Dongwoo Kim,Cyril Guyot

DOI: https://doi.org/10.1109/TIFS.2023.3263631

IF: 7.231

IEEE Transactions on Information Forensics and Security

Abstract:Inference of machine learning models with data privacy guarantees has been widely studied as privacy concerns are getting growing attention from the community. Among others, secure inference based on Fully Homomorphic Encryption (FHE) has proven its utility by providing stringent data privacy at sometimes affordable cost. Still, previous work was restricted to shallow and narrow neural networks and simple tasks due to the high computational cost incurred from FHE. In this paper, we propose a more efficient way of evaluating convolutions with FHE, where the cost remains constant regardless of the kernel size, resulting in 12–<inline-formula> <tex-math notation="LaTeX">$46\times $ </tex-math></inline-formula> timing improvement on various kernel sizes. Combining our methods with FHE bootstrapping, we achieve at least 18.9% (and 48.1%) timing reduction in homomorphic evaluation of 20-layer CNN classifiers (and a part of it) on CIFAR10/100 (and ImageNet, respectively) datasets. Furthermore, in consideration of our methods being effective for evaluating CNNs with intensive convolutional operations and exploring such CNNs, we achieve at least <inline-formula> <tex-math notation="LaTeX">$5\times $ </tex-math></inline-formula> faster inference on CIFAR10/100 with FHE than the prior works having the same or less accuracy.

Computer Science

Junghyun Lee,Eunsang Lee,Young-Sik Kim,Yongwoo Lee,Joon-Woo Lee,Yongjune Kim,Jong-Seon No

2024-05-29

Abstract:Recent studies have explored the deployment of privacy-preserving deep neural networks utilizing homomorphic encryption (HE), especially for private inference (PI). Many works have attempted the approximation-aware training (AAT) approach in PI, changing the activation functions of a model to low-degree polynomials that are easier to compute on HE by allowing model retraining. However, due to constraints in the training environment, it is often necessary to consider post-training approximation (PTA), using the pre-trained parameters of the existing plaintext model without retraining. Existing PTA studies have uniformly approximated the activation function in all layers to a high degree to mitigate accuracy loss from approximation, leading to significant time consumption. This study proposes an optimized layerwise approximation (OLA), a systematic framework that optimizes both accuracy loss and time consumption by using different approximation polynomials for each layer in the PTA scenario. For efficient approximation, we reflect the layerwise impact on the classification accuracy by considering the actual input distribution of each activation function while constructing the optimization problem. Additionally, we provide a dynamic programming technique to solve the optimization problem and achieve the optimized layerwise degrees in polynomial time. As a result, the OLA method reduces inference times for the ResNet-20 model and the ResNet-32 model by 3.02 times and 2.82 times, respectively, compared to prior state-of-the-art implementations employing uniform degree polynomials. Furthermore, we successfully classified CIFAR-10 by replacing the GELU function in the ConvNeXt model with only 3-degree polynomials using the proposed method, without modifying the backbone model.

Cryptography and Security,Artificial Intelligence

Aftab Akram,Fawad Khan,Shahzaib Tahir,Asif Iqbal,Syed Aziz Shah,Abdullah Baz

DOI: https://doi.org/10.1109/access.2024.3357145

IF: 3.9

2024-02-03

IEEE Access

Abstract:The application of machine learning in healthcare, financial, social media, and other sensitive sectors not only involves high accuracy but privacy as well. Due to the emergence of the Cloud as a computation and one-to-many access paradigm; training and classification/inference tasks have been outsourced to Cloud. However, its usage is limited due to legal and ethical constraints regarding privacy. In this work, we propose a privacy-preserving neural networks-based classification model based on Homomorphic Encryption (HE) where the user can send an encrypted instance to the cloud and receive an encrypted inference from it to preserve the user's query privacy. In contrast to existing works, we demonstrate the realistic limitations of HE for privacy-preserving machine learning by changing its parameters for enhanced security and accuracy. We showcase scenarios where the choice of HE parameters impedes accurate classification and present an optimized setting for achieving reliable classification. We present several results to demonstrate its effectiveness using MNIST dataset with highly improved inference time for a query as compared to the state of the art.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yuan Gao,Zehuan Hu,Wei-An Chen,Mingzhe Liu,Yingjun Ruan

