Neural Information Processing Systems 

A: We omitted this accidentally, but will definitely reference this in our revised version. Carlini et al. demonstrate privacy risks on models trained with standard SGD. Their attacks do not hold even with very weak differential privacy guarantees. In fact, we also evaluate our attack using two-layer neural networks, and the performance is similar. See Figure 2(d), (e), (f), and Tables 1 and 3.

Q: What does it mean for yp to be the smallest probability class on xp? A: The class which the model predicts with the smallest probability.