pith. sign in

arxiv: 2603.01098 · v2 · submitted 2026-03-01 · 💻 cs.CV · cs.AI· cs.LG

Differential privacy representation geometry for medical image analysis

Soroosh Tayebi Arasteh , Marziyeh Mohammadi , Sven Nebelung , Daniel Truhn This is my paper

Pith reviewed 2026-05-15 18:01 UTC · model grok-4.3

classification 💻 cs.CV cs.AIcs.LG
keywords differential privacyrepresentation geometrymedical imagingchest x-rayutilization gaplinear separabilityspectral dimensionprivacy utility trade-off
0
0 comments X

The pith

Differential privacy creates a consistent utilization gap in medical image representations even when linear separability holds.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents a framework that treats differential privacy as a transformation on the geometry of learned representations in medical imaging models. It separates the resulting drop in performance into two parts: changes to the shape and spread of the encoder features, measured by how far they move from their starting point and by their effective spectral dimension, and a utilization gap that shows how much of the preserved linear structure the final task head actually exploits. Experiments across hundreds of thousands of chest X-ray images and several starting models find the utilization gap appears reliably under privacy, while the geometric shifts are irregular and depend on the initial model and the specific dataset. This decomposition explains why accuracy falls without the representations simply shrinking or becoming inseparable.

Core claim

DP-RGMI decomposes privacy-induced loss into encoder geometry (representation displacement from initialization and spectral effective dimension) and task-head utilization (linear-probe versus end-to-end gap). Across four chest X-ray datasets the utilization gap remains consistent even when linear separability is largely preserved, whereas displacement and spectral dimension reshape non-monotonically and depend on initialization and data, showing that privacy changes representation anisotropy rather than uniformly collapsing features.

What carries the argument

DP-RGMI framework that measures representation geometry through displacement from initialization and spectral effective dimension while measuring utilization as the gap between linear-probe accuracy and end-to-end accuracy.

If this is right

  • End-to-end performance correlates robustly with the utilization gap across datasets.
  • Geometric measures capture extra variation that depends on the starting model and the dataset.
  • Privacy changes feature anisotropy instead of producing uniform collapse.
  • The framework can diagnose which privacy settings produce which failure mode and guide selection of noise levels.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same separation of geometry and utilization could be applied to non-medical imaging tasks to test whether the utilization gap is domain-specific.
  • Tracking the utilization gap during training might allow early stopping or adjustment of privacy parameters without running full end-to-end evaluations.
  • If the non-monotonic geometric reshaping holds, there may exist intermediate privacy strengths that improve certain anisotropy properties while still limiting leakage.

Load-bearing premise

The chosen metrics of displacement, spectral dimension, and the linear-probe to end-to-end gap together fully account for performance loss without omitting other mechanisms.

What would settle it

A controlled run in which the utilization gap vanishes while end-to-end accuracy still drops, or in which accuracy falls without any measurable change in the reported geometric quantities.

Figures

Figures reproduced from arXiv: 2603.01098 by Daniel Truhn, Marziyeh Mohammadi, Soroosh Tayebi Arasteh, Sven Nebelung.

Figure 1
Figure 1. Figure 1: Overview of DP-RGMI framework decomposing DP training into repre [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Per-label utilization gaps G(ε) for different ε on the PadChest dataset [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Generalization results on CheXpert and ChestX-ray14 datasets. [PITH_FULL_IMAGE:figures/full_fig_p008_3.png] view at source ↗
read the original abstract