DOI: https://doi.org/10.1016/j.apenergy.2024.124844

IF: 11.2

2025-01-01

Applied Energy

Abstract:Deep learning models are increasingly being used to predict renewable energy-related variables, such as solar radiation and outdoor temperature. However, the black-box nature of these models results in a lack of interpretability in their predictions, and the design of deep network architectures significantly impacts the final prediction outcomes. The introduction of Kolmogorov–Arnold Network (KAN) provides an excellent solution to both of these issues. We hope that the KAN mechanism can provide fully interpretable neural network models, enhancing the potential for practical deployment. At the same time, KAN is capable of achieving good prediction results across various network architectures and neuron counts. We conducted case studies using real-world data from the Tokyo Meteorological Observatory to predict solar radiation and outdoor temperature, comparing the results with those of commonly used recurrent neural network baseline models. The results indicate that KAN can maintain model performance regardless of the chosen number of neurons. For instance, in the solar radiation prediction task, the KAN with a single hidden neuron reduces the MSE error by 75.33% compared to the baseline model. More importantly, KAN allows for the quantification of each step in the network’s computations, thereby enhancing overall interpretability.

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Rongxing Lu,Hui Li

DOI: https://doi.org/10.1016/j.ins.2023.119480

IF: 8.1

2023-08-12

Information Sciences

Abstract:Due to the excellent efficiency and high interpretability, coupled with the accuracy comparable to deep learning on tabular data, various tree-based models have been widely concerned and succeeded in many fields like medical diagnosis, credit evaluation, and fault detection. However, the model owner may face dilemmas such as compromised privacy and insufficient machine performance when providing tree-based inference services. Therefore, this paper proposes an efficient and privacy-preserving tree-based inference scheme, through which users can enjoy secure, high-accuracy, and transparent outsourcing inference services from one cloud. Specifically, by adopting additive homomorphic encryption as the underlying privacy-preserving technique, we design a suite of perturbation and recovery methods, processing cipher-based inference while masking the inference path. Meanwhile, without additional interactions, users can directly obtain high-accuracy results comparable to non-privacy inference, so the used privacy-preserving methods seem transparent to users. Moreover, through optimizing algorithm design and precalculating partial ciphertexts, the efficiency of our scheme is improved significantly. Formal security analysis demonstrates that our scheme achieves selective security under the honest-but-curious model. Extensive experimental evaluation shows the lossless accuracy, low complexity, and high efficiency of our scheme, which is practical to real-world scenes, especially for large-scale models.

computer science, information systems

Peng Zhang,Zhiyuan Hu,Yu Wang,Liquan Chen

DOI: https://doi.org/10.1109/WCCCT60665.2024.10541346

2024-04-12

Abstract:The utilization of convolutional neural network (CNN) inference models has gained widespread adoption across various domains; however, it raises concerns regarding user privacy and security due to the requirement of plaintext information during the inference process. Homomorphic encryption has been proposed as a viable solution to address CNN’s security issues. Nevertheless, this encryption algorithm encounters certain limitations such as significant ciphertext expansion, restricted nonlinear computing power, and limited number of multiplications, which hinder its application in CNN inference models. In this paper, we present an inference model framework that leverages the single instruction multiple data and ciphertext rotation functions of homomorphic encryption along with the additive secret sharing (ASS) concept to design and transform each network layer of CNN. Our approach effectively mitigates ciphertext expansion rate while enhancing computational efficiency and reducing communication volume without compromising on inference accuracy.

Computer Science

Nikita P. Kalinin,Simone Bombari,Hossein Zakerinia,Christoph H. Lampert

2024-07-17

Abstract:We study the Kolmogorov-Arnold Network (KAN), recently proposed as an alternative to the classical Multilayer Perceptron (MLP), in the application for differentially private model training. Using the DP-SGD algorithm, we demonstrate that KAN can be made private in a straightforward manner and evaluated its performance across several datasets. Our results indicate that the accuracy of KAN is not only comparable with MLP but also experiences similar deterioration due to privacy constraints, making it suitable for differentially private model training.

