Qiao Zhang,Cong Wang,Hongyi Wu,Chunsheng Xin,Tran V. Phuong

DOI: https://doi.org/10.24963/ijcai.2018/547

2018-01-01

Abstract:Privacy is a fundamental challenge for a variety of smart applications that depend on data aggregation and collaborative learning across different entities. In this paper, we propose a novel privacy-preserved architecture where clients can collaboratively train a deep model while preserving the privacy of each client's data. Our main strategy is to carefully partition a deep neural network to two non-colluding parties. One party performs linear computations on encrypted data utilizing a less complex homomorphic cryptosystem, while the other executes non-polynomial computations in plaintext but in a privacy-preserved manner. We analyze security and compare the communication and computation complexity with the existing approaches. Our extensive experiments on different datasets demonstrate not only stable training without accuracy loss, but also 14 to 35 times speedup compared to the state-of-the-art system.

Longfei Zheng,Chaochao Chen,Yingting Liu,Bingzhe Wu,Xibin Wu,Li Wang,Lei Wang,Jun Zhou,Shuang Yang

2020-01-01

Abstract:Deep Neural Network (DNN) has been showing great potential in kinds of real-world applications such as fraud detection and distress prediction. Meanwhile, data isolation has become a serious problem currently, i.e., different parties cannot share data with each other. To solve this issue, most research leverages cryptographic techniques to train secure DNN models for multi-parties without compromising their private data. Although such methods have strong security guarantee, they are difficult to scale to deep networks and large datasets due to its high communication and computation complexities. To solve the scalability of the existing secure Deep Neural Network (DNN) in data isolation scenarios, in this paper, we propose an industrial scale privacy preserving neural network learning paradigm, which is secure against semi-honest adversaries. Our main idea is to split the computation graph of DNN into two parts, i.e., the computations related to private data are performed by each party using cryptographic techniques, and the rest computations are done by a neutral server with high computation ability. We also present a defender mechanism for further privacy protection. We conduct experiments on real-world fraud detection dataset and financial distress prediction dataset, the encouraging results demonstrate the practicalness of our proposal.

Warit Sirichotedumrong,Yuma Kinoshita,Hitoshi Kiya

DOI: https://doi.org/10.48550/arXiv.1912.04746

2019-12-09

Abstract:This paper aims to evaluate the safety of a pixel-based image encryption method, which has been proposed to apply images with no visual information to deep neural networks (DNN), in terms of robustness against ciphertext-only attacks (COA). In addition, we propose a novel DNN-based COA that aims to reconstruct the visual information of encrypted images. The effectiveness of the proposed attack is evaluated under two encryption key conditions: same encryption key, and different encryption keys. The results show that the proposed attack can recover the visual information of the encrypted images if images are encrypted under same encryption key. Otherwise, the pixel-based image encryption method has robustness against COA.

Cryptography and Security

Tatsuya Chuman,Hitoshi Kiya

DOI: https://doi.org/10.1109/icce-tw52618.2021.9602969

2021-09-15

Abstract:In this paper, we propose a novel learnable image encryption method for privacy-preserving deep neural networks (DNNs). The proposed method is carried out on the basis of block scrambling used in combination with data augmentation techniques such as random cropping, horizontal flip and grid mask. The use of block scrambling enhances robustness against various attacks, and in contrast, the combination with data augmentation enables us to maintain a high classification accuracy even when using encrypted images. In an image classification experiment, the proposed method is demonstrated to be effective in privacy-preserving DNNs.

Hao Dong,Chao Wu,Zhen Wei,Yike Guo

DOI: https://doi.org/10.1109/tifs.2017.2763126

2017-01-01

Abstract:Deep learning methods can play a crucial role in anomaly detection, prediction, and supporting decision making for applications like personal health-care, pervasive body sensing, and so on. However, current architecture of deep networks suffers the privacy issue that users need to give out their data to the model (typically hosted in a server or a cluster on Cloud) for training or prediction. This problem is getting more severe for those sensitive health-care or medical data (e.g., fMRI or body sensors measures like EEG signals). In addition to this, there is also a security risk of leaking these data during the data transmission from user to the model (especially when it is through the Internet). Targeting at these issues, in this paper, we proposed a new architecture for deep network in which users do not reveal their original data to the model. In our method, feed-forward propagation and data encryption are combined into one process: we migrate the first layer of deep network to users’ local devices and apply the activation functions locally, and then use the “dropping activation output” method to make the output non-invertible. The resulting approach is able to make model prediction without accessing users’ sensitive raw data. The experiment conducted in this paper showed that our approach achieves the desirable privacy protection requirement and demonstrated several advantages over the traditional approach with encryption/decryption.

