7.1.1 CoRTeX

• Name:
  Python library for noun phrase COreference Resolution in natural language TEXts
• Keyword:
  Natural language processing
• Functional Description:
  CoRTex is a LGPL-licensed Python library for Noun Phrase coreference resolution in natural language texts. This library contains implementations of various state-of-the-art coreference resolution algorithms, including those developed in our research. In addition, it provides a set of APIs and utilities for text pre-processing, reading the CONLL2012 and CONLLU annotation formats, and performing evaluation, notably based on the main evaluation metrics (MUC, B-CUBED, and CEAF). As such, CoRTex provides benchmarks for researchers working on coreference resolution, but it is also of interest for developers who want to integrate a coreference resolution within a larger platform. It currently supports use of the English or French language.
• Contact:
  Pascal Denis
• Participant:
  Pascal Denis
• Partner:
  Orange Labs

7.1.2 Mangoes

• Name:
  MAgnet liNGuistic wOrd vEctorS
• Keywords:
  Word embeddings, NLP
• Functional Description:

  Mangoes is a toolbox for constructing and evaluating static and contextual token vector representations (aka embeddings). The main functionalities are:

  - Contextual embeddings: Access a large collection of pretrained transformer-based language models, Pre-train a BERT language model on a corpus, Fine-tune a BERT language model for a number of extrinsic tasks, Extract features/predictions from pretrained language models.

  - Static embeddings: Process textual data and compute vocabularies and co-occurrence matrices. Input data should be raw text or annotated text, Compute static word embeddings with different state-of-the art unsupervised methods, Propose statistical and intrinsic evaluation methods, as well as some visualization tools, Generate context dependent embeddings from a pretrained language model.

  Future releases will include methods for injecting lexical and semantic knowledge into token and multi-model embeddings, and interfaces into common external knowledge resources.

• URL:
  https://­gitlab.­inria.­fr/­magnet/­mangoes
• Contact:
  Nathalie Vauquier

7.1.3 metric-learn

• Keywords:
  Machine learning, Python, Metric learning
• Functional Description:

  Distance metrics are widely used in the machine learning literature. Traditionally, practicioners would choose a standard distance metric (Euclidean, City-Block, Cosine, etc.) using a priori knowledge of the domain. Distance metric learning (or simply, metric learning) is the sub-field of machine learning dedicated to automatically constructing optimal distance metrics.

  This package contains efficient Python implementations of several popular metric learning algorithms.

• URL:
  https://­github.­com/­scikit-learn-contrib/­metric-learn
• Contact:
  Aurélien Bellet
• Partner:
  Parietal

7.1.4 MyLocalInfo

• Keywords:
  Privacy, Machine learning, Statistics
• Functional Description:
  Decentralized algorithms for machine learning and inference tasks which (1) perform as much computation as possible locally and (2) ensure privacy and security by avoiding that personal data leaves devices.
• Contact:
  Nathalie Vauquier

7.1.5 Voice Transformer

• Name:
  Voice Transformer
• Keywords:
  Speech, Privacy
• Scientific Description:

  Three privacy-driven voice transformation methods have been implemented, improved and compared in this library: VoiceMask: This voice transformation method described in [Qia+18, Qia+17] performs frequency warping based on the composition of a quadratic function and a bilinear function using two different parameters. VTLN-based conversion: This voice conversion method described in [SN03] represents each speaker by a set of spectra for k phonetic classes, and maps the original speech to the target speaker’s voice by finding the transformation parameters that minimise the distance between target class spectra and transformed original class spectra. The VPC method is inspired from the speaker anonymisation method proposed in [Fan+19], which performs voice conversion based on x-vectors [Sny+18], a fixed-length representation of speech signals that form the basis of state-of-the-art speaker verification systems. We have brought several improvements to this method such as pitch transformation, and new design choices for x-vectors selection

  [Fan+19] F. Fang, X. Wang, J. Yamagishi, I. Echizen, M. Todisco, N. Evans, and J.-F. Bonastre. “Speaker Anonymization Using x-vector and Neural Waveform Models”. In: Proceed- ings of the 10th ISCA Speech Synthesis Workshop. 2019, pp. 155–160. [Qia+17] J. Qian, H. Du, J. Hou, L. Chen, T. Jung, X. Li, Y. Wang, and Y. Deng. “Voice- Mask: Anonymize and Sanitize Voice Input on Mobile Devices”. In: arXiv preprint arXiv:1711.11460, 2017 abs/1711.11460 (2017). [Qia+18] J. Qian, H. Du, J. Hou, L. Chen, T. Jung, and X.-Y. Li. “Hidebehind: Enjoy Voice Input with Voiceprint Unclonability and Anonymity”. In: Proceedings of the 16th ACM Conference on Embedded Networked Sensor Systems. SenSys ’18. Shenzhen, China: Association for Computing Machinery, 2018, pp. 82–94. [SN03] D. Sundermann and H. Ney. “VTLN-based voice conversion”. In: Proceedings of the 3rd IEEE International Symposium on Signal Processing and Information Technology (IEEE Cat. No.03EX795). 2003, pp. 556–559.

  [Sny+18] D. Snyder, D. Garcia-Romero, G. Sell, D. Povey, and S. Khudanpur. “X-vectors: Ro- bust DNN embeddings for speaker recognition”. In: Proceedings of ICASSP 2018 - 2018 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). 2018, pp. 5329–5333.

• Functional Description:
  COMPRISE Voice Transformer is an open source tool that increases the privacy of users of voice interfaces by converting their voice into another person’s voice without modifying the spoken message. It ensures that any information extracted from the transformed voice can hardly be traced back to the original speaker, as validated through state-of-the-art biometric protocols, and it preserves the phonetic information required for human labelling and training of speech-to-text models.
• Release Contributions:
  This version gives access to the 2 generations of tools that have been used to transform the voice, as part of the COMPRISE project (https://www.compriseh2020.eu/). The first one is a python library that implements 2 basic voice conversion methods, both using VLTN. The second one implements an anonymization method using x-vectors and neural waveform models.
• News of the Year:
  We modified the x-vector based transformer by fixing the percentile-based pitch conversion method, using conda in Docker to fix issues with the Python version, and adding data from the speaker pool to simplify quick start.
• URL:
  https://­gitlab.­inria.­fr/­comprise/­voice_transformation
• Contact:
  Marc Tommasi
• Participants:
  Nathalie Vauquier, Brij Mohan Lal Srivastava, Marc Tommasi, Emmanuel Vincent, Md Sahidullah

7.1.6 declearn

• Keyword:
  Federated learning
• Scientific Description:

  declearn is a python package providing with a framework to perform federated learning, i.e. to train machine learning models by distributing computations across a set of data owners that, consequently, only have to share aggregated information (rather than individual data samples) with an orchestrating server (and, by extension, with each other).

  The aim of declearn is to provide both real-world end-users and algorithm researchers with a modular and extensible framework that:

  - builds on abstractions general enough to write backbone algorithmic code agnostic to the actual computation framework, statistical model details or network communications setup - designs modular and combinable objects, so that algorithmic features, and more generally any specific implementation of a component (the model, network protocol, client or server optimizer...) may easily be plugged into the main federated learning process - enabling users to experiment with configurations that intersect unitary features - provides with functioning tools that may be used out-of-the-box to set up federated learning tasks using some popular computation frameworks (scikit- learn, tensorflow, pytorch...) and federated learning algorithms (FedAvg, Scaffold, FedYogi...) - provides with tools that enable extending the support of existing tools and APIs to custom functions and classes without having to hack into the source code, merely adding new features (tensor libraries, model classes, optimization plug-ins, orchestration algorithms, communication protocols...) to the party

  At the moment, declearn has been focused on so-called "centralized" federated learning that implies a central server orchestrating computations, but it might become more oriented towards decentralized processes in the future, that remove the use of a central agent.

• Functional Description:
  This library provides the two main components to perform federated learning: - the client, to be run by each participant, performs the learning on local data et releases only the result of the computation - the server orchestrates the process and aggregates the local models in a global model
• URL:
  https://­gitlab.­inria.­fr/­magnet/­declearn/­declearn2
• Contact:
  Aurélien Bellet
• Participants:
  Paul Andrey, Aurélien Bellet, Nathan Bigaud, Marc Tommasi, Nathalie Vauquier
• Partner:
  CHRU Lille

7.1.7 fairgrad

• Name:
  FairGrad: Fairness Aware Gradient Descent
• Keywords:
  Fairness, Fair and ethical machine learning, Machine learning, Classification
• Functional Description:
  FairGrad is an easy to use general purpose approach in Machine Learning to enforce fairness in gradient descent based methods
• URL:
  https://­github.­com/­saist1993/­fairgrad
• Authors:
  Gaurav Maheshwari, Michael Perrot
• Contact:
  Michael Perrot

Chop and change: Anaphora resolution in instructional cooking videos, 33

Linguistic ambiguities arising from changes in entities in action flows are a key challenge in instructional cooking videos. In particular, temporally evolving entities present rich and to date understudied challenges for anaphora resolution. For example ”oil” mixed with ”salt” is later referred to as a ”mixture”. In this paper we propose novel annotation guidelines to annotate recipes for the anaphora resolution task, reflecting change in entities. Moreover, we present experimental results for end-to-end multimodal anaphora resolution with the new annotation scheme and propose the use of temporal features for performance improvement.

