Fusheng Hao,Fengxiang He,Yikai Wang,Fuxiang Wu,Jing Zhang,Jun Cheng,Dacheng Tao

2023-06-06

Abstract:Massive human-related data is collected to train neural networks for computer vision tasks. A major conflict is exposed relating to software engineers between better developing AI systems and distancing from the sensitive training data. To reconcile this conflict, this paper proposes an efficient privacy-preserving learning paradigm, where images are first encrypted to become ``human-imperceptible, machine-recognizable'' via one of the two encryption strategies: (1) random shuffling to a set of equally-sized patches and (2) mixing-up sub-patches of the images. Then, minimal adaptations are made to vision transformer to enable it to learn on the encrypted images for vision tasks, including image classification and object detection. Extensive experiments on ImageNet and COCO show that the proposed paradigm achieves comparable accuracy with the competitive methods. Decrypting the encrypted images requires solving an NP-hard jigsaw puzzle or an ill-posed inverse problem, which is empirically shown intractable to be recovered by various attackers, including the powerful vision transformer-based attacker. We thus show that the proposed paradigm can ensure the encrypted images have become human-imperceptible while preserving machine-recognizable information. The code is available at \url{<a class="link-external link-https" href="https://github.com/FushengHao/PrivacyPreservingML" rel="external noopener nofollow">this https URL</a>.}

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning

Kouki Horio,Kiyoshi Nishikawa,Hitoshi Kiya

2024-08-16

Abstract:We propose a novel method for privacy-preserving fine-tuning vision transformers (ViTs) with encrypted images. Conventional methods using encrypted images degrade model performance compared with that of using plain images due to the influence of image encryption. In contrast, the proposed encryption method using restricted random permutation matrices can provide a higher performance than the conventional ones.

Computer Vision and Pattern Recognition

Zheng Qi,AprilPyone MaungMaung,Yuma Kinoshita,Hitoshi Kiya

DOI: https://doi.org/10.48550/arXiv.2205.12041

2022-05-24

Computer Vision and Pattern Recognition

Abstract:In this paper, we propose a privacy-preserving image classification method that is based on the combined use of encrypted images and the vision transformer (ViT). The proposed method allows us not only to apply images without visual information to ViT models for both training and testing but to also maintain a high classification accuracy. ViT utilizes patch embedding and position embedding for image patches, so this architecture is shown to reduce the influence of block-wise image transformation. In an experiment, the proposed method for privacy-preserving image classification is demonstrated to outperform state-of-the-art methods in terms of classification accuracy and robustness against various attacks.

Qihua Feng,Peiya Li,Zhixun Lu,Chaozhuo Li,Zefang Wang,Zhiquan Liu,Chunhui Duan,Feiran Huang

DOI: https://doi.org/10.1109/tcsvt.2024.3370668

IF: 5.859

2024-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Image retrieval systems help users to browse and search among extensive images in real-time. With the rise of cloud computing, retrieval tasks are usually outsourced to cloud servers. However, the cloud scenario brings a daunting challenge of privacy protection as cloud servers cannot be fully trusted. To this end, image-encryption-based privacy-preserving image retrieval schemes have been developed, which first extract features from cipher-images, and then build retrieval models based on these features. Yet, most existing approaches extract shallow features and design trivial retrieval models, resulting in insufficient expressiveness for the cipher-images. In this paper, we propose a novel paradigm named Encrypted Vision Transformer (EViT), which advances the discriminative representations capability of cipher-images. First, in order to capture comprehensive ruled information, we extract multi-level local length sequence and global Huffman-code frequency features from the cipher-images which are encrypted by stream cipher during JPEG compression process. Second, we design the Vision Transformer-based retrieval model to couple with the multi-level features, and propose two adaptive data augmentation methods to improve representation power of the retrieval model. Our proposal can be easily adapted to unsupervised and supervised settings via self-supervised contrastive learning manner. Extensive experiments reveal that EViT achieves both excellent encryption and retrieval performance, outperforming current schemes in terms of retrieval accuracy by large margins while protecting image privacy effectively. Code is publicly available at .

