Zhang Qiao,Wang Cong,Xin Chunsheng,Wu Hongyi

2019-01-01

Abstract: Machine Learning as a Service (MLaaS) is enabling a wide range of smart applications on end devices. However, such convenience comes with a cost of privacy because users have to upload their private data to the cloud. This research aims to provide effective and efficient MLaaS such that the cloud server learns nothing about user data and the users cannot infer the proprietary model parameters owned by the server. This work makes the following contributions. First, it unveils the fundamental performance bottleneck of existing schemes due to the heavy permutations in computing linear transformation and the use of communication intensive Garbled Circuits for nonlinear transformation. Second, it introduces an ultra-fast secure MLaaS framework, CHEETAH, which features a carefully crafted secret sharing scheme that runs significantly faster than existing schemes without accuracy loss. Third, CHEETAH is evaluated on the benchmark of well-known, practical deep networks such as AlexNet and VGG-16 on the MNIST and ImageNet datasets. The results demonstrate more than 100x speedup over the fastest GAZELLE (Usenix Security'18), 2000x speedup over MiniONN (ACM CCS'17) and five orders of magnitude speedup over CryptoNets (ICML'16). This significant speedup enables a wide range of practical applications based on privacy-preserved deep neural networks.

Wei Xu,Hui Zhu,Yandong Zheng,Fengwei Wang,Jiafeng Hua,Dengguo Feng,Hui Li

DOI: https://doi.org/10.1109/tifs.2024.3435493

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the rapid advancements in machine learning and the widespread adoption of Model-as-a-Service (MaaS) platforms, there has been significant attention on convolutional neural network (CNN) inference services. However, traditional inference services over plaintext data and models are susceptible to the risks of data and model leakage. Although several privacy-preserving CNN inference schemes utilizing trusted execution environment (TEE) and cryptography have been proposed, their security models and performance still have limitations in some scenarios. Aiming at the above challenges, we present an oblivious neural network prediction scheme with semi-honest TEE, namely ToNN, which ensures the security of users' inputs, outputs, and the model itself. Specifically, based on the limited memory of the TEE, we design secure protocols to perform CNN calculations securely and efficiently, which are friendly to support the single instruction multiple data technique. Additionally, we propose a look-up-table method to optimize the convolution and pooling layers calculations. A detailed security analysis under the simulation-based real/ideal worlds model shows that ToNN can achieve the desired security. Extensive simulation results further demonstrate that ToNN can improve the performance of linear calculations by 4.86x and non-linear calculation by 37.68x , and can be implemented effectively with low computation and communication costs.

Chuan Zhang,Chenfei Hu,Tong Wu,Liehuang Zhu,Ximeng Liu

DOI: https://doi.org/10.1109/TDSC.2022.3208706

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The neural network has been widely used to train predictive models for applications such as image processing, disease prediction, and face recognition. To produce more accurate models, powerful third parties (e.g., clouds) are usually employed to collect data from a large number of users, which however may raise concerns about user privacy. In this paper, we propose an Efficient and Privacy-preserving Neural Network scheme, named EPNN, to deal with the privacy issues in cloud-based neural networks. EPNN is designed based on a two-cloud model and techniques of data perturbation and additively homomorphic cryptosystem. This scheme enables two clouds to cooperatively perform neural network training and prediction in a privacy-preserving manner and significantly reduces the computation and communication overhead among participating entities. Through a detailed analysis, we demonstrate the security of EPNN. Extensive experiments based on real-world datasets show EPNN is more efficient than existing schemes in terms of computational costs and communication overhead.

Yuntao Wei,Xueyan Wang,Song Bian,Weisheng Zhao,Yier Jin

DOI: https://doi.org/10.1109/iccad57390.2023.10323851

2023-01-01

Abstract:Privacy-preserving machine learning (PPML) schemes aim at protecting client-side data privacy in two-party secure computing tasks such as private deep neural network (DNN) inference. While fully homomorphic encryption (FHE) can provide provable security for client data privacy, efficiently verifying that such homomorphic DNN inference protocol is honestly executed on the server presents to be challenging. In this work, we propose THE-V, a novel DNN inference framework that combines FHE and Trusted Execution Environment (TEE) to achieve data privacy, verifiable execution and efficient computation all at once. We first point out that, while the trivial solution of executing FHE entirely within TEE can ensure both private and verifiable computing, the limited resource within TEE becomes a severe computational bottleneck. To solve such dilemma, we devise a new strategy of securely outsourcing computation-heavy tasks in TEE to untrusted environments. By rigorous experiments, we show that we can achieve verifiable and private DNN inference with up to $15\times$ speedup compared with the state-of-the-art solution.