Machine Learning,Cryptography and Security

Edward Chou,Josh Beal,Daniel Levy,Serena Yeung,Albert Haque,Li Fei-Fei

DOI: https://doi.org/10.48550/arXiv.1811.09953

2018-11-25

Abstract:Homomorphic encryption enables arbitrary computation over data while it remains encrypted. This privacy-preserving feature is attractive for machine learning, but requires significant computational time due to the large overhead of the encryption scheme. We present Faster CryptoNets, a method for efficient encrypted inference using neural networks. We develop a pruning and quantization approach that leverages sparse representations in the underlying cryptosystem to accelerate inference. We derive an optimal approximation for popular activation functions that achieves maximally-sparse encodings and minimizes approximation error. We also show how privacy-safe training techniques can be used to reduce the overhead of encrypted inference for real-world datasets by leveraging transfer learning and differential privacy. Our experiments show that our method maintains competitive accuracy and achieves a significant speedup over previous methods. This work increases the viability of deep learning systems that use homomorphic encryption to protect user privacy.

Cryptography and Security

Chen Song,Ruwei Huang

DOI: https://doi.org/10.3390/app13106117

2023-05-16

Applied Sciences

Abstract:Today, the rapid development of deep learning has spread across all walks of life, and it can be seen in various fields such as image classification, automatic driving, and medical imaging diagnosis. Convolution Neural Networks (CNNs) are also widely used by the public as tools for deep learning. In real life, if local customers implement large-scale model inference first, they need to upload local data to the cloud, which will cause problems such as data leakage and privacy disclosure. To solve this problem, we propose a framework using homomorphic encryption technology. Our framework has made improvements to the batch operation and reduced the complexity of layer connection. In addition, we provide a new perspective to deal with the impact of the noise caused by the homomorphic encryption scheme on the accuracy during the inference. In our scheme, users preprocess the images locally and then send them to the cloud for encrypted inference without worrying about privacy leakage during the inference process. Experiments show that our proposed scheme is safe and efficient, which provides a safe solution for users who cannot process data locally.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Takumi Ishiyama,Takuya Suzuki,Hayato Yamana

DOI: https://doi.org/10.48550/arXiv.2009.03727

2020-12-02

Abstract:In the big data era, cloud-based machine learning as a service (MLaaS) has attracted considerable attention. However, when handling sensitive data, such as financial and medical data, a privacy issue emerges, because the cloud server can access clients' raw data. A common method of handling sensitive data in the cloud uses homomorphic encryption, which allows computation over encrypted data without decryption. Previous research usually adopted a low-degree polynomial mapping function, such as the square function, for data classification. However, this technique results in low classification accuracy. In this study, we seek to improve the classification accuracy for inference processing in a convolutional neural network (CNN) while using homomorphic encryption. We adopt an activation function that approximates Google's Swish activation function while using a fourth-order polynomial. We also adopt batch normalization to normalize the inputs for the Swish function to fit the input range to minimize the error. We implemented CNN inference labeling over homomorphic encryption using the Microsoft's Simple Encrypted Arithmetic Library for the Cheon-Kim-Kim-Song (CKKS) scheme. The experimental evaluations confirmed classification accuracies of 99.22% and 80.48% for MNIST and CIFAR-10, respectively, which entails 0.04% and 4.11% improvements, respectively, over previous methods.

Machine Learning,Cryptography and Security

Parsa Ghazvinian,Robert Podschwadt,Prajwal Panzade,Mohammad H. Rafiei,Daniel Takabi

2024-12-11

Abstract:Due to the extensive application of machine learning (ML) in a wide range of fields and the necessity of data privacy, privacy-preserving machine learning (PPML) solutions have recently gained significant traction. One group of approaches relies on Homomorphic Encryption (HE), which enables us to perform ML tasks over encrypted data. However, even with state-of-the-art HE schemes, HE operations are still significantly slower compared to their plaintext counterparts and require a considerable amount of memory. Therefore, we propose MOFHEI, a framework that optimizes the model to make HE-based neural network inference, referred to as private inference (PI), fast and efficient. First, our proposed learning-based method automatically transforms a pre-trained ML model into its compatible version with HE operations, called the HE-friendly version. Then, our iterative block pruning method prunes the model's parameters in configurable block shapes in alignment with the data packing method. This allows us to drop a significant number of costly HE operations, thereby reducing the latency and memory consumption while maintaining the model's performance. We evaluate our framework through extensive experiments on different models using various datasets. Our method achieves up to 98% pruning ratio on LeNet, eliminating up to 93% of the required HE operations for performing PI, reducing latency and the required memory by factors of 9.63 and 4.04, respectively, with negligible accuracy loss.