Differential privacy (DP)'s effect in medical imaging is typically evaluated only through end-to-end performance, leaving the mechanism of privacy-induced utility loss unclear. We introduce Differential Privacy Representation Geometry for Medical Imaging (DP-RGMI), a framework that interprets DP as a structured transformation of representation space and decomposes performance degradation into encoder geometry and task-head utilization. Geometry is quantified by representation displacement from initialization and spectral effective dimension, while utilization is measured as the gap between linear-probe and end-to-end utility. Across over 594,000 images from four chest X-ray datasets and multiple pretrained initializations, we show that DP is consistently associated with a utilization gap even when linear separability is largely preserved. At the same time, displacement and spectral dimension exhibit non-monotonic, initialization- and dataset-dependent reshaping, indicating that DP alters representation anisotropy rather than uniformly collapsing features. Correlation analysis reveals that the association between end-to-end performance and utilization is robust across datasets but can vary by initialization, while geometric quantities capture additional prior- and dataset-conditioned variation. These findings position DP-RGMI as a reproducible framework for diagnosing privacy-induced failure modes and informing privacy model selection.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript introduces the DP-RGMI framework to analyze differential privacy effects on representation geometry in medical image analysis. It decomposes DP-induced performance degradation into encoder geometry changes, quantified by representation displacement from initialization and spectral effective dimension, and task-head utilization measured by the gap between linear-probe and end-to-end utility. Large-scale experiments on over 594,000 chest X-ray images from four datasets show that DP is associated with a utilization gap despite preserved linear separability, while displacement and spectral dimension show non-monotonic, dataset- and initialization-dependent changes, suggesting DP alters representation anisotropy rather than causing uniform collapse.

Significance. If the results hold, this work provides a valuable empirical framework for diagnosing how differential privacy impacts learned representations in medical imaging, beyond end-to-end performance metrics. The scale of the experiments across multiple datasets and initializations offers robust evidence for the observed patterns, and the distinction between geometric and utilization effects could inform better privacy-utility trade-offs in sensitive domains.

major comments (2)
  1. [Methods and Results] The central claim attributes the utilization gap and non-monotonic geometric reshaping to DP-induced changes in representation anisotropy. However, because DP is realized exclusively via DP-SGD, the observed effects may instead reflect impaired joint optimization under noisy gradients rather than properties of the final encoder geometry. Without an ablation that applies matched non-private gradient noise (or equivalent perturbation without privacy accounting), the decomposition into geometry versus utilization cannot be isolated from training-dynamics confounds.
  2. [Results] The reported correlations between end-to-end performance and utilization gap are described as robust across datasets but variable by initialization. The manuscript does not report the precise statistical tests, confidence intervals, or correction for multiple comparisons used to support these claims, which is load-bearing for the assertion that geometric quantities capture additional prior- and dataset-conditioned variation.
minor comments (1)
  1. [Abstract] The abstract states that linear separability is 'largely preserved' but does not define the threshold or metric used for this assessment; adding this detail would improve reproducibility.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments, which help clarify the scope and robustness of our DP-RGMI framework. We address each major point below and commit to revisions that strengthen the isolation of DP effects and the statistical reporting.

read point-by-point responses

  1. Referee: [Methods and Results] The central claim attributes the utilization gap and non-monotonic geometric reshaping to DP-induced changes in representation anisotropy. However, because DP is realized exclusively via DP-SGD, the observed effects may instead reflect impaired joint optimization under noisy gradients rather than properties of the final encoder geometry. Without an ablation that applies matched non-private gradient noise (or equivalent perturbation without privacy accounting), the decomposition into geometry versus utilization cannot be isolated from training-dynamics confounds.

    Authors: We agree that DP-SGD couples privacy noise with gradient perturbation, and an ablation isolating privacy accounting from generic noisy optimization would strengthen causal attribution. In the revised manuscript we will add a controlled ablation on two datasets (CheXpert and MIMIC-CXR) that applies Gaussian noise to gradients at the same per-sample variance as the DP runs but without privacy accounting or clipping. This will allow direct comparison of utilization gap and geometric metrics under matched noise levels, clarifying whether the observed anisotropy changes are DP-specific. revision: yes

  2. Referee: [Results] The reported correlations between end-to-end performance and utilization gap are described as robust across datasets but variable by initialization. The manuscript does not report the precise statistical tests, confidence intervals, or correction for multiple comparisons used to support these claims, which is load-bearing for the assertion that geometric quantities capture additional prior- and dataset-conditioned variation.