Pengtao Xie,Misha Bilenko,Tom Finley,Ran Gilad-Bachrach,Kristin Lauter,Michael Naehrig

DOI: https://doi.org/10.48550/arXiv.1412.6181

2014-12-24

Abstract:The problem we address is the following: how can a user employ a predictive model that is held by a third party, without compromising private information. For example, a hospital may wish to use a cloud service to predict the readmission risk of a patient. However, due to regulations, the patient's medical files cannot be revealed. The goal is to make an inference using the model, without jeopardizing the accuracy of the prediction or the privacy of the data. To achieve high accuracy, we use neural networks, which have been shown to outperform other learning models for many tasks. To achieve the privacy requirements, we use homomorphic encryption in the following protocol: the data owner encrypts the data and sends the ciphertexts to the third party to obtain a prediction from a trained model. The model operates on these ciphertexts and sends back the encrypted prediction. In this protocol, not only the data remains private, even the values predicted are available only to the data owner. Using homomorphic encryption and modifications to the activation functions and training algorithms of neural networks, we show that it is protocol is possible and may be feasible. This method paves the way to build a secure cloud-based neural network prediction services without invading users' privacy.

Machine Learning,Cryptography and Security,Neural and Evolutionary Computing

Wei Pan,Zepei Sun,Huanyu Sang,Zihao Wang

DOI: https://doi.org/10.24846/v32i1y202304

2023-01-01

Studies in Informatics and Control

Abstract:Machine learning services are widely used for big data, cloud computing, and distributed artificial intelligence applications. Multiple parties participating in the provision of these services may access the users' sensitive data because most machine learning models use and share plaintext directly. Therefore, it is necessary to utilize cryptographic mechanisms for protecting user privacy. Homomorphic encryption provides an important information security guarantee for machine learning models. However, the complexity of fully homomorphic encryption increases with the depth of neural networks. Especially with the increase in the number of ciphertext multiplications, the time and space costs will also raise exponentially. Using homomorphic encryption in order to protect the model and data security while ensuring the computational efficiency of the employed model over encrypted data is a challenging problem. This paper proposes a BFV-based cryptographic low-latency convolutional neural network (CLOL-CNN) for solving this problem. This new network model performs deep learning and prediction over encrypted data instead of sharing plaintext data. A series of optimization operations are elaborately presented and implemented, such as cryptographic batch normalization, polynomial approximation, cryptographic convolution, and full cryptographic connection. The performance of the proposed model is evaluated with regard to its accuracy and computational overhead obtained by employing deep learning for homomorphically encrypted data. The experiments were conducted on a MNIST image dataset. The obtained results demonstrated that the proposed model has a higher accuracy and a lower time cost than other models and that it is an effective privacy-preserving deep neural network.