Improving Tokenization Expressiveness With Pitch Intervals, 48

Training sequence models such as transformers with symbolic music requires a representation of music as sequences of atomic elements called tokens. State-of-the-art music tokenizations encode pitch values explicitly, which complicates the ability of a machine learning model to generalize musical knowledge at different keys. We propose tracks for a tokenization encoding pitch intervals rather than pitch values, resulting in transposition invariant representations. The musical expressiveness of this new tokenization is evaluated through two MIR classification tasks: composer classification and end of phrase detection. We release publicly the code produced in this research.

Fair NLP Models with Differentially Private Text Encoders, 28

Encoded text representations often capture sensitive attributes about individuals (e.g., race or gender), which raise privacy concerns and can make downstream models unfair to certain groups. In this work, we propose FEDERATE, an approach that combines ideas from differential privacy and adversarial training to learn private text representations which also induces fairer models. We empirically evaluate the trade-off between the privacy of the representations and the fairness and accuracy of the downstream model on four NLP datasets. Our results show that FEDERATE consistently improves upon previous methods, and thus suggest that privacy and fairness can positively reinforce each other.

Anaphora Resolution in Dialogue: System Description (CODI-CRAC 2022 Shared Task), 21

We describe three models submitted for the CODI-CRAC 2022 shared task. To perform identity anaphora resolution, we test several combinations of the incremental clustering approach based on the Workspace Coreference System (WCS) with other coreference models. The best result is achieved by adding the "cluster merging" version of the coref-hoi model, which brings up to 10.33% improvement 1 over vanilla WCS clustering. Discourse deixis resolution is implemented as multi-task learning: we combine the learning objective of corefhoi with anaphor type classification. We adapt the higher-order resolution model introduced in Joshi et al. (2019) for bridging resolution given gold mentions and anaphors.

Refined Convergence and Topology Learning for Decentralized SGD with Heterogeneous Data, 42

One of the key challenges in decentralized and federated learning is to design algorithms that efficiently deal with highly heterogeneous data distributions across agents. In this paper, we revisit the analysis of the popular Decentralized Stochastic Gradient Descent algorithm (D-SGD) under data heterogeneity. We exhibit the key role played by a new quantity, called neighborhood heterogeneity, on the convergence rate of D-SGD. By coupling the communication topology and the heterogeneity, our analysis sheds light on the poorly understood interplay between these two concepts. We then argue that neighborhood heterogeneity provides a natural criterion to learn data-dependent topologies that reduce (and can even eliminate) the otherwise detrimental effect of data heterogeneity on the convergence time of D-SGD. For the important case of classification with label skew, we formulate the problem of learning such a good topology as a tractable optimization problem that we solve with a Frank-Wolfe algorithm. As illustrated over a set of simulated and real-world experiments, our approach provides a principled way to design a sparse topology that balances the convergence speed and the per-iteration communication costs of D-SGD under data heterogeneity.

D-Cliques: Compensating for Data Heterogeneity with Topology in Decentralized Federated Learning, 22

The convergence speed of machine learning models trained with Federated Learning is significantly affected by heterogeneous data partitions, even more so in a fully decentralized setting without a central server. In this paper, we show that the impact of label distribution skew, an important type of data heterogeneity, can be significantly reduced by carefully designing the underlying communication topology. We present D-Cliques, a novel topology that reduces gradient bias by grouping nodes in sparsely interconnected cliques such that the label distribution in a clique is representative of the global label distribution. We also show how to adapt the updates of decentralized SGD to obtain unbiased gradients and implement an effective momentum with D-Cliques. Our extensive empirical evaluation on MNIST and CIFAR10 demonstrates that our approach provides similar convergence speed as a fully-connected topology, which provides the best convergence in a data heterogeneous setting, with a significant reduction in the number of edges and messages. In a 1000-node topology, D-Cliques require 98% less edges and 96% less total messages, with further possible gains using a small-world topology across cliques.

PEPPER: Empowering User-Centric Recommender Systems over Gossip Learning, 15

Recommender systems are proving to be an invaluable tool for extracting user-relevant content helping users in their daily activities (e.g., finding relevant places to visit, content to consume, items to purchase). However, to be effective, these systems need to collect and analyze large volumes of personal data (e.g., location check-ins, movie ratings, click rates .. etc.), which exposes users to numerous privacy threats. In this context, recommender systems based on Federated Learning (FL) appear to be a promising solution for enforcing privacy as they compute accurate recommendations while keeping personal data on the users' devices. However, FL, and therefore FL-based recommender systems, rely on a central server that can experience scalability issues besides being vulnerable to attacks. To remedy this, we propose PEPPER, a decentralized recommender system based on gossip learning principles. In PEPPER, users gossip model updates and aggregate them asynchronously. At the heart of PEPPER reside two key components: a personalized peer-sampling protocol that keeps in the neighborhood of each node, a proportion of nodes that have similar interests to the former and a simple yet effective model aggregation function that builds a model that is better suited to each user. Through experiments on three real datasets implementing two use cases: a location check-in recommendation and a movie recommendation, we demonstrate that our solution converges up to 42% faster than with other decentralized solutions providing up to 9% improvement on average performance metric such as hit ratio and up to 21% improvement on long tail performance compared to decentralized competitors.

Collaborative Algorithms for Online Personalized Mean Estimation, 14

We consider an online estimation problem involving a set of agents. Each agent has access to a (personal) process that generates samples from a real-valued distribution and seeks to estimate its mean. We study the case where some of the distributions have the same mean, and the agents are allowed to actively query information from other agents. The goal is to design an algorithm that enables each agent to improve its mean estimate thanks to communication with other agents. The means as well as the number of distributions with same mean are unknown, which makes the task nontrivial. We introduce a novel collaborative strategy to solve this online personalized mean estimation problem. We analyze its time complexity and introduce variants that enjoy good performance in numerical experiments. We also extend our approach to the setting where clusters of agents with similar means seek to estimate the mean of their cluster.

An Accurate, Scalable and Verifiable Protocol for Federated Differentially Private Averaging, 16

Learning from data owned by several parties, as in federated learning, raises challenges regarding the privacy guarantees provided to participants and the correctness of the computation in the presence of malicious parties. We tackle these challenges in the context of distributed averaging, an essential building block of federated learning algorithms. Our first contribution is a scalable protocol in which participants exchange correlated Gaussian noise along the edges of a graph, complemented by independent noise added by each party. We analyze the differential privacy guarantees of our protocol and the impact of the graph topology under colluding malicious parties, showing that we can nearly match the utility of the trusted curator model even when each honest party communicates with only a logarithmic number of other parties chosen at random. This is in contrast with protocols in the local model of privacy (with lower utility) or based on secure aggregation (where all pairs of users need to exchange messages). Our second contribution enables users to prove the correctness of their computations without compromising the efficiency and privacy guarantees of the protocol. Our construction relies on standard cryptographic primitives like commitment schemes and zero knowledge proofs.

Differentially Private Federated Learning on Heterogeneous Data, 32

Federated Learning (FL) is a paradigm for large-scale distributed learning which faces two key challenges: (i) training efficiently from highly heterogeneous user data, and (ii) protecting the privacy of participating users. In this work, we propose a novel FL approach (DP-SCAFFOLD) to tackle these two challenges together by incorporating Differential Privacy (DP) constraints into the popular SCAFFOLD algorithm. We focus on the challenging setting where users communicate with a ”honest-but-curious” server without any trusted intermediary, which requires to ensure privacy not only towards a third party observing the final model but also towards the server itself. Using advanced results from DP theory and optimization, we establish the convergence of our algorithm for convex and non-convex objectives. Our paper clearly highlights the trade-off between utility and privacy and demonstrates the superiority of DP-SCAFFOLD over the state-ofthe-art algorithm DP-FedAvg when the number of local updates and the level of heterogeneity grows. Our numerical results confirm our analysis and show that DP-SCAFFOLD provides significant gains in practice.

