Zhang Qiao,Wang Cong,Xin Chunsheng,Wu Hongyi

2019-01-01

Abstract: Machine Learning as a Service (MLaaS) is enabling a wide range of smart applications on end devices. However, such convenience comes with a cost of privacy because users have to upload their private data to the cloud. This research aims to provide effective and efficient MLaaS such that the cloud server learns nothing about user data and the users cannot infer the proprietary model parameters owned by the server. This work makes the following contributions. First, it unveils the fundamental performance bottleneck of existing schemes due to the heavy permutations in computing linear transformation and the use of communication intensive Garbled Circuits for nonlinear transformation. Second, it introduces an ultra-fast secure MLaaS framework, CHEETAH, which features a carefully crafted secret sharing scheme that runs significantly faster than existing schemes without accuracy loss. Third, CHEETAH is evaluated on the benchmark of well-known, practical deep networks such as AlexNet and VGG-16 on the MNIST and ImageNet datasets. The results demonstrate more than 100x speedup over the fastest GAZELLE (Usenix Security'18), 2000x speedup over MiniONN (ACM CCS'17) and five orders of magnitude speedup over CryptoNets (ICML'16). This significant speedup enables a wide range of practical applications based on privacy-preserved deep neural networks.

Fei Dai,Guozhi Liu,Bi Huang,Xiaolong Xu,Chaochao Chen,Zhangbing Zhou,Xiaokang Zhou

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics55523.2022.00070

2022-01-01

Abstract:Industrial Internet of Things (IIoT) systems can leverage deep learning (DL) models to provide intelligent applications. However, the training process of such DL models tends to leak privacy when the training data contain sensitive operational and management information. Most studies about privacy-preserving DL require a trusted data collector and thus are not suitable in an untrusted environment. In this paper, we propose a distributed privacy-preserving framework for DL with edge-cloud computing, where direct privacy leakage and indirect privacy leakage of training data are both considered. First, a pre-trained convolutional neural network (CNN) is partitioned into two parts for limiting direct privacy leakage of raw data, namely the feature module and the classification module. The feature module consisting of the lower layers of the CNN is deployed on an edge server, which is used to attract the feature of raw data. The feature data is fed to the classification module consisting of the higher layers of the CNN, which is deployed on the cloud server to compute image classification tasks. Second, a perturbation module between the feature module and the classification module is designed for limiting indirect privacy leakage during feature data transmission. The perturbation module uses local differential privacy (LDP) to produce noise in the feature data. Third, to further improve the accuracy, we retrain the classification module with the randomized feature data from edge servers. Experimental results show that the proposed framework achieves high accuracy under low privacy budgets.

Longfei Zheng,Chaochao Chen,Yingting Liu,Bingzhe Wu,Xibin Wu,Li Wang,Lei Wang,Jun Zhou,Shuang Yang

2020-01-01

Abstract:Deep Neural Network (DNN) has been showing great potential in kinds of real-world applications such as fraud detection and distress prediction. Meanwhile, data isolation has become a serious problem currently, i.e., different parties cannot share data with each other. To solve this issue, most research leverages cryptographic techniques to train secure DNN models for multi-parties without compromising their private data. Although such methods have strong security guarantee, they are difficult to scale to deep networks and large datasets due to its high communication and computation complexities. To solve the scalability of the existing secure Deep Neural Network (DNN) in data isolation scenarios, in this paper, we propose an industrial scale privacy preserving neural network learning paradigm, which is secure against semi-honest adversaries. Our main idea is to split the computation graph of DNN into two parts, i.e., the computations related to private data are performed by each party using cryptographic techniques, and the rest computations are done by a neutral server with high computation ability. We also present a defender mechanism for further privacy protection. We conduct experiments on real-world fraud detection dataset and financial distress prediction dataset, the encouraging results demonstrate the practicalness of our proposal.