Qifan Wang,Lei Zhou,Jianli Bai,Yun Sing Koh,Shujie Cui,Giovanni Russello

DOI: https://doi.org/10.1016/j.cose.2023.103509

IF: 5.105

2023-09-28

Computers & Security

Abstract:Outsourcing Machine Learning (ML) tasks to cloud servers is a cost-effective solution when dealing with distributed data. However, outsourcing these tasks to cloud servers could lead to data breaches. Secure computing methods, such as Homomorphic Encryption (HE) and Trusted Execution Environments (TEE), have been used to protect outsourced data. Nevertheless, HE remains inefficient in processing complicated functions (e.g., non-linear functions) and TEE (e.g., Intel SGX) is not ideal for directly processing ML tasks due to side-channel attacks and parallel-unfriendly computation. In this paper, we propose a hybrid framework integrating SGX and HE, called HT2ML , to protect user's data and models. In HT2ML , HE-friendly functions are protected with HE and performed outside the enclave, while the remaining operations are performed inside the enclave obliviously. HT2ML leverages optimised HE matrix multiplications to accelerate HE computations outside the enclave while using oblivious blocks inside the enclave to prevent access-pattern-based attacks. We evaluate HT2ML using Linear Regression (LR) training and Convolutional Neural Network (CNN) inference as two instantiations. The performance results show that HT2ML is up to ∼11× faster than HE only baseline with 6-dimensional data in LR training. For CNN inference, HT2ML is ∼196× faster than the most recent approach (Xiao et al., ICDCS'21).

computer science, information systems

Xu Ma,Xiaofeng Chen,Xiaoyu Zhang

DOI: https://doi.org/10.1016/j.ins.2018.12.015

IF: 8.1

2019-01-01

Information Sciences

Abstract:Neural network is a particular machine learning framework which has gained widespread popularity due to its superior performance in many applications, such as complex board games, face recognition and disease diagnosis. A new service paradigm which offers online neural-network-based prediction to clients is increasingly popular. Although the prediction service has clear benefits, serious privacy issues have also emerged from the clients’ sensitive data and the neural network model itself. In this paper, we present a new outsourcing model for privacy-preserving neural network prediction under two non-colluding servers framework. In this model, the original neural network owner can securely outsource an existing neural network model to the two servers who will thereafter provide prediction service to the public users utilize encrypted input data. We propose the first fully non-interactive privacy-preserving neural network prediction scheme. Extensive security and efficiency analysis demonstrate that the proposed scheme satisfies the security requirement of model privacy and data privacy, and highly efficient with respect to computation and communication overhead.

Jialu Chen,Jun Zhou,Zhenfu Cao,Athanasios Vasilakos,Xiaolei Dong,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/jiot.2019.2942165

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:Machine learning, particularly the neural network (NN), is extensively exploited in dizzying applications. In order to reduce the burden of computing for resource-constrained clients, a large number of historical private datasets are required to be outsourced to the semi-trusted or malicious cloud for model training and evaluation. To achieve privacy preservation, most of the existing work either exploited the technique of public key fully homomorphic encryption (FHE) resulting in considerable computational cost and ciphertext expansion, or secure multiparty computation (SMC) requiring multiple rounds of interactions between user and cloud. To address these issues, in this article, a lightweight privacy-preserving model training and evaluation scheme LPTE for discretized NNs (DiNNs) is proposed. First, we put forward an efficient single key fully homomorphic data encapsulation mechanism (SFH-DEM) without exploiting public key FHE. Based on SFH-DEM, a series of atomic calculations over the encrypted domain, including multivariate polynomial, nonlinear activation function, gradient function, and maximum operations are devised as building blocks. Furthermore, a lightweight privacy-preserving model training and evaluation scheme LPTE for DiNNs is proposed, which can also be extended to convolutional NN. Finally, we give the formal security proofs for dataset privacy, model training privacy, and model evaluation privacy under the semi-honest environment and implement the experiment on real dataset MNIST for recognizing handwritten numbers in DiNN to demonstrate the high efficiency and accuracy of our proposed LPTE.

ZHAO Min,TIAN Youliang,XIONG Jinbo,BI Renwan,XIE Hongtao

DOI: https://doi.org/10.11896/jsjkx.220300239

2023-01-01

Computer Science

Abstract:Aiming at the problem of data privacy leakage in cloud environment and insufficient accuracy in the privacy-preserving neural network based on homomorphic encryption, a privacy-preserving neural network training scheme（PPNT） is proposed for collaborative dual cloud servers, to achieve the goal of data transmission, computing security and model parameter under the collaborative training process of dual cloud servers.Firstly, in order to avoid using polynomial approximation method to realize nonlinear functions such as exponent and comparison, and improve the calculation accuracy of nonlinear function, a series of secure computing protocols are designed based on Paillier partially homomorphic encryption technology and additive secret sharing scheme.Furthermore, corresponding secure computing protocols of full connection layer, activation layer, softmax layer and back propagation in neural network are constructed to realize PPNT based on the designed secure computing protocols.Finally, theoretical and security analysis guarantees the correctness and security of PPNT.The actual performance results show that compared with the dual server scheme--privacy protection machine learning as a service（PPMLaaS）,the model accuracy of PPNT improves by 1.7%,and supports the client offline in the process of secure computing.