Rei Aso,Sayaka Shiota,Hitoshi Kiya

2024-08-11

Abstract:We propose a novel method for securely training the vision transformer (ViT) with sensitive data shared from multiple clients similar to privacy-preserving federated learning. In the proposed method, training images are independently encrypted by each client where encryption keys can be prepared by each client, and ViT is trained by using these encrypted images for the first time. The method allows clients not only to dispose of the keys but to also reduce the communication costs between a central server and the clients. In image classification experiments, we verify the effectiveness of the proposed method on the CIFAR-10 dataset in terms of classification accuracy and the use of restricted random permutation matrices.

Cryptography and Security

Rei Aso,Sayaka Shiota,Hitoshi Kiya

2023-08-01

Abstract:Federated learning is a learning method for training models over multiple participants without directly sharing their raw data, and it has been expected to be a privacy protection method for training data. In contrast, attack methods have been studied to restore learning data from model information shared with clients, so enhanced security against attacks has become an urgent problem. Accordingly, in this article, we propose a novel framework of federated learning on the bases of the embedded structure of the vision transformer by using the model information encrypted with a random sequence. In image classification experiments, we verify the effectiveness of the proposed method on the CIFAR-10 dataset in terms of classification accuracy and robustness against attacks.

Cryptography and Security

AprilPyone MaungMaung,Hitoshi Kiya

DOI: https://doi.org/10.48550/arXiv.2204.07707

2022-04-16

Computer Vision and Pattern Recognition

Abstract:In this paper, we propose a privacy-preserving image classification method that uses encrypted images and an isotropic network such as the vision transformer. The proposed method allows us not only to apply images without visual information to deep neural networks (DNNs) for both training and testing but also to maintain a high classification accuracy. In addition, compressible encrypted images, called encryption-then-compression (EtC) images, can be used for both training and testing without any adaptation network. Previously, to classify EtC images, an adaptation network was required before a classification network, so methods with an adaptation network have been only tested on small images. To the best of our knowledge, previous privacy-preserving image classification methods have never considered image compressibility and patch embedding-based isotropic networks. In an experiment, the proposed privacy-preserving image classification was demonstrated to outperform state-of-the-art methods even when EtC images were used in terms of classification accuracy and robustness against various attacks under the use of two isotropic networks: vision transformer and ConvMixer.

Zhangdong Wang,Jiaohua Qin,Xuyu Xiang,Yun Tan

DOI: https://doi.org/10.1155/2023/8931092

IF: 8.993

2023-09-21

International Journal of Intelligent Systems

Abstract:Frequent data breaches in the cloud environment have seriously affected cloud subscribers and providers. Privacy-preserving image retrieval methods can improve the security of cloud image retrieval; however, existing methods have limited accuracy on dynamically updated image databases and mobile lightweight devices. In this study, we propose a privacy-preserving image retrieval method based on disordered local histograms and vision transformer in cloud computing, by designing a multiple encryption method and transformer-based feature model to better mine the local feature value of encrypted images. Specifically, the user performs different value substitution, position substitution, and color substitution on the subblocks of the image to protect the image information. The cloud server extracts the unordered local histogram from the encrypted image and generates retrievable features using transformer. Experiments show that compared with similar CNN schemes, the retrieval accuracy of this method is improved by 8.5%, and the retrieval efficiency is improved by 54.8%.