GAP: Differentially Private Graph Neural Networks with Aggregation Perturbation, 34

In this paper, we study the problem of learning Graph Neural Networks (GNNs) with Differential Privacy (DP). We propose a novel differentially private GNN based on Aggregation Perturbation (GAP), which adds stochastic noise to the GNN's aggregation function to statistically obfuscate the presence of a single edge (edge-level privacy) or a single node and all its adjacent edges (node-level privacy). Tailored to the specifics of private learning, GAP's new architecture is composed of three separate modules: (i) the encoder module, where we learn private node embeddings without relying on the edge information; (ii) the aggregation module, where we compute noisy aggregated node embeddings based on the graph structure; and (iii) the classification module, where we train a neural network on the private aggregations for node classification without further querying the graph edges. GAP's major advantage over previous approaches is that it can benefit from multi-hop neighborhood aggregations, and guarantees both edge-level and node-level DP not only for training, but also at inference with no additional costs beyond the training's privacy budget. We analyze GAP's formal privacy guarantees using Rényi DP and conduct empirical experiments over three real-world graph datasets. We demonstrate that GAP offers significantly better accuracy-privacy trade-offs than state-of-the-art DP-GNN approaches and naive MLP-based baselines. Our code is publicly available at github.com/sisaman/GAP.

Differentially Private Coordinate Descent for Composite Empirical Risk Minimization, 29

Machine learning models can leak information about the data used to train them. To mitigate this issue, Differentially Private (DP) variants of optimization algorithms like Stochastic Gradient Descent (DP-SGD) have been designed to trade-off utility for privacy in Empirical Risk Minimization (ERM) problems. In this paper, we propose Differentially Private proximal Coordinate Descent (DP-CD), a new method to solve composite DP-ERM problems. We derive utility guarantees through a novel theoretical analysis of inexact coordinate descent. Our results show that, thanks to larger step sizes, DP-CD can exploit imbalance in gradient coordinates to outperform DP-SGD. We also prove new lower bounds for composite DP-ERM under coordinate-wise regularity assumptions, that are nearly matched by DP-CD. For practical implementations, we propose to clip gradients using coordinate-wise thresholds that emerge from our theory, avoiding costly hyperparameter tuning. Experiments on real and synthetic data support our results, and show that DP-CD compares favorably with DP-SGD.

Privacy Amplification by Decentralization, 24

Analyzing data owned by several parties while achieving a good trade-off between utility and privacy is a key challenge in federated learning and analytics. In this work, we introduce a novel relaxation of local differential privacy (LDP) that naturally arises in fully decentralized algorithms, i.e., when participants exchange information by communicating along the edges of a network graph without central coordinator. This relaxation, that we call network DP, captures the fact that users have only a local view of the system. To show the relevance of network DP, we study a decentralized model of computation where a token performs a walk on the network graph and is updated sequentially by the party who receives it. For tasks such as real summation, histogram computation and optimization with gradient descent, we propose simple algorithms on ring and complete topologies. We prove that the privacy-utility trade-offs of our algorithms under network DP significantly improve upon what is achievable under LDP, and often match the utility of the trusted curator model. Our results show for the first time that formal privacy gains can be obtained from full decentralization. We also provide experiments to illustrate the improved utility of our approach for decentralized training with stochastic gradient descent.

High-Dimensional Private Empirical Risk Minimization by Greedy Coordinate Descent, 45

In this paper, we study differentially private empirical risk minimization (DP-ERM). It has been shown that the worst-case utility of DP-ERM reduces polynomially as the dimension increases. This is a major obstacle to privately learning large machine learning models. In high dimension, it is common for some model's parameters to carry more information than others. To exploit this, we propose a differentially private greedy coordinate descent (DP-GCD) algorithm. At each iteration, DP-GCD privately performs a coordinate-wise gradient step along the gradients' (approximately) greatest entry. We show theoretically that DP-GCD can achieve a logarithmic dependence on the dimension for a wide range of problems by naturally exploiting their structural properties (such as quasi-sparse solutions). We illustrate this behavior numerically, both on synthetic and real datasets.

Private Sampling with Identifiable Cheaters, 17

In this paper we study verifiable sampling from probability distributions in the context of multi-party computation. This has various applications in randomized algorithms performed collaboratively by parties not trusting each other. One example is differentially private machine learning where noise should be drawn, typically from a Laplace or Gaussian distribution, and it is desirable that no party can bias this process. In particular, we propose algorithms to draw random numbers from uniform, Laplace, Gaussian and arbitrary probability distributions, and to verify honest execution of the protocols through zero-knowledge proofs. We propose protocols that result in one party knowing the drawn number and protocols that deliver the drawn random number as a shared secret.

Muffliato: Peer-to-Peer Privacy Amplification for Decentralized Optimization and Averaging, 25

Decentralized optimization is increasingly popular in machine learning for its scalability and efficiency. Intuitively, it should also provide better privacy guarantees, as nodes only observe the messages sent by their neighbors in the network graph. But formalizing and quantifying this gain is challenging: existing results are typically limited to Local Differential Privacy (LDP) guarantees that overlook the advantages of decentralization. In this work, we introduce pairwise network differential privacy, a relaxation of LDP that captures the fact that the privacy leakage from a node $u$ to a node $v$ may depend on their relative position in the graph. We then analyze the combination of local noise injection with (simple or randomized) gossip averaging protocols on fixed and random communication graphs. We also derive a differentially private decentralized optimization algorithm that alternates between local gradient descent steps and gossip averaging. Our results show that our algorithms amplify privacy guarantees as a function of the distance between nodes in the graph, matching the privacy-utility trade-off of the trusted curator, up to factors that explicitly depend on the graph topology. Finally, we illustrate our privacy gains with experiments on synthetic and real-world datasets.

FLamby: Datasets and Benchmarks for Cross-Silo Federated Learning in Realistic Healthcare Settings, 35

Federated Learning (FL) is a novel approach enabling several clients holding sensitive data to collaboratively train machine learning models, without centralizing data. The cross-silo FL setting corresponds to the case of few (2–50) reliable clients, each holding medium to large datasets, and is typically found in applications such as healthcare, finance, or industry. While previous works have proposed representative datasets for cross-device FL, few realistic healthcare cross-silo FL datasets exist, thereby slowing algorithmic research in this critical application. In this work, we propose a novel cross-silo dataset suite focused on healthcare, FLamby (Federated Learning AMple Benchmark of Your cross-silo strategies), to bridge the gap between theory and practice of cross-silo FL. FLamby encompasses 7 healthcare datasets with natural splits, covering multiple tasks, modalities, and data volumes, each accompanied with baseline training code. As an illustration, we additionally benchmark standard FL algorithms on all datasets. Our flexible and modular suite allows researchers to easily download datasets, reproduce results and re-use the different components for their research. FLamby is available at www.github.com/owkin/flamby.

Passive Query-Recovery Attack Against Secure Conjunctive Keyword Search Schemes, 39

While storing documents on the cloud can be attractive, the question remains whether cloud providers can be trusted with storing private documents. Even if trusted, data breaches are ubiquitous. To prevent information leakage one can store documents encrypted. If encrypted under traditional schemes, one loses the ability to perform simple operations over the documents, such as searching through them. Searchable encryption schemes were proposed allowing some search functionality while documents remain encrypted. Orthogonally, research is done to find attacks that exploit search and access pattern leakage that most efficient schemes have. One type of such an attack is the ability to recover plaintext queries. Passive query-recovery attacks on single-keyword search schemes have been proposed in literature, however, conjunctive keyword search has not been considered, although keyword searches with two or three keywords appear more frequently in online searches. We introduce a generic extension strategy for existing passive query-recovery attacks against single-keyword search schemes and explore its applicability for the attack presented by Damie et al. (USENIX Security ’21). While the original attack achieves up to a recovery rate of 85% against single-keyword search schemes for an attacker without exact background knowledge, our experiments show that the generic extension to conjunctive queries comes with a significant performance decrease achieving recovery rates of at most 32%. Assuming a stronger attacker with partial knowledge of the indexed document set boosts the recovery rate to 85% for conjunctive keyword queries with two keywords and achieves similar recovery rates as previous attacks by Cash et al. (CCS ’15) and Islam et al. (NDSS ’12) in the same setting for single-keyword search schemes.

Enhancing speech privacy with slicing, 30

Privacy preservation calls for speech anonymization methods which hide the speaker's identity while minimizing the impact on downstream tasks such as automatic speech recognition (ASR) training or decoding. In the recent VoicePrivacy 2020 Challenge, several anonymization methods have been proposed to transform speech utterances in a way that preserves their verbal and prosodic contents while reducing the accuracy of a speaker verification system. In this paper, we propose to further increase the privacy achieved by such methods by segmenting the utterances into shorter slices. We show that our approach has two major impacts on privacy. First, it reduces the accuracy of speaker verification with respect to unsegmented utterances. Second, it also reduces the amount of personal information that can be extracted from the verbal content, in a way that cannot easily be reversed by an attacker. We also show that it is possible to train an ASR system from anonymized speech slices with negligible impact on the word error rate.