Yichuan Liu,Chungen Xu,Lei Xu,Lin Mei,Xing Zhang,Cong Zuo

DOI: https://doi.org/10.32604/jihpp.2021.026944

2021-01-01

Journal of Information Hiding and Privacy Protection

Abstract:The widespread acceptance of machine learning, particularly of neural networks leads to great success in many areas, such as recommender systems, medical predictions, and recognition. It is becoming possible for any individual with a personal electronic device and Internet access to complete complex machine learning tasks using cloud servers. However, it must be taken into consideration that the data from clients may be exposed to cloud servers. Recent work to preserve data confidentiality has allowed for the outsourcing of services using homomorphic encryption schemes. But these architectures are based on honest but curious cloud servers, which are unable to tell whether cloud servers have completed the computation delegated to the cloud server. This paper proposes a verifiable neural network framework which focuses on solving the problem of data confidentiality and training integrity in machine learning. Specifically, we first leverage homomorphic encryption and extended diagonal packing method to realize a privacy-preserving neural network model efficiently, it enables the user training over encrypted data, thereby protecting the user’s private data. Then, considering the problem that malicious cloud servers are likely to return a wrong result for saving cost, we also integrate a training validation modular Proof-of-Learning, a strategy for verifying the correctness of computations performed during training. Moreover, we introduce practical byzantine fault tolerance to complete the verification progress without a verifiable center. Finally, we conduct a series of experiments to evaluate the performance of the proposed framework, the results show that our construction supports the verifiable training of PPNN based on HE without introducing much computational cost.

Aftab Akram,Fawad Khan,Shahzaib Tahir,Asif Iqbal,Syed Aziz Shah,Abdullah Baz

DOI: https://doi.org/10.1109/access.2024.3357145

IF: 3.9

2024-02-03

IEEE Access

Abstract:The application of machine learning in healthcare, financial, social media, and other sensitive sectors not only involves high accuracy but privacy as well. Due to the emergence of the Cloud as a computation and one-to-many access paradigm; training and classification/inference tasks have been outsourced to Cloud. However, its usage is limited due to legal and ethical constraints regarding privacy. In this work, we propose a privacy-preserving neural networks-based classification model based on Homomorphic Encryption (HE) where the user can send an encrypted instance to the cloud and receive an encrypted inference from it to preserve the user's query privacy. In contrast to existing works, we demonstrate the realistic limitations of HE for privacy-preserving machine learning by changing its parameters for enhanced security and accuracy. We showcase scenarios where the choice of HE parameters impedes accurate classification and present an optimized setting for achieving reliable classification. We present several results to demonstrate its effectiveness using MNIST dataset with highly improved inference time for a query as compared to the state of the art.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Rongxing Lu,Hui Li

DOI: https://doi.org/10.1109/globecom54140.2023.10437155

2023-01-01

Abstract:The explosive growth of data scales has recently drawn extensive attention to machine learning (ML) prediction services for achieving effective and efficient decision-making. However, the potential risk of model or data leakage, as well as vertically partitioned query data in real-world scenes, bring many challenges to ML prediction. Therefore, this paper proposes an efficient and privacy-preserving logistic regression prediction scheme, through which query institutions with vertically partitioned data can enjoy secure, fast, and high-accuracy prediction services from one cloud service provider. Specifically, we take the efficiency advantage of the trusted execution environments (TEE) technique under a semi-honest model, and design a series of masking and recovery methods based on homomorphic encryption to guarantee privacy inside and outside the enclave. Moreover, the ciphertext packing technique is integrated into our scheme for processing predictions parallelly, which further reduces communication and computational overhead. As a result, our scheme will not introduce additional strong security assumptions to TEE; meanwhile, it achieves a trade-off between security and efficiency. Based on the simulation-based paradigm, we formally prove the selective security of our scheme. Extensive experiments on real-world and synthetic datasets show that our prediction accuracy is comparable with plaintext prediction, and our scheme has at least a 30x running speedup compared to the existing representative schemes.