computer science, artificial intelligence

XiaoKai Cao,WenJin Mo,ChangDong Wang,JianHuang Lai,Qiong Huang

2024-11-25

Abstract:Vision is one of the essential sources through which humans acquire information. In this paper, we establish a novel framework for measuring image information content to evaluate the variation in information content during image transformations. Within this framework, we design a nonlinear function to calculate the neighboring information content of pixels at different distances, and then use this information to measure the overall information content of the image. Hence, we define a function to represent the variation in information content during image transformations. Additionally, we utilize this framework to prove the conclusion that swapping the positions of any two pixels reduces the image's information content. Furthermore, based on the aforementioned framework, we propose a novel image encryption algorithm called Random Vortex Transformation. This algorithm encrypts the image using random functions while preserving the neighboring information of the pixels. The encrypted images are difficult for the human eye to distinguish, yet they allow for direct training of the encrypted images using machine learning methods. Experimental verification demonstrates that training on the encrypted dataset using ResNet and Vision Transformers only results in a decrease in accuracy ranging from 0.3\% to 6.5\% compared to the original data, while ensuring the security of the data. Furthermore, there is a positive correlation between the rate of information loss in the images and the rate of accuracy loss, further supporting the validity of the proposed image information content measurement framework.

Cryptography and Security

Jiahao Lu,Xi Sheryl Zhang,Tianli Zhao,Xiangyu He,Jian Cheng

DOI: https://doi.org/10.48550/arXiv.2112.14087

2021-12-28

Abstract:Federated learning frameworks typically require collaborators to share their local gradient updates of a common model instead of sharing training data to preserve privacy. However, prior works on Gradient Leakage Attacks showed that private training data can be revealed from gradients. So far almost all relevant works base their attacks on fully-connected or convolutional neural networks. Given the recent overwhelmingly rising trend of adapting Transformers to solve multifarious vision tasks, it is highly valuable to investigate the privacy risk of vision transformers. In this paper, we analyse the gradient leakage risk of self-attention based mechanism in both theoretical and practical manners. Particularly, we propose APRIL - Attention PRIvacy Leakage, which poses a strong threat to self-attention inspired models such as ViT. Showing how vision Transformers are at the risk of privacy leakage via gradients, we urge the significance of designing privacy-safer Transformer models and defending schemes.

Computer Vision and Pattern Recognition

Teru Nagamori,Sayaka Shiota,Hitoshi Kiya

2024-02-09

Abstract:We propose a novel method for privacy-preserving deep neural networks (DNNs) with the Vision Transformer (ViT). The method allows us not only to train models and test with visually protected images but to also avoid the performance degradation caused from the use of encrypted images, whereas conventional methods cannot avoid the influence of image encryption. A domain adaptation method is used to efficiently fine-tune ViT with encrypted images. In experiments, the method is demonstrated to outperform conventional methods in an image classification task on the CIFAR-10 and ImageNet datasets in terms of classification accuracy.

Computer Vision and Pattern Recognition,Machine Learning

Tatsuya Chuman,Hitoshi Kiya

DOI: https://doi.org/10.48550/arXiv.2202.00806

2022-02-02

Abstract:The aim of this paper is to evaluate the security of a block-based image encryption for the vision transformer against jigsaw puzzle solver attacks. The vision transformer, a model for image classification based on the transformer architecture, is carried out by dividing an image into a grid of square patches. Some encryption schemes for the vision transformer have been proposed by applying block-based image encryption such as block scrambling and rotating to patches of the image. On the other hand, the security of encryption scheme for the vision transformer has never evaluated. In this paper, jigsaw puzzle solver attacks are utilized to evaluate the security of encrypted images by regarding the divided patches as pieces of a jigsaw puzzle. In experiments, an image is resized and divided into patches to apply block scrambling-based image encryption, and then the security of encrypted images for the vision transformer against jigsaw puzzle solver attacks is evaluated.

