This work addresses the lack of theoretical characterization of feature learning in differentially private stochastic gradient descent (DP-SGD). We establish the first theoretical framework from a feature-dynamics perspective, explicitly distinguishing the evolution of label-correlated signals from label-irrelevant noise during private training. Our method introduces a multi-patch analytical model based on a two-layer CNN with polynomial ReLU activations, modeling both signal learning and noise memorization under noisy gradient descent. We theoretically prove that private signal learning requires a higher signal-to-noise ratio (SNR), while noise memorization harms generalization. Experiments on synthetic and real-world datasets validate this mechanism and demonstrate that feature enhancement improves SNR and model performance. This work fills a critical theoretical gap in DP learning by formalizing feature dynamics, offering a novel paradigm for understanding the privacy–generalization trade-off.

Differentially private Stochastic Gradient Descent (DP-SGD) has become integral to privacy-preserving machine learning, ensuring robust privacy guarantees in sensitive domains. Despite notable empirical advances leveraging features from non-private, pre-trained models to enhance DP-SGD training, a theoretical understanding of feature dynamics in private learning remains underexplored. This paper presents the first theoretical framework to analyze private training through a feature learning perspective. Building on the multi-patch data structure from prior work, our analysis distinguishes between label-dependent feature signals and label-independent noise, a critical aspect overlooked by existing analyses in the DP community. Employing a two-layer CNN with polynomial ReLU activation, we theoretically characterize both feature signal learning and data noise memorization in private training via noisy gradient descent. Our findings reveal that (1) Effective private signal learning requires a higher signal-to-noise ratio (SNR) compared to non-private training, and (2) When data noise memorization occurs in non-private learning, it will also occur in private learning, leading to poor generalization despite small training loss. Our findings highlight the challenges of private learning and prove the benefit of feature enhancement to improve SNR. Experiments on synthetic and real-world datasets also validate our theoretical findings.