Privacy-Enhancing Sub-Sampling Meets Model Inversion Attacks
2025 (English) Independent thesis Basic level (degree of Bachelor), 10 credits / 15 HE credits
Student thesis
Abstract [en]
This work examines how optimizer selection and sub-sampling strategies affect model performance and adversarial vulnerability under differential privacy. We evaluate Differentially Private Stochastic Gradient Descent (DP-SGD) with and without sub-sampling, measuring attack success through classification rates, pixel similarity (PSNR), and structural similarity (SSIM). Results show that switching from Adam to DP-SGD, combined with sub-sampling, lowers adversarial classification accuracy across privacy budgets but can also increase pixel-level similarity in reconstructed inputs. These findings highlight a tension between differential privacy and perceptual privacy under standard DP training. Specifically, we simulate a black-box model inversion attack, where the adversary can only query the model’s outputs without access to internal parameters. This threat model reflects realistic deployment scenarios and underscores the importance of defenses that do not rely on obfuscation but provide formal privacy guarantees.
Abstract [sv]
This work examines how the choice of optimization algorithm and the use of subset sampling affect model performance and vulnerability to attacks under differential privacy. We evaluate differentially private stochastic gradient descent (DP-SGD) with and without subset sampling by measuring attack success in terms of classification rate, pixel similarity (PSNR) and structural similarity (SSIM). The results show that switching from Adam to DP-SGD, in combination with subset sampling, lowers adversarial classification accuracy across different privacy budgets, but at the same time can increase pixel-level similarity in reconstructed inputs. These results highlight a conflict between membership privacy and perceptual privacy under standard differentially private training. Specifically, we simulate a black-box model inversion attack, in which the attacker can only query the model's outputs without access to internal parameters. This threat model reflects realistic deployment environments and underscores the importance of defenses that do not rely on obscurity but offer formal privacy guarantees.
Place, publisher, year, edition, pages
2025, p. 541-548
Series
TRITA-EECS-EX ; 2025:154
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-376175
OAI: oai:DiVA.org:kth-376175
DiVA, id: diva2:2034549
Projects
Bachelor's Degree Project in Electrical Engineering 2025, EECS, KTH
2026-02-02 2026-02-02