    Authors: We acknowledge the omission of formal statistical details. In the revision we will report Pearson correlation coefficients with 95% bootstrap confidence intervals, exact p-values, and apply Bonferroni correction across the 12 initialization–dataset combinations. These statistics will be added to a new supplementary table and referenced in the main text when discussing robustness and initialization dependence. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical decomposition with independent measurements

full rationale

The paper defines DP-RGMI as a measurement framework that quantifies encoder geometry via post-training displacement from initialization and spectral effective dimension, plus a utilization gap between linear-probe and end-to-end accuracy. These quantities are computed directly from trained models on held-out datasets (over 594k images across four chest X-ray collections and multiple initializations). No equations, fitted parameters, or self-citations are used to derive the reported associations; the non-monotonic patterns and correlation results are presented as observed outcomes rather than predictions forced by construction. The central claim therefore rests on external data rather than reducing to its own inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No explicit free parameters, axioms, or invented entities are stated in the abstract; the metrics appear derived from standard representation-learning quantities without new postulates.

pith-pipeline@v0.9.0 · 5517 in / 1185 out tokens · 65549 ms · 2026-05-15T18:01:26.913041+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

22 extracted references · 22 canonical work pages · 1 internal anchor

  1. [1]

    In: SIGSAC 2016

    Abadi, M., Chu, A., Goodfellow, I., McMahan, H.B., Mironov, I., Talwar, K., Zhang, L.: Deep learning with differential privacy. In: SIGSAC 2016. pp. 308–318

    work page 2016

  2. [2]

    In: NeurIPS 2019

    Ansuini, A., Laio, A., Macke, J.H., Zoccolan, D.: Intrinsic dimension of data rep- resentations in deep neural networks. In: NeurIPS 2019. vol. 32

    work page 2019

  3. [3]

    arXiv preprint arXiv:2601.19618 (2026)

    Arasteh, S.T., Farajiamiri, M., Lotfinia, M., et al.: The role of self-supervised pretraining in differentially private medical image analysis. arXiv preprint arXiv:2601.19618 (2026)

    work page arXiv 2026

  4. [4]

    Medical image anal- ysis66, 101797 (2020)

    Bustos, A., Pertusa, A., Salinas, J.M., De La Iglesia-Vaya, M.: Padchest: A large chest x-ray image dataset with multi-label annotated reports. Medical image anal- ysis66, 101797 (2020)

    work page 2020

  5. [5]

    In: ICML 2020

    Chen, T., Kornblith, S., Norouzi, M., Hinton, G.: A simple framework for con- trastive learning of visual representations. In: ICML 2020

    work page 2020

  6. [6]

    In: CVPR 2009

    Deng, J., Dong, W., Socher, R., Li, L.J., Li, K., Fei-Fei, L.: Imagenet: A large-scale hierarchical image database. In: CVPR 2009. pp. 248–255

    work page 2009

  7. [7]

    founda- tions and trends®in theoretical computer science 9 (3-4), 211–407 (2014)

    Dwork, C., Roth, A.: The algorithmic foundations of differential privacy. founda- tions and trends®in theoretical computer science 9 (3-4), 211–407 (2014)

    work page 2014

  8. [8]

    In: Proceedings of the AAAI conference on artificial intelligence

    Irvin, J., Rajpurkar, P., et al.: Chexpert: A large chest radiograph dataset with uncertainty labels and expert comparison. In: Proceedings of the AAAI conference on artificial intelligence. vol. 33, pp. 590–597 (2019)

    work page 2019

  9. [9]

    Sci Data6, 317 (2019)

    Johnson, A.E., Pollard, T.J., Berkowitz, S.J., Greenbaum, N.R., Lungren, M.P., Deng, C.y., Mark, R.G., Horng, S.: Mimic-cxr, a de-identified publicly available database of chest radiographs with free-text reports. Sci Data6, 317 (2019)

    work page 2019

  10. [10]

    Nat Mach Intell 3(6), 473–484 (2021) 10 Tayebi Arasteh et al

    Kaissis, G., Ziller, A., Passerat-Palmbach, J., Ryffel, T., Usynin, D., Trask, A., LimaJr,I.,Mancuso,J.,Jungmann,F.,Steinborn,M.M.,etal.:End-to-endprivacy preserving deep learning on multi-institutional medical imaging. Nat Mach Intell 3(6), 473–484 (2021) 10 Tayebi Arasteh et al

    work page 2021

  11. [11]