Qiushi Li,Ju Ren,Yan Zhang,Chengru Song,Yiqiao Liao,Yaoxue Zhang

DOI: https://doi.org/10.1109/DAC56929.2023.10247964

2023-01-01

Abstract:The embedded software may migrate the collected data to the server for DNN computation acceleration, which may compromise privacy. We propose a DNN computation framework that combines TEE and NNA to address the privacy leakage problem. We design an NNA-friendly encryption method that enables NNA to correctly compute the encrypted linear input. Facing the overhead of TEE-NNA interaction, we design a pipeline-based prefetch mechanism that can reduce the TEE interaction overhead. Experimentally, our approach proves to be compatible with a wide range of NPUs and TPUs, and improves the performance by 8-19 times over the TEE scheme.

Minghui Li,Yuejing Yan,Qian Wang,Minxin Du,Zhan Qin,Cong Wang

DOI: https://doi.org/10.1109/mnet.011.2000293

IF: 10.294

2021-01-01

IEEE Network

Abstract:Neural networks have attracted much attention due to their excellent performance in providing insightful predictions. The trained neural network models usually have millions of parameters requiring massive storage resources, which motivates the model owner to deploy their models to cloud servers for relieving the storage burden. The client can also directly enjoy the prediction service provided by the cloud server. Albeit convenient, untrusted cloud servers may violate the privacy of the model owners and the clients, which hinders the wide applications of such a prediction service. This survey reviews various privacy-preserving neural network prediction services, which protect the privacy of the model and the query. Many protocols are in the basic secure two-party computation (S2C) setting, which protects the secret of the querier and the model owner against the counterparty. Secure outsourcing further protects the privacy of the model against the cloud hosting it for the prediction service. We compare the existing approaches in terms of security, accuracy, and efficiency. We then propose an optimized neural network prediction scheme in the outsourcing setting, which simultaneously achieves high accuracy, model privacy, and low overheads, and conduct an experimental evaluation for computation time and communication costs. Finally, we highlight several future research directions and provide new insights into open problems in strengthening security and improving efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Hongxiao Wang,Zoe Lin Jiang,Yanmin Zhao,Siu-Ming Yiu,Peng Yang,Zejiu Tan,Bohan Jin,Shiyuan Xu,Shimin Pan

DOI: https://doi.org/10.48550/arxiv.2211.09353

2022-01-01

Abstract:In recent years, distributed machine learning has garnered significant attention. However, privacy continues to be an unresolved issue within this field. Multi-key homomorphic encryption over torus (MKTFHE) is one of the promising candidates for addressing this concern. Nevertheless, there may be security risks in the decryption of MKTFHE. Moreover, to our best known, the latest works about MKTFHE only support Boolean operation and linear operation which cannot directly compute the non-linear function like Sigmoid. Therefore, it is still hard to perform common machine learning such as logistic regression and neural networks in high performance. In this paper, we first discover a possible attack on the existing distributed decryption protocol for MKTFHE and subsequently introduce secret sharing to propose a securer one. Next, we design a new MKTFHE-friendly activation function via \emph{homogenizer} and \emph{compare quads}. Finally, we utilize them to implement logistic regression and neural network training in MKTFHE. Comparing the efficiency and accuracy between using Taylor polynomials of Sigmoid and our proposed function as an activation function, the experiments show that the efficiency of our function is 10 times higher than using 7-order Taylor polynomials straightly and the accuracy of the training model is similar to using a high-order polynomial as an activation function scheme.

