Sequential Subspace Noise Injection Prevents Accuracy Collapse in Certified Unlearning

Certified unlearning based on differential privacy offers strong guarantees but remains largely impractical: the noisy fine-tuning approaches proposed so far achieve these guarantees but severely reduce model accuracy. We propose sequential noise scheduling, which distributes the noise budget across orthogonal subspaces of the parameter space, rather than injecting it all at once. This simple modification mitigates the destructive effect of noise while preserving the original certification guarantees. We extend the analysis of noisy fine-tuning to the subspace setting, proving that the same $(\varepsilon,δ)$ privacy budget is retained. Empirical results on image classification benchmarks show that our approach substantially improves accuracy after unlearning while remaining robust to membership inference attacks. These results show that certified unlearning can achieve both rigorous guarantees and practical utility.

Key Contributions

• Sequential Subspace Noise Injection: partitions parameter space into orthogonal blocks and applies noise sequentially per block, reducing per-step distortion versus simultaneous full-model noise injection.
• Theoretical extension proving the block-wise schedule preserves the same (ε,δ) certified unlearning budget as standard noisy fine-tuning.
• Empirical demonstration on MNIST and CIFAR-10 showing substantially reduced post-unlearning accuracy drop while maintaining robustness to membership inference attacks on the forgotten data.

🛡️ Threat Analysis

Details

Similar Papers