Ehsan Hesamifard,Hassan Takabi,Mehdi Ghasemi

DOI: https://doi.org/10.48550/arXiv.1711.05189

2017-11-14

Cryptography and Security

Abstract:Machine learning algorithms based on deep neural networks have achieved remarkable results and are being extensively used in different domains. However, the machine learning algorithms requires access to raw data which is often privacy sensitive. To address this issue, we develop new techniques to provide solutions for running deep neural networks over encrypted data. In this paper, we develop new techniques to adopt deep neural networks within the practical limitation of current homomorphic encryption schemes. More specifically, we focus on classification of the well-known convolutional neural networks (CNN). First, we design methods for approximation of the activation functions commonly used in CNNs (i.e. ReLU, Sigmoid, and Tanh) with low degree polynomials which is essential for efficient homomorphic encryption schemes. Then, we train convolutional neural networks with the approximation polynomials instead of original activation functions and analyze the performance of the models. Finally, we implement convolutional neural networks over encrypted data and measure performance of the models. Our experimental results validate the soundness of our approach with several convolutional neural networks with varying number of layers and structures. When applied to the MNIST optical character recognition tasks, our approach achieves 99.52\% accuracy which significantly outperforms the state-of-the-art solutions and is very close to the accuracy of the best non-private version, 99.77\%. Also, it can make close to 164000 predictions per hour. We also applied our approach to CIFAR-10, which is much more complex compared to MNIST, and were able to achieve 91.5\% accuracy with approximation polynomials used as activation functions. These results show that CryptoDL provides efficient, accurate and scalable privacy-preserving predictions.

Payman Mohassel,Yupeng Zhang

DOI: https://doi.org/10.1109/sp.2017.12

2017-05-01

Abstract:Machine learning is widely used in practice to produce predictive models for applications such as image processing, speech and text recognition. These models are more accurate when trained on large amount of data collected from different sources. However, the massive data collection raises privacy concerns. In this paper, we present new and efficient protocols for privacy preserving machine learning for linear regression, logistic regression and neural network training using the stochastic gradient descent method. Our protocols fall in the two-server model where data owners distribute their private data among two non-colluding servers who train various models on the joint data using secure two-party computation (2PC). We develop new techniques to support secure arithmetic operations on shared decimal numbers, and propose MPC-friendly alternatives to nonlinear functions such as sigmoid and softmax that are superior to prior work. We implement our system in C++. Our experiments validate that our protocols are several orders of magnitude faster than the state of the art implementations for privacy preserving linear and logistic regressions, and scale to millions of data samples with thousands of features. We also implement the first privacy preserving system for training neural networks.

Qiang Zhu,Xixiang Lv

DOI: https://doi.org/10.48550/arXiv.1807.08459

2018-07-23

Cryptography and Security

Abstract:Machine Learning as a Service (MLaaS), such as Microsoft Azure, Amazon AWS, offers an effective DNN model to complete the machine learning task for small businesses and individuals who are restricted to the lacking data and computing power. However, here comes an issue that user privacy is ex-posed to the MLaaS server, since users need to upload their sensitive data to the MLaaS server. In order to preserve their privacy, users can encrypt their data before uploading it. This makes it difficult to run the DNN model because it is not designed for running in ciphertext domain. In this paper, using the Paillier homomorphic cryptosystem we present a new Privacy-Preserving Deep Neural Network model that we called 2P-DNN. This model can fulfill the machine leaning task in ciphertext domain. By using 2P-DNN, MLaaS is able to provide a Privacy-Preserving machine learning ser-vice for users. We build our 2P-DNN model based on LeNet-5, and test it with the encrypted MNIST dataset. The classification accuracy is more than 97%, which is close to the accuracy of LeNet-5 running with the MNIST dataset and higher than that of other existing Privacy-Preserving machine learning models