Privacy and utility of x-vector based speaker anonymization, 19

We study the scenario where individuals (speakers) contribute to the publication of an anonymized speech corpus. Data users then leverage this public corpus to perform downstream tasks (such as training automatic speech recognition systems), while attackers may try to de-anonymize itbased on auxiliary knowledge they collect. Motivated by this scenario, speaker anonymization aims to conceal the speaker identity while preserving the quality and usefulness of speech data. In this paper, we study x-vector based speaker anonymization, the leading approach in the recent Voice Privacy Challenge, which converts an input utterance into that of a random pseudo-speaker. We show that the strength of the anonymization varies significantly depending on how the pseudo-speaker is selected. In particular, we investigate four design choices: the distance measure between speakers, the region of x-vector space where the pseudo-speaker is mapped, the gender selection and whether to use speaker or utterance level assignment. We assess the quality of anonymization from the perspective of the three actors involved in our threat model, namely the speaker, the user and the attacker. To measure privacy and utility, we use respectively the linkability score achieved by the attackers and the decoding word error rate incurred by an ASR model trained with the anonymized data. Experiments on LibriSpeech dataset confirm that the optimal combination ofdesign choices yield state-of-the-art performance in terms of privacy protection as well as utility. Experiments on Mozilla Common Voice dataset show that the best design choices with 50 speakers guarantee the same anonymization level against re-identification attack as raw speech with 20,000 speakers.

Retrieving Speaker Information from Personalized Acoustic Models for Speech Recognition, 31, 37

The widespread of powerful personal devices capable of collecting voice of their users has opened the opportunity to build speaker adapted speech recognition system (ASR) or to participate to collaborative learning of ASR. In both cases, personalized acoustic models (AM), i.e. fine-tuned AM with specific speaker data, can be built. A question that naturally arises is whether the dissemination of personalized acoustic models can leak personal information. In this paper, we show that it is possible to retrieve the gender of the speaker, but also his identity, by just exploiting the weight matrix changes of a neural acoustic model locally adapted to this speaker. Incidentally we observe phenomena that may be useful towards explainability of deep neural networks in the context of speech processing. Gender can be identified almost surely using only the first layers and speaker verification performs well when using middle-up layers. Our experimental study on the TED-LIUM 3 dataset with HMM/TDNN models shows an accuracy of 95% for gender detection, and an Equal Error Rate of 9.07% for a speaker verification task by only exploiting the weights from personalized models that could be exchanged instead of user data.

Differentially private speaker anonymization, 18

Sharing real-world speech utterances is key to the training and deployment of voice-based services. However, it also raises privacy risks as speech contains a wealth of personal data. Speaker anonymization aims to remove speaker information from a speech utterance while leaving its linguistic and prosodic attributes intact. State-of-the-art techniques operate by disentangling the speaker information (represented via a speaker embedding) from these attributes and re-synthesizing speech based on the speaker embedding of another speaker. Prior research in the privacy community has shown that anonymization often provides brittle privacy protection, even less so any provable guarantee. In this work, we show that disentanglement is indeed not perfect: linguistic and prosodic attributes still contain speaker information. We remove speaker information from these attributes by introducing differentially private feature extractors based on an autoencoder and an automatic speech recognizer, respectively, trained using noise layers. We plug these extractors in the state-of-the-art anonymization pipeline and generate, for the first time, differentially private utterances with a provable upper bound on the speaker information they contain. We evaluate empirically the privacy and utility resulting from our differentially private speaker anonymization approach on the LibriSpeech data set. Experimental results show that the generated utterances retain very high utility for automatic speech recognition training and inference, while being much better protected against strong adversaries who leverage the full knowledge of the anonymization process to try to infer the speaker identity.

The VoicePrivacy 2020 Challenge: Results and findings, 20 and 47

This paper presents the results and analyses stemming from the first VoicePrivacy 2020 Challenge which focuses on developing anonymization solutions for speech technology. We provide a systematic overview of the challenge design with an analysis of submitted systems and evaluation results. In particular, we describe the voice anonymization task and datasets used for system development and evaluation. Also, we present different attack models and the associated objective and subjective evaluation metrics. We introduce two anonymization baselines and provide a summary description of the anonymization systems developed by the challenge participants. We report objective and subjective evaluation results for baseline and submitted systems. In addition, we present experimental results for alternative privacy metrics and attack models developed as a part of the post-evaluation analysis. Finally, we summarise our insights and observations that will influence the design of the next VoicePrivacy challenge edition and some directions for future voice anonymization research.

Privacy attacks for automatic speech recognition acoustic models in a federated learning framework, 36, 38

This paper investigates methods to effectively retrieve speaker information from the personalized speaker adapted neural network acoustic models (AMs) in automatic speech recognition (ASR). This problem is especially important in the context of federated learning of ASR acoustic models where a global model is learnt on the server based on the updates received from multiple clients. We propose an approach to analyze information in neural network AMs based on a neural network footprint on the so-called Indicator dataset. Using this method, we develop two attack models that aim to infer speaker identity from the updated personalized models without access to the actual users' speech data. Experiments on the TED-LIUM 3 corpus demonstrate that the proposed approaches are very effective and can provide equal error rate (EER) of 1-2%.

Fairness Certificates for Differentially Private Classification, 46

In this work, we theoretically study the impact of differential privacy on fairness in binary classification. We prove that, given a class of models, popular group fairness measures are pointwise Lipschitz-continuous with respect to the parameters of the model. This result is a consequence of a more general statement on the probability that a decision function makes a negative prediction conditioned on an arbitrary event (such as membership to a sensitive group), which may be of independent interest. We use the aforementioned Lipschitz property to prove a high probability bound showing that, given enough examples, the fairness level of private models is close to the one of their non-private counterparts.

FairGrad: Fairness Aware Gradient Descent, 43

We tackle the problem of group fairness in classification, where the objective is to learn models that do not unjustly discriminate against subgroups of the population. Most existing approaches are limited to simple binary tasks or involve difficult to implement training mechanisms. This reduces their practical applicability. In this paper, we propose FairGrad, a method to enforce fairness based on a reweighting scheme that iteratively learns group specific weights based on whether they are advantaged or not. FairGrad is easy to implement and can accommodate various standard fairness definitions. Furthermore, we show that it is comparable to standard baselines over various datasets including ones used in natural language processing and computer vision.

Linear Programs with Conjunctive Queries, 23

In this paper, we study the problem of optimizing a linear program whose variables are answers to a conjunctive query. For this we propose the language LP(CQ) for specifying linear programs whose constraints and objective functions depend on the answer sets of conjunctive queries. We contribute an efficient algorithm for solving programs in a fragment of LP(CQ). The naive approach constructs a linear program having as many variables as elements in the answer set of the queries. Our approach constructs a linear program having the same optimal value but fewer variables. This is done by exploiting the structure of the conjunctive queries using hypertree decompositions ofsmall width to group elements of the answer set together. We illustrate the various applications of LP(CQ) programs on three examples: optimizing deliveries of resources, minimizing noise for differential privacy,and computing the s-measure of patterns in graphs as needed for datamining.

A Revenue Function for Comparison-Based Hierarchical Clustering, 44

Comparison-based learning addresses the problem of learning when, instead of explicit features or pairwise similarities, one only has access to comparisons of the form: Object $A$ is more similar to $B$ than to $C$. Recently, it has been shown that, in Hierarchical Clustering, single and complete linkage can be directly implemented using only such comparisons while several algorithms have been proposed to emulate the behaviour of average linkage. Hence, finding hierarchies (or dendrograms) using only comparisons is a well understood problem. However, evaluating their meaningfulness when no ground-truth nor explicit similarities are available remains an open question. In this paper, we bridge this gap by proposing a new revenue function that allows one to measure the goodness of dendrograms using only comparisons. We show that this function is closely related to Dasgupta's cost for hierarchical clustering that uses pairwise similarities. On the theoretical side, we use the proposed revenue function to resolve the open problem of whether one can approximately recover a latent hierarchy using few triplet comparisons. On the practical side, we present principled algorithms for comparison-based hierarchical clustering based on the maximisation of the revenue and we empirically compare them with existing methods.

Limits of Multi-relational Graphs, 13

Graphons are limits of large graphs. Motivated by a theoretical problem from statistical relational learning, we develop a generalization of basic results from graphon theory into the ”multi-relational” setting. We show that their multi-relational counterparts, which we call multi-relational graphons, are analogically limits of large multi-relational graphs. We extend the cutdistance topology for graphons to multi-relational graphons and prove its compactness and the density of multi-relational graphs in this topology. In turn, compactness enables to prove the large deviation principle for Multi-Relational Graphs (LDP) which enables to prove the most typical random graphs constrained by marginal statistics converge asymptotically to constrained multirelational graphons with maximum entropy. We show the equivalence between a restricted version of Markov Logic Network and Multi-Relational Graphons with maximum entropy.