AprilPyone MaungMaung,Hitoshi Kiya

DOI: https://doi.org/10.48550/arXiv.2204.07707

2022-04-16

Computer Vision and Pattern Recognition

Abstract:In this paper, we propose a privacy-preserving image classification method that uses encrypted images and an isotropic network such as the vision transformer. The proposed method allows us not only to apply images without visual information to deep neural networks (DNNs) for both training and testing but also to maintain a high classification accuracy. In addition, compressible encrypted images, called encryption-then-compression (EtC) images, can be used for both training and testing without any adaptation network. Previously, to classify EtC images, an adaptation network was required before a classification network, so methods with an adaptation network have been only tested on small images. To the best of our knowledge, previous privacy-preserving image classification methods have never considered image compressibility and patch embedding-based isotropic networks. In an experiment, the proposed privacy-preserving image classification was demonstrated to outperform state-of-the-art methods even when EtC images were used in terms of classification accuracy and robustness against various attacks under the use of two isotropic networks: vision transformer and ConvMixer.

Qi-Xian Huang,Wai Leong Yap,Min-Yi Chiu,Hung-Min Sun

DOI: https://doi.org/10.1109/ACCESS.2022.3185206

IF: 3.9

2022-01-01

IEEE Access

Abstract:The need for cloud servers for training deep neural network (DNN) models is increasing as more complex architecture designs of DNN models are developed. Nevertheless, cloud servers are considered semi-honest. With great attention to the privacy issues of medical diagnoses using a DNN, previous studies have proposed the idea of learnable image encryption. Though some methods have been presented to partially attack previous encryption schemes, there is still some space for improvement. We proposed a learnable image encryption scheme that is an enhanced version of previous methods and can be used to train a great DNN model and simultaneously keep the privacy of training images. We conducted an experiment on medical datasets from open sources and the result demonstrates the effectiveness of our proposed method in performance and privacy-preserving.

Ijaz Ahmad,Seokjoo Shin

DOI: https://doi.org/10.48550/arXiv.2203.16780

2022-03-31

Abstract:In the recent years, pixel-based perceptual algorithms have been successfully applied for privacy-preserving deep learning (DL) based applications. However, their security has been broken in subsequent works by demonstrating a chosen-plaintext attack. In this paper, we propose an efficient pixel-based perceptual encryption method. The method provides a necessary level of security while preserving the intrinsic properties of the original image. Thereby, can enable deep learning (DL) applications in the encryption domain. The method is substitution based where pixel values are XORed with a sequence (as opposed to a single value used in the existing methods) generated by a chaotic map. We have used logistic maps for their low computational requirements. In addition, to compensate for any inefficiency because of the logistic maps, we use a second key to shuffle the sequence. We have compared the proposed method in terms of encryption efficiency and classification accuracy of the DL models on them. We have validated the proposed method with CIFAR datasets. The analysis shows that when classification is performed on the cipher images, the model preserves accuracy of the existing methods while provides better security.

Cryptography and Security,Artificial Intelligence,Multimedia

Chen Wang,Ye Zhang

DOI: https://doi.org/10.1016/j.sigpro.2022.108536

IF: 4.729

2022-07-01

Signal Processing

Abstract:A novel image encryption algorithm based on deep neural network (DNN) is proposed. First, a new encryption unit with the deep neural network (EDNN) is designed. The EDNN is a multilayer forward neural network, and the weight matrices of the EDNN are composed of some scrambled discrete cosine transform (DCT) coefficients matrices to encrypt directly the original image. Then, the original image can be recovered by a decryption unit with the deep neural network (DDNN). For the DDNN, its network structure is symmetric with the EDNN, and the original image can be recovered with two pursuit algorithms corresponding to two activation functions of the EDNN, respectively. The experimental results show the effectiveness of the EDNN for image encryption, and demonstrate that the proposed method can effectively resist brute force attack, statistical attack, differential attack and cutting attack.