Ganglin Zhang,Yongjian Liao,Shijie Zhou

DOI: https://doi.org/10.1109/dasc-picom-cbdcom-cyberscitech52372.2021.00017

2021-01-01

Abstract:With the gradual maturity of deep learning, it is possible to make deep learning models as a service on the cloud. However, privacy issues are the key problem of making deep learning models as cloud services. According to the service mode of cloud computing, the service mode of deep learning is divided into software-as-a-service-based systems and non-software-as-a -service- based systems. In non -software-as-a-service-based systems, the cloud computing provider can hold the deep learning model, but the deep learning model can be revoked by the model owner. Many solutions have been proposed to protect privacy in a cloud server that makes deep learning models as cloud services. However, there is no study on how to revoke the cloud server's authority to use the deep learning model. To solve the privacy issues and support the revocability of the model in non-software-as-a-service-based systems, we propose a privacy-preserving revocable framework based on fully homomorphic encryption and digital signature. This framework not only protects the privacy of input data, output results, and model parameters but also allows the model owner to revoke the cloud's right to use the model. Then, the framework is proved to conform to our security definition through security analysis. Next, an instance based on the existing fully homomorphic encryption scheme and the digital signature scheme is constructed. At last, experiments are used to prove that the framework is feasible in practice and estimate the computing time cost of the framework.

Jiang Han,Liu Yiran,Song Xiangfu,Wang Hao,Zheng Zhihua,Xu Qiuliang

DOI: https://doi.org/10.11999/jeit190887

2020-01-01

Abstract:The characteristics of the new generation of artificial intelligence technology are shown as follows: with the help of GPU computing, cloud computing and other high-performance distributed computing capabilities, machine learning algorithms represented by deep learning algorithms are used for learning and training on big data to simulate, extend and expand human intelligence. Different data sources and computing physical locations make the current machine learning face serious privacy leakage problem, so the Privacy Protection of Machine (PPM) Learning has become a widely concerned research area. Using cryptography technology to solve the problem of privacy in machine learning is an important technology to protect the privacy of machine learning. Cryptographic tools used in privacy-preserving machine learning are introduced, such as general Secure Multi-Party Computing (SMPC), privacy protection set operation and Homomorphic Encryption (HE), describes the status and developments applying the tools to solving the problems of privacy protection in various stages of machine learning, such as data processing, model training, model testing, and data prediction.

Qiao Zhang,Tao Xiang,Yifei Cai,Zhichao Zhao,Ning Wang,Hongyi Wu

DOI: https://doi.org/10.1109/mnet.127.2200342

IF: 10.294

2023-01-01

IEEE Network

Abstract:Privacy-preserving machine learning as a service (PP-MLaaS) can achieve the secure model computation towards the client's private input through a series of privacy-preserving operations. However, existing PP-MLaaS schemes are suffering from low computational efficiency thwarting their application in real-world scenarios. To mitigate this issue, this article seeks to identify the main algorithmic problems biting computation efficiency and present possible enablers to accelerate the process of secure model computation. The investigation consists of four hierarchical parts. In the first part, existing PP-MLaaS frameworks are reviewed, and the problem statement is discussed in the next part, in which the possible issues that lead to inefficient computation are illustrated from computational logic and computational model, respectively. In the third part, we investigate two potential strategies to improve the calculation efficiency of privacy-preserving neural computing, involving the optimization of cost hierarchy in the calculation process and the crypto-friendly pruning in the neural computation model. Research directions and open topics for efficient PP-MLaaS are discussed in the last part, including rotation-free, neural architecture searching, hardware-aware, and nonlinearity-efficient PPMLaaS.

Eugene Frimpong,Khoa Nguyen,Mindaugas Budzys,Tanveer Khan,Antonis Michalas

2024-01-26

Abstract:Machine Learning (ML) has emerged as one of data science's most transformative and influential domains. However, the widespread adoption of ML introduces privacy-related concerns owing to the increasing number of malicious attacks targeting ML models. To address these concerns, Privacy-Preserving Machine Learning (PPML) methods have been introduced to safeguard the privacy and security of ML models. One such approach is the use of Homomorphic Encryption (HE). However, the significant drawbacks and inefficiencies of traditional HE render it impractical for highly scalable scenarios. Fortunately, a modern cryptographic scheme, Hybrid Homomorphic Encryption (HHE), has recently emerged, combining the strengths of symmetric cryptography and HE to surmount these challenges. Our work seeks to introduce HHE to ML by designing a PPML scheme tailored for end devices. We leverage HHE as the fundamental building block to enable secure learning of classification outcomes over encrypted data, all while preserving the privacy of the input data and ML model. We demonstrate the real-world applicability of our construction by developing and evaluating an HHE-based PPML application for classifying heart disease based on sensitive ECG data. Notably, our evaluations revealed a slight reduction in accuracy compared to inference on plaintext data. Additionally, both the analyst and end devices experience minimal communication and computation costs, underscoring the practical viability of our approach. The successful integration of HHE into PPML provides a glimpse into a more secure and privacy-conscious future for machine learning on relatively constrained end devices.