Optimal Tensor Transport, 27

Optimal Transport (OT) has become a popular tool in machine learning to align finite datasets typically lying in the same vector space. To expand the range of possible applications, Co-Optimal Transport (Co-OT) jointly estimates two distinct transport plans, one for the rows (points) and one for the columns (features), to match two data matrices that might use different features. On the other hand, Gromov Wasserstein (GW) looks for a single transport plan from two pairwise intra-domain distance matrices. Both Co-OT and GW can be seen as specific extensions of OT to more complex data. In this paper, we propose a unified framework, called Optimal Tensor Transport (OTT), which takes the form of a generic formulation that encompasses OT, GW and CoOT and can handle tensors of any order by learning possibly multiple transport plans. We derive theoretical results for the resulting new distance and present an efficient way for computing it. We further illustrate the interest of such a formulation in Domain Adaptation and Comparison-based Clustering.

Robust Kernel Density Estimation with Median-of-Means principle, 26

In this paper, we introduce a robust nonparametric density estimator combining the popular Kernel Density Estimation method and the Median-of-Means principle (MoM-KDE). This estimator is shown to achieve robustness to any kind of anomalous data, even in the case of adversarial contamination. In particular, while previous works only prove consistency results under known contamination model, this work provides finite-sample high-probability error-bounds without a priori knowledge on the outliers. Finally, when compared with other robust kernel estimators, we show that MoM-KDE achieves competitive results while having significant lower computational complexity.

9.1.1 Associate Teams in the framework of an Inria International Lab or in the framework of an Inria International Program

9.1.2 Participation in other International Programs

9.2.1 Horizon Europe

9.3.1 ANR Pamela (2016–2022)

Participants: Marc Tommasi [contact person], Aurélien Bellet, Rémi Gilleron, Jan Ramon, Mahsa Asadi.

The Pamela project aims at developing machine learning theories and algorithms in order to learn local and personalized models from data distributed over networked infrastructures. Our project seeks to provide first answers to modern information systems built by interconnecting many personal devices holding private user data in the search of personalized suggestions and recommendations. More precisely, we will focus on learning in a collaborative way with the help of neighbors in a network. We aim to lay the first blocks of a scientific foundation for these new types of systems, in effect moving from graphs of data to graphs of data and learned models. We argue that this shift is necessary in order to address the new constraints arising from the decentralization of information that is inherent to the emergence of big data. We will in particular focus on the question of learning under communication and privacy constraints. A significant asset of the project is the quality of its industrial partners, Snips and Mediego, who bring in their expertise in privacy protection and distributed computing as well as use cases and datasets. They will contribute to translate this fundamental research effort into concrete outcomes by developing personalized and privacy-aware assistants able to provide contextualized recommendations on small devices and smartphones.

9.3.2 ANR DEEP-Privacy (2019–2023)

Participants: Marc Tommasi [contact person], Aurélien Bellet, Pascal Denis, Jan Ramon, Brij Mohan Lal Srivastava, Rishabh Gupta.

DEEP-PRIVACY proposes a new paradigm based on a distributed, personalized, and privacy-preserving approach for speech processing, with a focus on machine learning algorithms for speech recognition. To this end, we propose to rely on a hybrid approach: the device of each user does not share its raw speech data and runs some private computations locally, while some cross-user computations are done by communicating through a server (or a peer-to-peer network). To satisfy privacy requirements at the acoustic level, the information communicated to the server should not expose sensitive speaker information.

9.3.3 ANR-JCJC PRIDE (2020–2025)

Participants: Aurélien Bellet [contact person], Marc Tommasi, Jan Ramon, Edwige Cyffers, Batiste Le Bars, Paul Mangold, Tudor Cebere.

Machine learning (ML) is ubiquitous in AI-based services and data-oriented scientific fields but raises serious privacy concerns when training on personal data. The starting point of PRIDE is that personal data should belong to the individual who produces it. This requires to revisit ML algorithms to learn from many decentralized personal datasets while preventing the reconstruction of raw data. Differential Privacy (DP) provides a strong notion of protection, but current decentralized ML algorithms are not able to learn useful models under DP. The goal of PRIDE is to develop theoretical and algorithmic tools that enable differentially-private ML methods operating on decentralized datasets, through two complementary objectives: (1) prove that gossip protocols naturally reinforce DP guarantees; (2) propose algorithms at the intersection of decentralized ML and secure multi-party computation.

9.3.4 ANR PMR (2020-2024)

Participants: Jan Ramon [contact person], Aurélien Bellet, Marc Tommasi, Cesar Sabater.

Given the growing awareness of privacy risks of data processing, there is an increasing interest in privacy-preserving learning. However, shortcomings in the state of the art limit the applicability of the privacy-preserving learning paradigm. First, most approaches assume too optimistically a honest-but-curious setting. Second, most approaches consider one learning task in isolation, not accounting for the context where querying is a recurring activity. We will investigate new algorithms and models that address these shortcomings. Among others, (i) our algorithms will combine privacy-preserving properties of differential privacy with security offered by cryptography and (ii) based on models of information flows in integrated data handling processes, we will build more refined models analyzing the implications of repeated querying. We will demonstrate the utility of our new theory and algorithms by proposing strategies to realistically apply them in significant real-world problems illustrated through use cases in the medical domain

9.3.5 FedMalin. INRIA Defi (2021-2024)

Participants: Aurélien Bellet [contact person], Jan Ramon, Marc Tommasi, Michaël Perrot, Batiste Le Bars, Edwige Cyffers, Paul Mangold, Tudor Cebere.

In many use-cases of Machine Learning (ML), data is naturally decentralized: medical data is collected and stored by different hospitals, crowdsensed data is generated by personal devices, etc. Federated Learning (FL) has recently emerged as a novel paradigm where a set of entities with local datasets collaboratively train ML models while keeping their data decentralized.

FedMalin is a research project that spans 10 Inria research teams and aims to push FL research and concrete use-cases through a multidisciplinary consortium involving expertise in ML, distributed systems, privacy and security, networks, and medicine. We propose to address a number of challenges that arise when FL is deployed over the Internet, including privacy and fairness, energy consumption, personalization, and location/time dependencies.

FedMalin will also contribute to the development of open-source tools for FL experimentation and real-world deployments, and use them for concrete applications in medicine and crowdsensing.

9.3.6 FLAMED: Federated Learning and Analytics on Medical Data. INRIA Action Exploratoire (2020-2024)

Participants: Aurélien Bellet [contact person], Marc Tommasi, Paul Mangold, Nathan Bigaud, Paul André.

Flamed is about decentralized approaches for AI in medicine. The main objective is to operate data analysis and machine learning tasks in a network of hospital units without any data exchange. This approach helps to solve data privacy and sovereignty issues while taking advantage of the statistical power of federation and collaboration. This research is done in collaboration with the Lille Hospital.

9.3.7 COMANCHE: Computational Models of Lexical Meaning and Change. INRIA Action Exploratoire (2022-2026)

Participants: Pascal Denis [contact person], Mikaela Keller, Bastien Liétard.

Comanche proposes to transfer and adapt recent Natural Language representation learning algorithms from deep learning to model the evolution of the meaning of words, and to confront these computational models to theories on language acquisition and the diachrony of languages. At the crossroads between machine learning, psycholinguistics and historical linguistics, this project will make it possible to validate or revise some of these theories, but also to bring out computational models that are more sober in terms of data and computations because they exploit new inductive biases inspired by these disciplines.

In collaboration with UMR SCALAB (CNRS, Université de Lille), l’Unité de Recherche STIH (Sorbonne Université), et l’UMR ATILF (CNRS, Université de Lorraine).

9.3.8 IPoP, Projet interdisciplinaire sur la protection des données personnelles, PEPR Cybersécurité (2022-2028).

Participants: Aurélien Bellet [contact person], Jan Ramon, Marc Tommasi, Michaël Perrot, Cesar Sabater, Edwige Cyffers, Paul Mangold, Tudor Cebere.

Digital technologies provide services which can greatly increase quality of life (e.g. connected e-health devices, location based services, or personal assistants). However, these services can also raise major privacy risks, as they involve personal data, or even sensitive data. Indeed, this notion of personal data is the cornerstone of French and European regulations, since processing such data triggers a series of obligations that the data controller must abide by. This raises many multidisciplinary issues, as the challenges are not only technological, but also societal, judiciary, economic, political and ethical.

The objectives of this project are thus to study the threats on privacy that have been introduced by these new services, and to conceive theoretical and technical privacy-preserving solutions that are compatible with French and European regulations, that preserve the quality of experience of the users. These solutions will be deployed and assessed, both on the technological and legal sides, and on their societal acceptability. In order to achieve these objectives, we adopt an interdisciplinary approach, bringing together many diverse fields: computer science, technology, engineering, social sciences, economy and law.

