring excessive noise to maintain a reasonable privacy level. This limitation becomes particularly problematic when multi-layer GNNs, which have shown better performance than one-layer GNN, are used to process graph data with sensitive information. In this paper, we theoretically establish that the privacy budget converges with respect to the number of layers by applying privacy amplification techniques to the message-passing process, exploiting the contractive properties inherent to standard GNN operations. Motivated by this analysis, we propose a simple yet effective Contractive Graph Layer (CGL) that ensures the contractiveness required for theoretical guarantees while preserving model utility. Our framework, CARIBOU, supports both training and inference, equipped with a contractive aggregation module, a privacy allocation module, and a privacy auditing module. Experimental evaluations demonstrate that CARIBOU significantly improves the privacy-utility trade-off and achieves superior performance in privacy auditing tasks.
title Convergent Privacy Framework for Multi-layer GNNs through Contractive Message Passing
topic Cryptography and Security
url https://arxiv.org/abs/2506.22727