Machine Learning,Cryptography and Security

Jaewoo Park,Chenghao Quan,Hyungon Moon,Jongeun Lee

DOI: https://doi.org/10.48550/arXiv.2310.06840

2023-08-17

Abstract:Machine learning models are often provisioned as a cloud-based service where the clients send their data to the service provider to obtain the result. This setting is commonplace due to the high value of the models, but it requires the clients to forfeit the privacy that the query data may contain. Homomorphic encryption (HE) is a promising technique to address this adversity. With HE, the service provider can take encrypted data as a query and run the model without decrypting it. The result remains encrypted, and only the client can decrypt it. All these benefits come at the cost of computational cost because HE turns simple floating-point arithmetic into the computation between long (degree over 1024) polynomials. Previous work has proposed to tailor deep neural networks for efficient computation over encrypted data, but already high computational cost is again amplified by HE, hindering performance improvement. In this paper we show hyperdimensional computing can be a rescue for privacy-preserving machine learning over encrypted data. We find that the advantage of hyperdimensional computing in performance is amplified when working with HE. This observation led us to design HE-HDC, a machine-learning inference system that uses hyperdimensional computing with HE. We carefully structure the machine learning service so that the server will perform only the HE-friendly computation. Moreover, we adapt the computation and HE parameters to expedite computation while preserving accuracy and security. Our experimental result based on real measurements shows that HE-HDC outperforms existing systems by 26~3000 times with comparable classification accuracy.

Cryptography and Security,Machine Learning

Robert Podschwadt,Daniel Takabi,Peizhao Hu,Mohammad H. Rafiei,Zhipeng Cai

DOI: https://doi.org/10.1109/access.2022.3219049

IF: 3.9

2022-11-18

IEEE Access

Abstract:Outsourced computation for neural networks allows users access to state-of-the-art models without investing in specialized hardware and know-how. The problem is that the users lose control over potentially privacy-sensitive data. With homomorphic encryption (HE), a third party can perform computation on encrypted data without revealing its content. In this paper, we reviewed scientific articles and publications in the particular area of Deep Learning Architectures for Privacy-Preserving Machine Learning (PPML) with Fully HE. We analyzed the changes to neural network models and architectures to make them compatible with HE and how these changes impact performance. Next, we find numerous challenges to HE-based privacy-preserving deep learning, such as computational overhead, usability, and limitations posed by the encryption schemes. Furthermore, we discuss potential solutions to the HE PPML challenges. Finally, we propose evaluation metrics that allow for a better and more meaningful comparison of PPML solutions.

computer science, information systems,telecommunications,engineering, electrical & electronic

Harry Chandra Tanuwidjaja,Rakyong Choi,Seunggeun Baek,Kwangjo Kim

DOI: https://doi.org/10.1109/access.2020.3023084

IF: 3.9

2020-01-01

IEEE Access

Abstract:The exponential growth of big data and deep learning has increased the data exchange traffic in society. Machine Learning as a Service, (MLaaS) which leverages deep learning techniques for predictive analytics to enhance decision-making, has become a hot commodity. However, the adoption of MLaaS introduces data privacy challenges for data owners and security challenges for deep learning model owners. Data owners are concerned about the safety and privacy of their data on MLaaS platforms, while MLaaS platform owners worry that their models could be stolen by adversaries who pose as clients. Consequently, Privacy-Preserving Deep Learning (PPDL) arises as a possible solution to this problem. Recently, several papers about PPDL for MLaaS have been published. However, to the best of our knowledge, no previous paper has summarized the existing literature on PPDL and its specific applicability to the MLaaS environment. In this paper, we present a comprehensive survey of privacy-preserving techniques, starting from classical privacy-preserving techniques to well-known deep learning techniques. Additionally, we present a detailed description of PPDL and address the issue of using PPDL for MLaaS. Furthermore, we undertake detailed comparisons between state-of-the-art PPDL methods. Subsequently, we classify an adversarial model on PPDL by highlighting possible PPDL attacks and their potential solutions. Ultimately, our paper serves as a single point of reference for detailed knowledge on PPDL and its applicability to MLaaS environments for both new and experienced researchers.