The project’s scientific program focuses on new forms of personal information collection, on Artificial Intelligence (AI) and its governance, data anonymization techniques, personal data management and distributed calculation protocol privacy preserving infrastructures, differential privacy, personal data legal protection and compliance, and all the associated societal and ethical considerations. This unifying interdisciplinary research program brings together internationally recognized research teams (from universities, engineering schools and institutions) working on privacy, and the French Data Protection Authority (CNIL).

This holistic vision of the issues linked to personal data protection will on the one hand let us propose solutions to the scientific and technological challenges and on the other help us confront these solutions in many different ways, in the context of interdisciplinary collaborations, thus leading to recommendations and proposals in the field of regulations or legal frameworks. This comprehensive consideration of all the issues aims at encouraging the adoption and acceptability of the solutions proposed by all stakeholders, legislators, data controllers, data processors, solution designers, developers all the way to end-users.

9.3.9 HyAIAI. INRIA Defi (2019-2022)

Participants: Jan Ramon [contact person], Marc Tommasi.

Recent progress in Machine Learning (ML) and especially Deep Learning has made ML pervasive in a wide range of applications. However, current approaches rely on complex numerical models: their decisions, as accurate as they may be, cannot be easily explained to the layman that may depend on these decisions (ex: get a loan or not). In the HyAIAI IPL, we tackle the problem of making “Interpretable ML” through the study and design of hybrid approaches that combine state of the art numeric models with explainable symbolic models. More precisely, our goal is to be able to integrate high level (domain) constraints in ML models, to give model designers information on ill-performing parts of the model, and to give the layman/practitioner understandable explanations on the results of the ML model.

9.4.1 Chaire TIP: Transparent artificial Intelligence preserving Privacy

Participants: Jan Ramon [contact person], Cesar Sabater, Jean-Paul Lam, Antonin Duez, Sophie Villerot.

The overall goal of the TIP project is to develop, exploit and explain a sound understanding of privacy-preserving strategies in larger AI-based processes involving massive numbers of agents among whom part may be malicious.

9.4.2 Fairness in Decentralized and Privacy Preserving Machine Learning STaRS (2021-2023)

Participants: Michaël Perrot [contact person].

Machine Learning is becoming ubiquitous in our everyday lives. It is now used in digital assistants, for medical diagnosis, for autonomous vehicles, .... Its success can be explained by the good performances of learned models, sometimes reaching human-level capabilities. However, simply being accurate is not sufficient to ensure that the learning approaches are socially acceptable, in particular if the models are to be largely deployed. Hence, Fairness and Privacy have been extensively studied as standalone trustworthiness notions. However, in practice, it is often mandatory that a model has both properties and thus, jointly studying the two notions is important. This is particularly relevant in decentralized settings where the data is owned by multiple entities that would like to collaborate to learn efficient and fair models but wish to keep their own data private. The goal of this project is twofold: (i) propose new approaches to learn fair and privacy preserving models in a decentralized setting and (ii) provide theoretical guarantees on the trustworthiness level of the learned models that may serve as certificates for the stakeholders.

9.4.3 CAPS'UL: CAmpus Participatif en Santé numérique du site Universitaire de Lille. Santé numérique, PIA4. (2022-2027)

Participant: Marc Tommasi [contact person].

Participation to this regional initiative about training in the health domain. Magnet contributes by the design of algorithms for data anonymization and data generation for specfic software training.

10.1.1 Scientific events: organisation

• Aurélien Bellet co-organized the Privacy Preserving Machine Learning (PPML'22) workshop at FOCS 2022.
• Since May 2020, Aurélien Bellet is co-organizing the Federated Learning One World webinar (900+ registered attendees).

10.1.2 Scientific events: selection

• Aurélien Bellet served as Area Chair for ICML'22, NeurIPS'22, AISTATS'23 and AFCP@NeurIPS'22, and as PC member for SaTML, PPAI@AAAI'23, FL@NeurIPS'22, CAp'22, APVP'22.
• Jan Ramon was PC member of AAAI'22, AFCI@Neurips'22, AISTATS'22, BigData'22, BNAIC'22, DS'22, ECMLPKDD'22, PhDforum@ECML'22, ICDM'22, ICLR'22, ICML'22, IDA'22, IJCAI'22, doctoral program @ IJCAI'22, MLG@KDD'22, MLG@ECMLPKDD'22, NeurIPS'22, PPAI@AAAI'22, SDM'22, UAI'22 and XKDD'22.
• Pascal Denis was Action Editor for ACL Rolling Review, as well as Area Chair for ACL'22 and NAACL'22. He was also PC member of COLING'22, EMNLP'22, and CODI@COLING'22.
• Marc Tommasi served as Area Chair for ECML'22 and as PC member of NeurIPS'22, CAP'22.
• Michaël Perrot served as PC member of ICML'22, ECML'22, NeurIPS'22, AISTATS'23.
• Mikaela Keller was PC member of TALN'22
• Rémi Gilleron served as PC member of ICML'22, ICLR'22, CAp'22, NeurIPS'22, AISTATS'22.
• Marc Damie served as reviewer for PETS'22.
• Paul Mangold served as reviewer for ECML'22 PhD forum, NeurIPS'22, AISTATS'22.

10.1.3 Journal

10.1.4 Invited talks

• Aurélien Bellet gave invited talks at Google Federated Learning and Analytics Workshop 2022, CAp'22 (keynote speaker), JDS'22 (keynote speaker), DeepMind Paris, Learning and Optimization in Luminy (LOL2022), OpenMined Medical Federated Learning Program, Privaski'22, Journée Private Math-Stat'22, Comète Workshop on Ethical AI, Qarma seminar, Séminaire Scientifique STIC AmSud, GDR IA, Qwant seminar, AXA seminar, Idemia seminar, Seminar “Machine Learning in Montpellier”, Fairness in Machine Learning Day at Lille
• Michaël Perrot presented his work of Fairness in Machine Learning during the Comète Workshop on Ethical AI in September, 2022.
• Batiste Le Bars presented his work 42 at the EPFL-INRIA workshop, in the MILES team of the Lamsade lab in PSL and in the Federated Learning Workshop at NeurIPS'22.
• Marc Damie gave a talk for the Dutch Cyber Security Best Research Paper award ceremony (paper accepted at USENIX Security 21).

10.1.5 Scientific expertise

• Aurélien Bellet reviewed for the European Research Council (ERC - Starting Grants), and was a member of the recruitment committee of junior researchers at Inria Lyon and of associate professors at Saint-Etienne.
• Jan Ramon made reviews for the European Commission (review final report of 1 project), and was a member of the comité emploi recherche (CER) of INRIA-Lille.
• Marc Tommasi was a member (scientific expert) of the recruitment committee of associate professors at Saint-Etienne and Lille.
• Mikaela Keller was a member (scientific expert) of the recruitment committee of associate professors at Saint-Etienne and Lille.

10.1.6 Research administration

• Aurélien Bellet is member of the Operational Committee for the assessment of Legal and Ethical risks (COERLE).
• Marc Tommasi is co-head of the DatInG group (4 teams, about 100 persons), member of the Conseil Scientifique du laboratoire CRIStAL and member of the Commission mixte CRIStAL/Faculty of Science, Lille University.
• Pascal Denis is a standing member of TALN-RECITAL permanent conference committee ("CPerm").
• Pascal Denis is a member of the CNRS GDR NLP Group.
• Pascal Denis is a member of the network "référents données" at Inria and Université de Lille
• Pascal Denis is administrator of Inria membership to Linguistic Data Consortium (LDC).

10.2.1 Teaching

• Licence MIASHS: Marc Tommasi, Data Science, 24h, L2, Université de Lille.
• Licence Informatique: Marc Tommasi, Introduction to AI, 24h, L2, Université de Lille.
• Licence MIASHS: Mikaela Keller, Data Science, 12h, L2, Université de Lille.
• Licence MIASHS: Mikaela Keller, Data Science 2, 24h, L3, Université de Lille.
• Licence MIASHS: Mikaela Keller, Traitement de données, 24h, L2, Université de Lille.
• Master MIASHS: Mikaela Keller, Algorithmes fondamentaux de la fouille de données, 27h, M1, Université de Lille.
• Master Data Science: Mikaela Keller, Machine Learning 1, 24h, M1, Université de Lille.
• Master Computer Science: Mikaela Keller, Apprentissage profond, 24h, M1, Université de Lille.
• Master Computer Science: Mikaela Keller, Machine learning pour le traitement automatique du language naturel, 24h, M2, Université de Lille.
• Master MIASHS: Michaël Perrot, Algorithmes fondamentaux de la fouille de données, 27h, M1, Université de Lille.
• Master Computer Science: Marc Tommasi, Data Science, 48h, M1, Université de Lille.
• Master Computer Science: Marc Tommasi, Semi-supervised learning and Graphs, 24h, M2, Université de Lille.
• Master Data Science: Marc Tommasi Seminars 24h.
• Master Data Science: Aurélien Bellet, Privacy Preserving Machine Learning, 24h, M2, Université de Lille and Ecole Centrale de Lille.
• Parcours Science des Données et Intelligence Artificielle: Aurélien Bellet, Advanced Machine Learning, 6h, Ecole Centrale de Lille.
• Peyresq Summer School 2022: Aurélien Bellet, Privacy-Preserving Machine Learning, 5h, PhD-level.
• Training in Privacy-Preserving and Federated Machine Learning, 3 days, researchers from L'Oréal R&D.
• Master Informatique: Pascal Denis, Foundations of Machine Learning, 46h, M1, Université de Lille.
• Master Sciences Cognitives: Michaël Perrot, Machine Learning for Cognitive Sciences, 8h, M2, Université de Lille.
• Marc Tommasi is directeur des études for the Machine Learning master of Computer Science.