Cryptography and Security

Seungeun Oh,Sihun Baek,Jihong Park,Hyelin Nam,Praneeth Vepakomma,Ramesh Raskar,Mehdi Bennis,Seong-Lyun Kim

2024-08-02

Abstract:In computer vision, the vision transformer (ViT) has increasingly superseded the convolutional neural network (CNN) for improved accuracy and robustness. However, ViT's large model sizes and high sample complexity make it difficult to train on resource-constrained edge devices. Split learning (SL) emerges as a viable solution, leveraging server-side resources to train ViTs while utilizing private data from distributed devices. However, SL requires additional information exchange for weight updates between the device and the server, which can be exposed to various attacks on private training data. To mitigate the risk of data breaches in classification tasks, inspired from the CutMix regularization, we propose a novel privacy-preserving SL framework that injects Gaussian noise into smashed data and mixes randomly chosen patches of smashed data across clients, coined DP-CutMixSL. Our analysis demonstrates that DP-CutMixSL is a differentially private (DP) mechanism that strengthens privacy protection against membership inference attacks during forward propagation. Through simulations, we show that DP-CutMixSL improves privacy protection against membership inference attacks, reconstruction attacks, and label inference attacks, while also improving accuracy compared to DP-SL and DP-MixSL.

Distributed, Parallel, and Cluster Computing,Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Prajwal Panzade,Daniel Takabi,Zhipeng Cai

2024-02-14

Abstract:In today's machine learning landscape, fine-tuning pretrained transformer models has emerged as an essential technique, particularly in scenarios where access to task-aligned training data is limited. However, challenges surface when data sharing encounters obstacles due to stringent privacy regulations or user apprehension regarding personal information disclosure. Earlier works based on secure multiparty computation (SMC) and fully homomorphic encryption (FHE) for privacy-preserving machine learning (PPML) focused more on privacy-preserving inference than privacy-preserving training. In response, we introduce BlindTuner, a privacy-preserving fine-tuning system that enables transformer training exclusively on homomorphically encrypted data for image classification. Our extensive experimentation validates BlindTuner's effectiveness by demonstrating comparable accuracy to non-encrypted models. Notably, our findings highlight a substantial speed enhancement of 1.5x to 600x over previous work in this domain.

Machine Learning,Artificial Intelligence,Cryptography and Security

Xiaoyu Kou,Fengwei Wang,Hui Zhu,Yandong Zheng,Xiaopeng Yang,Zhe Liu

DOI: https://doi.org/10.1007/s12083-024-01718-7

IF: 3.488

2024-05-23

Peer-to-Peer Networking and Applications

Abstract:With the widespread use of the internet and advancements in computing and data storage technologies, large amounts of data can be collected and analyzed to explore hidden knowledge and patterns in various areas. Among different data types, images have become an increasingly important information carrier, especially in computer vision research. However, the image data often contains valuable sensitive information of users, such as personal identifiers and biometric information. During the transmission process, once adversaries obtain the image data, it may lead to severe consequences. To solve the image data leakage problem, a lot of image privacy-preserving schemes are proposed. Nevertheless, in most existing schemes, the utility of an image will also be broken while ensuring data privacy. Meanwhile, how to balance privacy and utility is always a nerve-wracking challenge in image privacy protection. In this paper, we focus on designing a privacy-preserving scheme that protects the visual content of an image while retaining its availability for convolutional neural networks (CNN) training and prediction. Specifically, we first use the edge detection technique to discover original image features. Then, we carefully design a noise generation method in which the generated noises can guarantee distance-based indistinguishability while minimally affecting image features. Therefore, with the proposed scheme, the visual content of an image can be protected, and it can still be used for CNN training and prediction. Moreover, we empirically evaluate our proposed scheme with various evaluation criteria. The results demonstrate that the visual content of an image is indeed protected while the accuracy of the trained CNN model is available.

computer science, information systems,telecommunications

Hengyuan Xu,Liyao Xiang,Hangyu Ye,Dixi Yao,Pengzhi Chu

2023-01-01

Abstract:Conventional split learning faces the challenge of preserving training data and model privacy as a part of the training is beyond the data owner's control. We tackle this problem by introducing blind training, i.e., training without being aware of the data or the model, realized by shuffled Transformers. This is attributed to our intriguing findings that the inputs and the model weights of the Transformer encoder blocks, the backbone of Transformer, can be shuffled without degrading the model performance. We not only have proven the shuffling invariance property in theory, but also designs a privacy-preserving split learning framework following the property, with little modification to the original Transformer architecture. We carry out verification of the properties through experiments, and also show our proposed framework successfully defends privacy attacks to split learning with superiority.