Daniel Takabi,Robert Podschwadt,Jeff Druce,Curt Wu,Kevin Procopio

DOI: https://doi.org/10.48550/arXiv.1911.11377

2019-11-26

Cryptography and Security

Abstract:Machine Learning as a Service (MLaaS) has become a growing trend in recent years and several such services are currently offered. MLaaS is essentially a set of services that provides machine learning tools and capabilities as part of cloud computing services. In these settings, the cloud has pre-trained models that are deployed and large computing capacity whereas the clients can use these models to make predictions without having to worry about maintaining the models and the service. However, the main concern with MLaaS is the privacy of the client's data. Although there have been several proposed approaches in the literature to run machine learning models on encrypted data, the performance is still far from being satisfactory for practical use. In this paper, we aim to accelerate the performance of running machine learning on encrypted data using combination of Fully Homomorphic Encryption (FHE), Convolutional Neural Networks (CNNs) and Graphics Processing Units (GPUs). We use a number of optimization techniques, and efficient GPU-based implementation to achieve high performance. We evaluate a CNN whose architecture is similar to AlexNet to classify homomorphically encrypted samples from the Cars Overhead With Context (COWC) dataset. To the best of our knowledge, it is the first time such a complex network and large dataset is evaluated on encrypted data. Our approach achieved reasonable classification accuracy of 95% for the COWC dataset. In terms of performance, our results show that we could achieve several thousands times speed up when we implement GPU-accelerated FHE operations on encrypted floating point numbers.

Aftab Akram,Fawad Khan,Shahzaib Tahir,Asif Iqbal,Syed Aziz Shah,Abdullah Baz

DOI: https://doi.org/10.1109/access.2024.3357145

IF: 3.9

2024-02-03

IEEE Access

Abstract:The application of machine learning in healthcare, financial, social media, and other sensitive sectors not only involves high accuracy but privacy as well. Due to the emergence of the Cloud as a computation and one-to-many access paradigm; training and classification/inference tasks have been outsourced to Cloud. However, its usage is limited due to legal and ethical constraints regarding privacy. In this work, we propose a privacy-preserving neural networks-based classification model based on Homomorphic Encryption (HE) where the user can send an encrypted instance to the cloud and receive an encrypted inference from it to preserve the user's query privacy. In contrast to existing works, we demonstrate the realistic limitations of HE for privacy-preserving machine learning by changing its parameters for enhanced security and accuracy. We showcase scenarios where the choice of HE parameters impedes accurate classification and present an optimized setting for achieving reliable classification. We present several results to demonstrate its effectiveness using MNIST dataset with highly improved inference time for a query as compared to the state of the art.

computer science, information systems,telecommunications,engineering, electrical & electronic

Khoa Nguyen,Mindaugas Budzys,Eugene Frimpong,Tanveer Khan,Antonis Michalas

2024-09-10

Abstract:Machine Learning (ML) has become one of the most impactful fields of data science in recent years. However, a significant concern with ML is its privacy risks due to rising attacks against ML models. Privacy-Preserving Machine Learning (PPML) methods have been proposed to mitigate the privacy and security risks of ML models. A popular approach to achieving PPML uses Homomorphic Encryption (HE). However, the highly publicized inefficiencies of HE make it unsuitable for highly scalable scenarios with resource-constrained devices. Hence, Hybrid Homomorphic Encryption (HHE) -- a modern encryption scheme that combines symmetric cryptography with HE -- has recently been introduced to overcome these challenges. HHE potentially provides a foundation to build new efficient and privacy-preserving services that transfer expensive HE operations to the cloud. This work introduces HHE to the ML field by proposing resource-friendly PPML protocols for edge devices. More precisely, we utilize HHE as the primary building block of our PPML protocols. We assess the performance of our protocols by first extensively evaluating each party's communication and computational cost on a dummy dataset and show the efficiency of our protocols by comparing them with similar protocols implemented using plain BFV. Subsequently, we demonstrate the real-world applicability of our construction by building an actual PPML application that uses HHE as its foundation to classify heart disease based on sensitive ECG data.