Yingying Yao,Zhendong Zhao,Xiaolin Chang,Jelena Misic,Vojislav B. Misic,Jianhua Wang

DOI: https://doi.org/10.1109/icc42927.2021.9500795

2021-01-01

Abstract:Electronic health (e-health) information system relies on cloud computing technologies to provide massive medical data computing and storage services. Especially, the recently proposed Machine Learning as a Service (MLaaS) on these medical data can not only effectively improve the healthcare service quality, but also support the end users with limited computing resources. However, MLaaS on the massive medical data faces the challenge of privacy. Homomorphic encryption technology has been explored to assure the privacy of medical data owners in MLaaS but with the weaknesses of limited homomorphic operations and low efficiency. To alleviate these weaknesses, this paper proposes a novel privacy-preserving non-collusion dualcloud (NCDC) model-based e-health information system using neural network (NN) computing. The system can not only assure medical data privacy through adopting homomorphic encryption technology but also assure NN model privacy by adding fake neurons to the NN. In addition, the proposed e-health information system also has the following advantages: (i) Simple key generation. (ii) No constraint on the size of medical data to be encrypted. (iii) The less loss of prediction accuracy between encrypted and original medical data. (iv) Supporting more homomorphic operations and having better computing efficiency through experiment verification.

Qiang Zhu,Xixiang Lv

DOI: https://doi.org/10.48550/arXiv.1807.08459

2018-07-23

Cryptography and Security

Abstract:Machine Learning as a Service (MLaaS), such as Microsoft Azure, Amazon AWS, offers an effective DNN model to complete the machine learning task for small businesses and individuals who are restricted to the lacking data and computing power. However, here comes an issue that user privacy is ex-posed to the MLaaS server, since users need to upload their sensitive data to the MLaaS server. In order to preserve their privacy, users can encrypt their data before uploading it. This makes it difficult to run the DNN model because it is not designed for running in ciphertext domain. In this paper, using the Paillier homomorphic cryptosystem we present a new Privacy-Preserving Deep Neural Network model that we called 2P-DNN. This model can fulfill the machine leaning task in ciphertext domain. By using 2P-DNN, MLaaS is able to provide a Privacy-Preserving machine learning ser-vice for users. We build our 2P-DNN model based on LeNet-5, and test it with the encrypted MNIST dataset. The classification accuracy is more than 97%, which is close to the accuracy of LeNet-5 running with the MNIST dataset and higher than that of other existing Privacy-Preserving machine learning models

Yuxuan Cai,Wenxiu Ding,Yuxuan Xiao,Zheng Yan,Ximeng Liu,Zhiguo Wan

DOI: https://doi.org/10.1109/tdsc.2023.3336977

2024-01-01

Abstract:Federated Learning (FL) is widely used in various industries because it effectively addresses the predicament of isolated data island. However, eavesdroppers is capable of inferring user privacy from the gradients or models transmitted in FL. Homomorphic Encryption (HE) can be applied in FL to protect sensitive data owing to its computability over ciphertexts. However, traditional HE as a single-key system cannot prevent dishonest users from intercepting and decrypting the ciphertexts from cooperative users in FL. Guaranteeing privacy and efficiency in this multi-user scenario is still a challenging target. In this paper, we propose a secure and efficient Federated Learning scheme (SecFed) based on multi-key HE to preserve user privacy and delegate some operations to TEE to improve efficiency while ensuring security. Specifically, we design the first TEE-based multi-key HE cryptosystem (EMK-BFV) to support privacy-preserving FL and optimize operation efficiency. Furthermore, we provide an offline protection mechanism to ensure the normal operation of system with disconnected participants. Finally, we give their security proofs and show their efficiency and superiority through comprehensive simulations and comparisons with existing schemes. SecFed offers a 3x performance improvement over TEE-based scheme and a 2x performance improvement over HE-based solution.

Ayoub Benaissa,Bilal Retiat,Bogdan Cebere,Alaa Eddine Belfedhal

DOI: https://doi.org/10.48550/arXiv.2104.03152

2021-04-28

Abstract:Machine learning algorithms have achieved remarkable results and are widely applied in a variety of domains. These algorithms often rely on sensitive and private data such as medical and financial records. Therefore, it is vital to draw further attention regarding privacy threats and corresponding defensive techniques applied to machine learning models. In this paper, we present TenSEAL, an open-source library for Privacy-Preserving Machine Learning using Homomorphic Encryption that can be easily integrated within popular machine learning frameworks. We benchmark our implementation using MNIST and show that an encrypted convolutional neural network can be evaluated in less than a second, using less than half a megabyte of communication.

Cryptography and Security,Machine Learning