Cryptography and Security

Peng Zhang,Ao Duan,Xianglu Zou,Yuhong Liu

2024-03-16

Abstract:Privacy-Preserving Neural Networks (PPNN) are advanced to perform inference without breaching user privacy, which can serve as an essential tool for medical diagnosis to simultaneously achieve big data utility and privacy protection. As one of the key techniques to enable PPNN, Fully Homomorphic Encryption (FHE) is facing a great challenge that homomorphic operations cannot be easily adapted for non-linear activation calculations. In this paper, batch-oriented element-wise data packing and approximate activation are proposed, which train linear low-degree polynomials to approximate the non-linear activation function - ReLU. Compared with other approximate activation methods, the proposed fine-grained, trainable approximation scheme can effectively reduce the accuracy loss caused by approximation errors. Meanwhile, due to element-wise data packing, a large batch of images can be packed and inferred concurrently, leading to a much higher utility ratio of ciphertext slots. Therefore, although the total inference time increases sharply, the amortized time for each image actually decreases, especially when the batch size increases. Furthermore, knowledge distillation is adopted in the training process to further enhance the inference accuracy. Experiment results show that when ciphertext inference is performed on 4096 input images, compared with the current most efficient channel-wise method, the inference accuracy is improved by 1.65%, and the amortized inference time is reduced by 99.5%.

Cryptography and Security

Jianming Tong,Jingtian Dang,Anupam Golder,Callie Hao,Arijit Raychowdhury,Tushar Krishna

2024-05-08

Abstract:As machine learning (ML) permeates fields like healthcare, facial recognition, and blockchain, the need to protect sensitive data intensifies. Fully Homomorphic Encryption (FHE) allows inference on encrypted data, preserving the privacy of both data and the ML model. However, it slows down non-secure inference by up to five magnitudes, with a root cause of replacing non-polynomial operators (ReLU and MaxPooling) with high-degree Polynomial Approximated Function (PAF). We propose SmartPAF, a framework to replace non-polynomial operators with low-degree PAF and then recover the accuracy of PAF-approximated model through four techniques: (1) Coefficient Tuning (CT) -- adjust PAF coefficients based on the input distributions before training, (2) Progressive Approximation (PA) -- progressively replace one non-polynomial operator at a time followed by a fine-tuning, (3) Alternate Training (AT) -- alternate the training between PAFs and other linear operators in the decoupled manner, and (4) Dynamic Scale (DS) / Static Scale (SS) -- dynamically scale PAF input value within (-1, 1) in training, and fix the scale as the running max value in FHE deployment. The synergistic effect of CT, PA, AT, and DS/SS enables SmartPAF to enhance the accuracy of the various models approximated by PAFs with various low degrees under multiple datasets. For ResNet-18 under ImageNet-1k, the Pareto-frontier spotted by SmartPAF in latency-accuracy tradeoff space achieves 1.42x ~ 13.64x accuracy improvement and 6.79x ~ 14.9x speedup than prior works. Further, SmartPAF enables a 14-degree PAF (f1^2 g_1^2) to achieve 7.81x speedup compared to the 27-degree PAF obtained by minimax approximation with the same 69.4% post-replacement accuracy. Our code is available at

Cryptography and Security

Wei-Hsing Huang,Jianwei Jia,Yuyao Kong,Faaiq Waqar,Tai-Hao Wen,Meng-Fan Chang,Shimeng Yu

