Saved in:
Bibliographic Details
Main Authors: Xu, Ruichen, Chen, Kexin
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.04881
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910148282286080
author Xu, Ruichen
Chen, Kexin
author_facet Xu, Ruichen
Chen, Kexin
contents Differentially private learning is essential for training models on sensitive data, but empirical studies consistently show that it can degrade performance, introduce fairness issues like disparate impact, and reduce adversarial robustness. The theoretical underpinnings of these phenomena in modern, non-convex neural networks remain largely unexplored. This paper introduces a unified feature-centric framework to analyze the feature learning dynamics of differentially private stochastic gradient descent (DP-SGD) in two-layer ReLU convolutional neural networks. Our analysis establishes test loss bounds governed by a crucial metric: the feature-to-noise ratio (FNR). We demonstrate that the noise required for privacy leads to suboptimal feature learning, and specifically show that: 1) imbalanced FNRs across classes and subpopulations cause disparate impact; 2) even in the same class, noise has a greater negative impact on semantically long-tailed data; and 3) noise injection exacerbates vulnerability to adversarial attacks. Furthermore, our analysis reveals that the popular paradigm of public pre-training and private fine-tuning does not guarantee improvement, particularly under significant feature distribution shifts between datasets. Experiments on synthetic and real-world data corroborate our theoretical findings.
format Preprint
id arxiv_https___arxiv_org_abs_2603_04881
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Differential Privacy in Two-Layer Networks: How DP-SGD Harms Fairness and Robustness
Xu, Ruichen
Chen, Kexin
Machine Learning
Computers and Society
Differentially private learning is essential for training models on sensitive data, but empirical studies consistently show that it can degrade performance, introduce fairness issues like disparate impact, and reduce adversarial robustness. The theoretical underpinnings of these phenomena in modern, non-convex neural networks remain largely unexplored. This paper introduces a unified feature-centric framework to analyze the feature learning dynamics of differentially private stochastic gradient descent (DP-SGD) in two-layer ReLU convolutional neural networks. Our analysis establishes test loss bounds governed by a crucial metric: the feature-to-noise ratio (FNR). We demonstrate that the noise required for privacy leads to suboptimal feature learning, and specifically show that: 1) imbalanced FNRs across classes and subpopulations cause disparate impact; 2) even in the same class, noise has a greater negative impact on semantically long-tailed data; and 3) noise injection exacerbates vulnerability to adversarial attacks. Furthermore, our analysis reveals that the popular paradigm of public pre-training and private fine-tuning does not guarantee improvement, particularly under significant feature distribution shifts between datasets. Experiments on synthetic and real-world data corroborate our theoretical findings.
title Differential Privacy in Two-Layer Networks: How DP-SGD Harms Fairness and Robustness
topic Machine Learning
Computers and Society
url https://arxiv.org/abs/2603.04881