10.2.2 Supervision

• Postdoc: Vitalii Emilianov. On the interactions between fairness and privacy in machine learning. November 2022. Michaël Perrot.
• Postdoc: Batiste Le Bars. On collaboration graph design for decentralized learning. October 2021-. Aurélien Bellet and Marc Tommasi
• PhD defended in December 2022: Mahsa Asadi, On Decentralized Machine Learning, since Oct 2018. Aurélien Bellet and Marc Tommasi. (See 40)
• PhD in progress: Nicolas Crosetti, Privacy Risks of Aggregates in Data Centric-Workflows, since Oct 2018. Florent Capelli and Sophie Tison and Joachim Niehren and Jan Ramon.
• Phd in progress: Arijus Pleska, Tractable Probabilistic Models for Large Scale Networks, since Oct 2018. Jan Ramon
• PhD in progress: Moitree Basu, Integrated privacy-preserving AI, since 2019. Jan Ramon.
• PhD defended in June 2022: César Sabater, Privacy Preserving Machine Learning, since 2019. Jan Ramon. (See 41)
• PhD in progress: Paul Mangold. Decentralized Optimization and privacy. Aurélien Bellet and Marc Tommasi and Joseph Salmon, since October 2020.
• Phd in progress: Gaurav Maheshwari. Trustworthy Representations for Natural Language Processing, since Nov 2020. Aurélien Bellet, Mikaela Keller, and Pascal Denis
• Phd in progress: Priyansh Trivedi. Enriching Linguistic Representations with External Knowledge, since Nov 2020. Philippe de Groote (Loria, Nancy) and Pascal Denis
• Phd in progress: Edwige Cyffers. Decentralized learning and privacy amplification, since Oct. 2021. Aurélien Bellet
• Phd in progress: Marc Damie. Secure protocols for verifiable decentralized machine learning, since May 2022. Jan Ramon with Andreas Peter (U. Twente, NL & U. Oldenburg, DE) Florian Hahn (University of Twente, NL).
• Phd in progress: Tudor Cebere. Privacy-Preserving Machine Learning, since Nov. 2022. Aurélien Bellet
• Phd in progress: Bastien Liétard. Computational Models of Lexical Semantic Change, since Nov. 2022. Anne Carlier (Université Paris Sorbonne), Pascal Denis and Mikaela Keller
• Phd in progress: Dinh-Viet-Toan Le. Natural Language Processing approaches in the musical domain : suitability, performance and limits, since Oct. 2022. Mikaela Keller and Louis Bigo
• Phd in progress: Aleksei Korneev. Trustworthy multi-site privacy-enhancing technologies, since Dec. 2022. Jan Ramon
• PhD in progress: Antoine Barczewski. Transparent privacy-preserving machine learning, since May 2022. Jan Ramon.
• Engineer: Jean-Paul Lam. Transparent privacy-preserving machine learning. Jan Ramon
• Engineer: Antonin Duez. Transparent privacy-preserving machine learning. Jan Ramon
• Engineer Sophie Villerot, ADT project Tailed: Trustworthy AI Library for Environments which are Decentralized, since Nov. 2020. Jan Ramon
• Engineer Joseph Renner, Improving Word Representations with Semantic Knowledge, since Nov. 2020. Pascal Denis and Rémi Gilleron
• Engineer Rishabh Gupta, Disentanglement approaches for speech data. Aurélien Bellet and Marc Tommasi.
• Engineer Paul Andrey, Decentralized and Federated Learning with DecLearn. Aurélien Bellet and Marc Tommasi.
• Engineer Nathan Bigaud, Decentralized and Federated Learning with DecLearn. Aurélien Bellet and Marc Tommasi.

10.2.3 Juries

• Aurélien Bellet was reviewer for the PhD thesis of Théo Ryffel (ENS/Inria) and Raphael Ettedgui (PSL), and member of the PhD defense committee of Evrard Garcelon (FAIR Paris and CREST, ENSAE).
• Marc Tommasi was member of the habilitation of Romain Azaïs (ENS Lyon).
• Pascal Denis was member of the PhD defense committee of Tom Bourgeade at IRIT, Université de Toulouse.
• Pascal Denis was member of the PhD award committee at TALN'22.

10.3.1 Articles and contents

• Aurélien Bellet participated to a round table organized by Le Cycle de la Voix (Le Voice Lab) and was interviewed by CNIL.
• Michaël Perrot was interviewed for the article L'Impasse de l'IA, Alexandra Pihen, Epsiloon, June 2022.
• Marc Tommasi was interviewed by CNIL.

International journals

• 13 articleJ. A.Juan Aurelio Alvarado, Y.Yuyi Wang and J.Jan Ramon. Limits of Multi-relational Graphs.Machine LearningNovember 2022
  HALback to text
• 14 articleM.Mahsa Asadi, A.Aurélien Bellet, O.-A.Odalric-Ambrym Maillard and M.Marc Tommasi. Collaborative Algorithms for Online Personalized Mean Estimation.Transactions on Machine Learning Research2022
  HALback to text
• 15 articleY.Yacine Belal, A.Aurélien Bellet, S.Sonia Ben Mokhtar and V.Vlad Nitu. PEPPER: Empowering User-Centric Recommender Systems over Gossip Learning.Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 63September 2022, 1-27
  HALDOIback to text
• 16 articleC.César Sabater, A.Aurélien Bellet and J.Jan Ramon. An Accurate, Scalable and Verifiable Protocol for Federated Differentially Private Averaging.Machine LearningOctober 2022
  HALDOIback to text
• 17 articleC.César Sabater, F.Florian Hahn, A.Andreas Peter and J.Jan Ramon. Private Sampling with Identifiable Cheaters.Proceedings on Privacy Enhancing Technologies202322022
  HALback to text
• 18 articleA. S.Ali Shahin Shamsabadi, B. M.Brij Mohan Lal Srivastava, A.Aurélien Bellet, N.Nathalie Vauquier, E.Emmanuel Vincent, M.Mohamed Maouche, M.Marc Tommasi and N.Nicolas Papernot. Differentially private speaker anonymization.Proceedings on Privacy Enhancing Technologies20231January 2023
  HALback to text
• 19 articleB. M.Brij Mohan Lal Srivastava, M.Mohamed Maouche, M.Md Sahidullah, E.Emmanuel Vincent, A.Aurélien Bellet, M.Marc Tommasi, N.Natalia Tomashenko, X.Xin Wang and J.Junichi Yamagishi. Privacy and utility of x-vector based speaker anonymization.IEEE/ACM Transactions on Audio, Speech and Language ProcessingJune 2022
  HALback to text
• 20 articleN.Natalia Tomashenko, X.Xin Wang, E.Emmanuel Vincent, J.Jose Patino, B. M.Brij Mohan Lal Srivastava, P.-G.Paul-Gauthier Noé, A.Andreas Nautsch, N.Nicholas Evans, J.Junichi Yamagishi, B.Benjamin O'Brien, A.Anaïs Chanclu, J.-F.Jean-François Bonastre, M.Massimiliano Todisco and M.Mohamed Maouche. The VoicePrivacy 2020 Challenge: Results and findings.Computer Speech and Language74July 2022, 101362
  HALDOIback to text