Cryptography and Security

Yingying Yao,Zhendong Zhao,Xiaolin Chang,Jelena Misic,Vojislav B. Misic,Jianhua Wang

DOI: https://doi.org/10.1109/icc42927.2021.9500795

2021-01-01

Abstract:Electronic health (e-health) information system relies on cloud computing technologies to provide massive medical data computing and storage services. Especially, the recently proposed Machine Learning as a Service (MLaaS) on these medical data can not only effectively improve the healthcare service quality, but also support the end users with limited computing resources. However, MLaaS on the massive medical data faces the challenge of privacy. Homomorphic encryption technology has been explored to assure the privacy of medical data owners in MLaaS but with the weaknesses of limited homomorphic operations and low efficiency. To alleviate these weaknesses, this paper proposes a novel privacy-preserving non-collusion dualcloud (NCDC) model-based e-health information system using neural network (NN) computing. The system can not only assure medical data privacy through adopting homomorphic encryption technology but also assure NN model privacy by adding fake neurons to the NN. In addition, the proposed e-health information system also has the following advantages: (i) Simple key generation. (ii) No constraint on the size of medical data to be encrypted. (iii) The less loss of prediction accuracy between encrypted and original medical data. (iv) Supporting more homomorphic operations and having better computing efficiency through experiment verification.

Kwok-Yan Lam,Xianhui Lu,Linru Zhang,Xiangning Wang,Huaxiong Wang,Si Qi Goh

DOI: https://doi.org/10.1109/tdsc.2024.3353536

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:AI-as-a-Service has emerged as an important trend for supporting the growth of the digital economy. Digital service providers make use of their vast amount of customer data to train AI models (such as image recognition, financial modelling and pandemic modelling etc) and offer them as a service on the cloud. While there are convincing advantages for using such third-party models, the fact that model users are required to upload their data to the cloud is bound to raise serious privacy concerns, especially in the face of increasingly stringent privacy regulations and legislation. To promote the adoption of AI-as-a-Service while addressing privacy issues, we propose a practical approach for constructing privacy-enhanced neural networks by designing an efficient implementation of fully homomorphic encryption. With this approach, an existing neural network can be converted to process FHE-encrypted data and produce encrypted output which are only accessible by the model users, and more importantly, within an operationally acceptable time (e.g. within 1 second for facial recognition in typical border control systems). Experimental results show that in many practical tasks such as facial recognition, text classification and so on, we obtained the state-of-the-art inference accuracy in less than one second on a 16 cores CPU.

computer science, information systems, software engineering, hardware & architecture

Owusu-Agyemang Kwabena,Zhen Qin,Tianming Zhuang,Zhiguang Qin

DOI: https://doi.org/10.1109/access.2019.2901219

IF: 3.9

2019-01-01

IEEE Access

Abstract:Privacy in the Internet of Things is a fundamental challenge for the Ubiquitous healthcare systems that depend on the data aggregated and collaborative deep learning among different parties. This paper proposes the MSCryptoNet, a novel framework that enables the scalable execution and the conversion of the state-of-the-art learned neural network to the MSCryptoNet models in the privacy-preservation setting. We also design a method for approximation of the activation function basically used in the convolutional neural network (i.e., Sigmoid and Rectified linear unit) with low degree polynomials, which is vital for computations in the homomorphic encryption schemes. Our model seems to target the following scenarios: 1) the practical way to enforce the evaluation of classifier whose inputs are encrypted with possibly different encryption schemes or even different keys while securing all operations including intermediate results and 2) the minimization of the communication and computational cost of the data providers. The MSCryptoNet is based on the multi-scheme fully homomorphic encryption. We also prove that the MSCryptoNet as a privacy-preserving deep learning scheme over the aggregated encrypted data is secured.