    In: CVPR 2022

    Liu, Z., Mao, H., Wu, C.Y., Feichtenhofer, C., Darrell, T., Xie, S.: A convnet for the 2020s. In: CVPR 2022. pp. 11976–11986

    work page 2022

  12. [12]

    In: 2017 IEEE 30th CSF

    Mironov, I.: Rényi differential privacy. In: 2017 IEEE 30th CSF. pp. 263–275

    work page 2017

  13. [13]

    npj Digit

    Mohammadi, M., Vejdanihemmat, M., Lotfinia, M., Rusu, M., Truhn, D., Maier, A., Tayebi Arasteh, S.: Differential privacy for medical deep learning: methods, tradeoffs, and deployment implications. npj Digit. Med.9, 93 (2026)

    work page 2026

  14. [14]

    Quantitative Applications in the Social Sciences (1993)

    Mooney, C.Z., Duval, R.D.: Bootstrapping: A Nonparametric Approach to Statis- tical Inference. Quantitative Applications in the Social Sciences (1993)

    work page 1993

  15. [15]

    DINOv3

    Siméoni, O., Vo, H.V., Seitzer, M., Baldassarre, F., Oquab, M., Jose, C., Khali- dov, V., Szafraniec, M., Yi, S., Ramamonjisoa, M., et al.: Dinov3. arXiv preprint arXiv:2508.10104 (2025)

    work page internal anchor Pith review Pith/arXiv arXiv 2025

  16. [16]

    Radi- ology: Artificial Intelligence6(1), e230212 (2023)

    Tayebi Arasteh, S., Lotfinia, M., Nolte, T., Sähn, M.J., Isfort, P., Kuhl, C., Nebelung, S., Kaissis, G., Truhn, D.: Securing collaborative medical ai by using differential privacy: Domain transfer for classification of chest radiographs. Radi- ology: Artificial Intelligence6(1), e230212 (2023)

    work page 2023

  17. [17]

    npj Artif

    Tayebi Arasteh, S., Lotfinia, M., Perez-Toro, P.A., et al.: Differential privacy en- ables fair and accurate ai-based analysis of speech disorders while protecting pa- tient data. npj Artif. Intell.1, 37 (2025)

    work page 2025

  18. [18]

    Commun Med4(1), 46 (2024)

    Tayebi Arasteh, S., Ziller, A., Kuhl, C., Makowski, M., Nebelung, S., Braren, R., Rueckert, D., Truhn, D., Kaissis, G.: Preserving fairness and diagnostic accuracy in private large-scale ai models for medical imaging. Commun Med4(1), 46 (2024)

    work page 2024

  19. [19]

    Nat Mach Intell3(9), 749–758 (2021)

    Usynin, D., Ziller, A., Makowski, M., Braren, R., Rueckert, D., Glocker, B., Kaissis, G., Passerat-Palmbach, J.: Adversarial interference and its mitigations in privacy- preserving collaborative machine learning. Nat Mach Intell3(9), 749–758 (2021)

    work page 2021

  20. [20]

    NeurIPS 201730

    Vaswani, A.: Attention is all you need. NeurIPS 201730

    work page

  21. [21]

    In: CVPR 2017

    Wang, X., Peng, Y., Lu, L., Lu, Z., Bagheri, M., Summers, R.M.: Chestx-ray8: Hospital-scale chest x-ray database and benchmarks on weakly-supervised classifi- cation and localization of common thorax diseases. In: CVPR 2017. pp. 2097–2106

    work page 2017

  22. [22]

    Nat Mach Intell6(7), 764–774 (2024)

    Ziller, A., Mueller, T.T., Stieger, S., Feiner, L.F., Brandt, J., Braren, R., Rueckert, D., Kaissis, G.: Reconciling privacy and accuracy in ai for medical imaging. Nat Mach Intell6(7), 764–774 (2024)

    work page 2024