International peer-reviewed conferences

• 21 inproceedingsT.Tatiana Anikina, N.Natalia Skachkova, J.Joseph Renner and P.Priyansh Trivedi. Anaphora Resolution in Dialogue: System Description (CODI-CRAC 2022 Shared Task).CODI-CRAC 2022Gyeongju, South KoreaOctober 2022
  HALback to text
• 22 inproceedingsA.Aurélien Bellet, A.-M.Anne-Marie Kermarrec and E.Erick Lavoie. D-Cliques: Compensating for Data Heterogeneity with Topology in Decentralized Federated Learning.41st International Symposium on Reliable Distributed Systems (SRDS)Vienna, Austria2022
  HALback to text
• 23 inproceedingsF.Florent Capelli, N.Nicolas Crosetti, J.Joachim Niehren and J.Jan Ramon. Linear Programs with Conjunctive Queries.25th Internationcal Conference on Database Theory (ICDT 2022)Edinburgh, United KingdomMarch 2022
  HALback to text
• 24 inproceedingsE.Edwige Cyffers and A.Aurélien Bellet. Privacy Amplification by Decentralization.Proceedings of The 25th International Conference on Artificial Intelligence and Statistics,Virtual, Spain2022
  HALback to text
• 25 inproceedingsE.Edwige Cyffers, M.Mathieu Even, A.Aurélien Bellet and L.Laurent Massoulié. Muffliato: Peer-to-Peer Privacy Amplification for Decentralized Optimization and Averaging.Advances in Neural Information Processing Systems 35 (NeurIPS)New Orleans, United States2022
  HALback to text
• 26 inproceedingsP.Pierre Humbert, B.Batiste Le Bars and L.Ludovic Minvielle. Robust Kernel Density Estimation with Median-of-Means principle.Proceedings of the 39th International Conference on Machine Learning (ICML)162Proceedings of Machine Learning ResearchBaltimore, United StatesJuly 2022
  HALback to text
• 27 inproceedingsT.Tanguy Kerdoncuff, M.Michaël Perrot, R.Rémi Emonet and M.Marc Sebban. Optimal Tensor Transport.Proceedings of the AAAI Conference on Artificial IntelligenceAAAIVancouver, CanadaFebruary 2022
  HALback to text
• 28 inproceedingsG.Gaurav Maheshwari, P.Pascal Denis, M.Mikaela Keller and A.Aurélien Bellet. Fair NLP Models with Differentially Private Text Encoders.Findings of the Association for Computational Linguistics: EMNLP 2022Abu Dhabi, United Arab Emirates2022
  HALback to text
• 29 inproceedingsP.Paul Mangold, A.Aurélien Bellet, J.Joseph Salmon and M.Marc Tommasi. Differentially Private Coordinate Descent for Composite Empirical Risk Minimization.ICML 2022 - 39th International Conference on Machine Learning162Baltimore, United StatesPMLR2022, 14948-14978
  HALback to text
• 30 inproceedingsM.Mohamed Maouche, B. M.Brij Mohan Lal Srivastava, N.Nathalie Vauquier, A.Aurélien Bellet, M.Marc Tommasi and E.Emmanuel Vincent. Enhancing speech privacy with slicing.Interspeech 2022 - Human and Humanizing Speech TechnologyIncheon, South KoreaSeptember 2022
  HALback to text
• 31 inproceedingsS.Salima Mdhaffar, J.-F.Jean-François Bonastre, M.Marc Tommasi, N.Natalia Tomashenko and Y.Yannick Estève. Retrieving Speaker Information from Personalized Acoustic Models for Speech Recognition.IEEE ICASSP 2022Singapour, Singapore2022
  HALback to text
• 32 inproceedingsM.Maxence Noble, A.Aurélien Bellet and A.Aymeric Dieuleveut. Differentially Private Federated Learning on Heterogeneous Data.Proceedings of The 25th International Conference on Artificial Intelligence and Statistics (AISTATS)Virtual, Spain2022
  HALback to text
• 33 inproceedingsC.Cennet Oguz, I.Ivana Kruijff-Korbayová, P.Pascal Denis, E.Emmanuel Vincent and J.Josef van Genabith. Chop and change: Anaphora resolution in instructional cooking videos.Findings of AACL-IJCNLP 2022 - 2nd Conference of the Asia-Pacific Chapter of the Association for Computational Linguistics - 12th International Joint Conference on Natural Language ProcessingTaipeh, TaiwanNovember 2022
  HALback to text
• 34 inproceedingsS.Sina Sajadmanesh, A. S.Ali Shahin Shamsabadi, A.Aurélien Bellet and D.Daniel Gatica-Perez. GAP: Differentially Private Graph Neural Networks with Aggregation Perturbation.32nd USENIX Security SymposiumAnaheim, United States2023
  HALback to text
• 35 inproceedingsJ. O.Jean Ogier Du Terrail, S.-S.Samy-Safwan Ayed, E.Edwige Cyffers, F.Felix Grimberg, C.Chaoyang He, R.Regis Loeb, P.Paul Mangold, T.Tanguy Marchand, O.Othmane Marfoq, E.Erum Mushtaq, B.Boris Muzellec, C.Constantin Philippenko, S.Santiago Silva, M.Maria Teleńczuk, S.Shadi Albarqouni, S.Salman Avestimehr, A.Aurélien Bellet, A.Aymeric Dieuleveut, M.Martin Jaggi, S. P.Sai Praneeth Karimireddy, M.Marco Lorenzi, G.Giovanni Neglia, M.Marc Tommasi and M.Mathieu Andreux. FLamby: Datasets and Benchmarks for Cross-Silo Federated Learning in Realistic Healthcare Settings.NeurIPS 2022 - Thirty-sixth Conference on Neural Information Processing SystemsProceedings of NeurIPSNew Orleans, United StatesNovember 2022
  HALback to text
• 36 inproceedingsN.Natalia Tomashenko, S.Salima Mdhaffar, M.Marc Tommasi, Y.Yannick Estève and J.-F.Jean-François Bonastre. Privacy attacks for automatic speech recognition acoustic models in a federated learning framework.ICASSP 2022Singapour, Singapore2022
  HALback to text

National peer-reviewed Conferences

• 37 inproceedingsS.Salima Mdhaffar, J.-F. A.Jean-François A Bonastre, M.Marc Tommasi, N.Natalia Tomashenko and Y.Yannick Estève. Extraction d'informations liées au locuteur depuis un modèle acoustique personnalisé.JEP 2022JEP 2022île de Noirmoutier, FranceJune 2022
  HALback to text
• 38 inproceedingsN.Natalia Tomashenko, S.Salima Mdhaffar, M.Marc Tommasi, Y.Yannick Estève and J.-F.Jean-François Bonastre. On speaker verification from the neural network footprint of personalized acoustic models.Journées d'Études sur la Parole - JEP2022Île de Noirmoutier, FranceJune 2022
  HALback to text

Scientific book chapters

• 39 inbookM.Marco Dijkslag, M.Marc Damie, F.Florian Hahn and A.Andreas Peter. Passive Query-Recovery Attack Against Secure Conjunctive Keyword Search Schemes.13269Applied Cryptography and Network SecurityLecture Notes in Computer ScienceSpringer International PublishingJune 2022, 126-146
  HALDOIback to text

Doctoral dissertations and habilitation theses

• 40 thesisM.Mahsa Asadi. Identifying structure in online and collaborative learning problems.Lille UniversityNovember 2022
  HALback to textback to text
• 41 thesisC.César Sabater. Efficient and Robust Protocols for Privacy-Preserving Semi-Decentralized Machine Learning.Université de LilleJune 2022
  HALback to textback to text

Reports & preprints

• 42 miscB. L.Batiste Le Bars, A.Aurélien Bellet, M.Marc Tommasi, E.Erick Lavoie and A.-M.Anne-Marie Kermarrec. Refined Convergence and Topology Learning for Decentralized SGD with Heterogeneous Data.December 2022
  HALback to textback to text
• 43 miscG.Gaurav Maheshwari and M.Michaël Perrot. FairGrad: Fairness Aware Gradient Descent.June 2022
  HALback to text
• 44 miscA.Aishik Mandal, M.Michaël Perrot and D.Debarghya Ghoshdastidar. A Revenue Function for Comparison-Based Hierarchical Clustering.November 2022
  HALback to text
• 45 miscP.Paul Mangold, A.Aurélien Bellet, J.Joseph Salmon and M.Marc Tommasi. High-Dimensional Private Empirical Risk Minimization by Greedy Coordinate Descent.2022
  HALback to text
• 46 miscP.Paul Mangold, M.Michaël Perrot, A.Aurélien Bellet and M.Marc Tommasi. Fairness Certificates for Differentially Private Classification.October 2022
  HALback to text
• 47 miscN.Natalia Tomashenko, X.Xin Wang, E.Emmanuel Vincent, J.Jose Patino, B. M.Brij Mohan Lal Srivastava, P.-G.Paul-Gauthier Noé, A.Andreas Nautsch, N.Nicholas Evans, J.Junichi Yamagishi, B.Benjamin O'Brien, A.Anaïs Chanclu, J.-F.Jean-François Bonastre, M.Massimiliano Todisco and M.Mohamed Maouche. Supplementary material to the paper The VoicePrivacy 2020 Challenge: Results and findings.September 2022
  HALback to text

Other scientific publications

• 48 inproceedingsM.Mathieu Kermarec, L.Louis Bigo and M.Mikaela Keller. Improving Tokenization Expressiveness With Pitch Intervals.23rd International Society for Music Information Retrieval Conference (ISMIR 2022), Late-Breaking Demo SessionBangaluru, IndiaDecember 2022
  HALback to text