2024-09-10

Abstract:Recently, a novel model named Kolmogorov-Arnold Networks (KAN) has been proposed with the potential to achieve the functionality of traditional deep neural networks (DNNs) using orders of magnitude fewer parameters by parameterized B-spline functions with trainable coefficients. However, the B-spline functions in KAN present new challenges for hardware acceleration. Evaluating the B-spline functions can be performed by using look-up tables (LUTs) to directly map the B-spline functions, thereby reducing computational resource requirements. However, this method still requires substantial circuit resources (LUTs, MUXs, decoders, etc.). For the first time, this paper employs an algorithm-hardware co-design methodology to accelerate KAN. The proposed algorithm-level techniques include Alignment-Symmetry and PowerGap KAN hardware aware quantization, KAN sparsity aware mapping strategy, and circuit-level techniques include N:1 Time Modulation Dynamic Voltage input generator with analog-CIM (ACIM) circuits. The impact of non-ideal effects, such as partial sum errors caused by the process variations, has been evaluated with the statistics measured from the TSMC 22nm RRAM-ACIM prototype chips. With the best searched hyperparameters of KAN and the optimized circuits implemented in 22 nm node, we can reduce hardware area by 41.78x, energy by 77.97x with 3.03% accuracy boost compared to the traditional DNN hardware.

Hardware Architecture

Qian Chen,Lin Yao,Yulin Wu,Xuan Wang,Weizhe Zhang,Zoe L. Jiang,Yang Liu,Mamoun Alazab

DOI: https://doi.org/10.1109/ICDIS55630.2022.00027

2022-01-01

Abstract:Deep learning inference provides inference service by service provider with model for client with input of personal data. Due to the huge commercial value inside, on one hand, both client's original data and inference output should be kept secret from others, even including service provider. On the other hand, service provider's model should be kept secret, especially from his competitor. Current research on privacy-preserving deep learning inference focuses on building models with specific data. This paper proposes a generic framework PyHENet of privacy-preserving deep learning inference based on Pytorch and lattice-based FHE, such that crypto library can be flexibly embedded into network. Firstly, raw data is encrypted by lattice-based FHE and uploaded to service provider. Secondly, convolutional computation over float-point ciphertext data is proposed for service provider to execute low accuracy loss inference with aided parallel method SIMD. Thirdly, inference result in ciphertext format is sent back to client for decryption. To improve efficiency, inference procedure can be further divided into two phases. All the computations during the second phase are in plaintext format with GPU acceleration, while keeping the first phase unchanged. Using the same model and parameters, the relative accuracy of PyHENet is almost 100% compared to the plaintext inference. This paper is the first to propose a general framework of neural networks for fully homomorphic cryptographic inference, and is based on mainstream deep learning frameworks, which is both secure and more conducive to development.

Ziming Liu,Yixuan Wang,Sachin Vaidya,Fabian Ruehle,James Halverson,Marin Soljačić,Thomas Y. Hou,Max Tegmark

2024-06-16

Abstract:Inspired by the Kolmogorov-Arnold representation theorem, we propose Kolmogorov-Arnold Networks (KANs) as promising alternatives to Multi-Layer Perceptrons (MLPs). While MLPs have fixed activation functions on nodes ("neurons"), KANs have learnable activation functions on edges ("weights"). KANs have no linear weights at all -- every weight parameter is replaced by a univariate function parametrized as a spline. We show that this seemingly simple change makes KANs outperform MLPs in terms of accuracy and interpretability. For accuracy, much smaller KANs can achieve comparable or better accuracy than much larger MLPs in data fitting and PDE solving. Theoretically and empirically, KANs possess faster neural scaling laws than MLPs. For interpretability, KANs can be intuitively visualized and can easily interact with human users. Through two examples in mathematics and physics, KANs are shown to be useful collaborators helping scientists (re)discover mathematical and physical laws. In summary, KANs are promising alternatives for MLPs, opening opportunities for further improving today's deep learning models which rely heavily on MLPs.

Machine Learning,Disordered Systems and Neural Networks,Artificial Intelligence

Engin Zeydan,Cristian J. Vaca-Rubio,Luis Blanco,Roberto Pereira,Marius Caus,Abdullah Aydeger

2024-07-30

Abstract:In this paper, we present an innovative federated learning (FL) approach that utilizes Kolmogorov-Arnold Networks (KANs) for classification tasks. By utilizing the adaptive activation capabilities of KANs in a federated framework, we aim to improve classification capabilities while preserving privacy. The study evaluates the performance of federated KANs (F- KANs) compared to traditional Multi-Layer Perceptrons (MLPs) on classification task. The results show that the F-KANs model significantly outperforms the federated MLP model in terms of accuracy, precision, recall, F1 score and stability, and achieves better performance, paving the way for more efficient and privacy-preserving predictive analytics.

