 cifar-10 training


Supplementary Material: Better Safe Than Sorry: Preventing Delusive Adversaries with Adversarial Training

Neural Information Processing Systems

The initial learning rate is set to 0.1. A.2 Adversarial Training Unless otherwise specified, we perform adversarial training to train robust classifiers by following Madry et al. [74]. Specifically, we train against a projected gradient descent (PGD) adversary, starting from a random initial perturbation of the training data. Unless otherwise specified, we use the values of provided in Table 5 to train our models. We use 7 steps of PGD with a step size of/5. A.3 Delusive Adversaries Six delusive attacks are considered to validate our proposed defense.





Efficient Differentially Private Fine-Tuning of Diffusion Models

Liu, Jing, Lowy, Andrew, Koike-Akino, Toshiaki, Parsons, Kieran, Wang, Ye

arXiv.org Artificial Intelligence

The recent developments of Diffusion Models (DMs) enable generation of astonishingly high-quality synthetic samples. Recent work showed that the synthetic samples generated by the diffusion model, which is pre-trained on public data and fully fine-tuned with differential privacy on private data, can train a downstream classifier, while achieving a good privacy-utility tradeoff. However, fully fine-tuning such large diffusion models with DP-SGD can be very resource-demanding in terms of memory usage and computation. In this work, we investigate Parameter-Efficient Fine-Tuning (PEFT) of diffusion models using Low-Dimensional Adaptation (LoDA) with Differential Privacy. We evaluate the proposed method with the MNIST and CIFAR-10 datasets and demonstrate that such efficient fine-tuning can also generate useful synthetic samples for training downstream classifiers, with guaranteed privacy protection of fine-tuning data. Our source code will be made available on GitHub.