Wu Hao-Tian,Jia Ruoyan,Dugelay Jean-Luc,He Junhui

DOI: https://doi.org/10.1007/s11042-020-09985-1

IF: 2.577

2020-01-01

Multimedia Tools and Applications

Abstract:In this paper, a novel image transformation scheme is proposed to protect the visual information. By mimicking an arbitrarily chosen reference image, a secret image is visually changed and can be exactly recovered from the transformed image when needed. Unlike the block-wise visual encryption methods, the proposed transformation scheme modifies the secret image by bit plane replacement and reordering so that no block effect is introduced. In particular, one or more bit planes are hidden into the other bit planes so that the most significant one(s) can be vacated. Besides replacing the vacated bit plane(s) and reordering the others according to the reference image, histogram modification may be performed to conceal the secret content if needed. To exactly recover the secret image, the required information is recorded and reversibly hidden into the transformed image by adopting a reversible data hiding algorithm. The experimental results on three image sets show that their content can be semantically changed to prevent leakage of visual information. Moreover, the applicability and efficiency of the proposed scheme have been validated by comparing the existing visual encryption schemes.

Qihua Feng,Peiya Li,ZhiXun Lu,Guan Liu,Feiran Huang

2021-01-01

Abstract:Traditional image encryption methods impede the process of extracting features from cipher-images, which makes next step's retrieval become difficult. There are some encrypted image retrieval works that extract features from encrypted images by human initially, then build model to enforce retrieval by these features. In the paper, we propose end-to-end encrypted image retrieval, using deep learning model to extract features from cipher-images and conducting retrieval. We do not need to extract hand-craft features from cipher-images, because our retrieval model can extract features by end-to-end learning. Images are encrypted by block permutation and color value substitution operation for partial blocks. Our retrieval model uses Vision Transformer (ViT) as BackBone, combines triplet loss and cross entropy loss when training. In experiments, we compare different BackBones - ViT and ResNet50, and the results show that the retrieval performance is better when using ViT as BackBone. Our scheme not only achieves end-to-end encrypted image retrieval, but also obtains significant improvement on retrieval performance when compared with current methods.

Dixi Yao,Liyao Xiang,Hengyuan Xu,Hangyu Ye,Yingqi Chen

DOI: https://doi.org/10.1109/icdm54844.2022.00074

2022-01-01

Abstract:We focus on the privacy-preserving problem in split learning in this work. In vanilla split learning, a neural network is split to different devices to be trained, risking leaking the private training data in the process. We novelly propose a patch shuffling scheme on transformers to preserve training data privacy, yet without degrading overall model performance. Formal privacy guarantees are provided and we further introduce the batch shuffling and the spectral shuffling schemes to enhance the guarantee. We show through experiments that our methods successfully defend the black-box, white-box, and adaptive attacks in split learning, with superior performance over baselines, and are efficient to deploy with negligible overhead compared to the vanilla split learning.

Tatsuya Chuman,Hitoshi Kiya

DOI: https://doi.org/10.48550/arXiv.2207.08109

2022-07-17

Cryptography and Security

Abstract:The security of learnable image encryption schemes for image classification using deep neural networks against several attacks has been discussed. On the other hand, block scrambling image encryption using the vision transformer has been proposed, which applies to lossless compression methods such as JPEG standard by dividing an image into permuted blocks. Although robustness of the block scrambling image encryption against jigsaw puzzle solver attacks that utilize a correlation among the blocks has been evaluated under the condition of a large number of encrypted blocks, the security of encrypted images with a small number of blocks has never been evaluated. In this paper, the security of the block scrambling image encryption against ciphertext-only attacks is evaluated by using jigsaw puzzle solver attacks.