Machine Learning,Artificial Intelligence,Cryptography and Security,Networking and Internet Architecture

Qiao Zhang,Tao Xiang,Chunsheng Xin,Biwen Chen,Hongyi Wu

DOI: https://doi.org/10.48550/arxiv.2209.01637

2022-01-01

Abstract:While it is encouraging to witness the recent development in privacy-preserving Machine Learning as a Service (MLaaS), there still exists a significant performance gap for its deployment in real-world applications. We observe the state-of-the-art frameworks follow a compute-and-share principle for every function output where the summing in linear functions, which is the last of two steps for function output, involves all rotations (which is the most expensive HE operation), and the multiplexing in nonlinear functions, which is also the last of two steps for function output, introduces noticeable communication rounds. Therefore, we challenge the conventional compute-and-share logic and introduce the first joint linear and nonlinear computation across functions that features by 1) the PHE triplet for computing the nonlinear function, with which the multiplexing is eliminated; 2) the matrix encoding to calculate the linear function, with which all rotations for summing is removed; and 3) the network adaptation to reassemble the model structure, with which the joint computation module is utilized as much as possible. The boosted efficiency is verified by the numerical complexity, and the experiments demonstrate up to 13x speedup for various functions used in the state-of-the-art models and up to 5x speedup over mainstream neural networks.

Bernardo Pulido-Gaytan,Andrei Tchernykh

DOI: https://doi.org/10.1371/journal.pone.0306420

IF: 3.7

2024-07-22

PLoS ONE

Abstract:The widespread adoption of cloud computing necessitates privacy-preserving techniques that allow information to be processed without disclosure. This paper proposes a method to increase the accuracy and performance of privacy-preserving Convolutional Neural Networks with Homomorphic Encryption (CNN-HE) by Self-Learning Activation Functions (SLAF). SLAFs are polynomials with trainable coefficients updated during training, together with synaptic weights, for each polynomial independently to learn task-specific and CNN-specific features. We theoretically prove its feasibility to approximate any continuous activation function to the desired error as a function of the SLAF degree. Two CNN-HE models are proposed: CNN-HE-SLAF and CNN-HE-SLAF-R. In the first model, all activation functions are replaced by SLAFs, and CNN is trained to find weights and coefficients. In the second one, CNN is trained with the original activation, then weights are fixed, activation is substituted by SLAF, and CNN is shortly re-trained to adapt SLAF coefficients. We show that such self-learning can achieve the same accuracy 99.38% as a non-polynomial ReLU over non-homomorphic CNNs and lead to an increase in accuracy (99.21%) and higher performance (6.26 times faster) than the state-of-the-art CNN-HE CryptoNets on the MNIST optical character recognition benchmark dataset.

Tianyu Chen,Hangbo Bao,Shaohan Huang,Li Dong,Binxing Jiao,Daxin Jiang,Haoyi Zhou,Jianxin Li,Furu Wei

DOI: https://doi.org/10.18653/v1/2022.findings-acl.277

2022-01-01

Abstract:As more and more pre-trained language models adopt on-cloud deployment, the privacy issues grow quickly, mainly for the exposure of plain-text user data (e.g., search history, medical record, bank account). Privacy-preserving inference of transformer models is on the demand of cloud service users. To protect privacy, it is an attractive choice to compute only with ciphertext in homomorphic encryption (HE). However, enabling pre-trained models inference on ciphertext data is difficult due to the complex computations in transformer blocks, which are not supported by current HE tools yet. In this work, we introduce THE-X, an approximation approach for transformers, which enables privacy-preserving inference of pre-trained models developed by popular frameworks. THE-X proposes a workflow to deal with complex computation in transformer networks, including all the non-polynomial functions like GELU, softmax, and Layer-Norm. Experiments reveal our proposed THE-X can enable transformer inference on encrypted data for different downstream tasks, all with negligible performance drop but enjoying the theory-guaranteed privacy-preserving advantage.