engineering, electrical & electronic

Xiaoyu Kou,Fengwei Wang,Hui Zhu,Yandong Zheng,Xiaopeng Yang,Zhe Liu

DOI: https://doi.org/10.1007/s12083-024-01718-7

IF: 3.488

2024-05-23

Peer-to-Peer Networking and Applications

Abstract:With the widespread use of the internet and advancements in computing and data storage technologies, large amounts of data can be collected and analyzed to explore hidden knowledge and patterns in various areas. Among different data types, images have become an increasingly important information carrier, especially in computer vision research. However, the image data often contains valuable sensitive information of users, such as personal identifiers and biometric information. During the transmission process, once adversaries obtain the image data, it may lead to severe consequences. To solve the image data leakage problem, a lot of image privacy-preserving schemes are proposed. Nevertheless, in most existing schemes, the utility of an image will also be broken while ensuring data privacy. Meanwhile, how to balance privacy and utility is always a nerve-wracking challenge in image privacy protection. In this paper, we focus on designing a privacy-preserving scheme that protects the visual content of an image while retaining its availability for convolutional neural networks (CNN) training and prediction. Specifically, we first use the edge detection technique to discover original image features. Then, we carefully design a noise generation method in which the generated noises can guarantee distance-based indistinguishability while minimally affecting image features. Therefore, with the proposed scheme, the visual content of an image can be protected, and it can still be used for CNN training and prediction. Moreover, we empirically evaluate our proposed scheme with various evaluation criteria. The results demonstrate that the visual content of an image is indeed protected while the accuracy of the trained CNN model is available.

computer science, information systems,telecommunications

Zheng Qi,AprilPyone MaungMaung,Hitoshi Kiya

DOI: https://doi.org/10.48550/arXiv.2301.04875

2023-01-12

Cryptography and Security

Abstract:In recent years, with the development of cloud computing platforms, privacy-preserving methods for deep learning have become an urgent problem. NeuraCrypt is a private random neural network for privacy-preserving that allows data owners to encrypt the medical data before the data uploading, and data owners can train and then test their models in a cloud server with the encrypted data directly. However, we point out that the performance of NeuraCrypt is heavily degraded when using color images. In this paper, we propose a Color-NeuraCrypt to solve this problem. Experiment results show that our proposed Color-NeuraCrypt can achieve a better classification accuracy than the original one and other privacy-preserving methods.

Alex Habeen Chang,Benjamin M. Case

DOI: https://doi.org/10.48550/arXiv.2004.13263

2020-04-29

Abstract:Privacy preserving machine learning is an active area of research usually relying on techniques such as homomorphic encryption or secure multiparty computation. Recent novel encryption techniques for performing machine learning using deep neural nets on images have recently been proposed by Tanaka and Sirichotedumrong, Kinoshita, and Kiya. We present new chosen-plaintext and ciphertext-only attacks against both of these proposed image encryption schemes and demonstrate the attacks' effectiveness on several examples.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Fabian Perez,Jhon Lopez,Henry Arguello

DOI: https://doi.org/10.1109/ICASSP48485.2024.10446218

2024-04-09

Abstract:In the era of cloud computing and data-driven applications, it is crucial to protect sensitive information to maintain data privacy, ensuring truly reliable systems. As a result, preserving privacy in deep learning systems has become a critical concern. Existing methods for privacy preservation rely on image encryption or perceptual transformation approaches. However, they often suffer from reduced task performance and high computational costs. To address these challenges, we propose a novel Privacy-Preserving framework that uses a set of deformable operators for secure task learning. Our method involves shuffling pixels during the analog-to-digital conversion process to generate visually protected data. Those are then fed into a well-known network enhanced with deformable operators. Using our approach, users can achieve equivalent performance to original images without additional training using a secret key. Moreover, our method enables access control against unauthorized users. Experimental results demonstrate the efficacy of our approach, showcasing its potential in cloud-based scenarios and privacy-sensitive applications.

Computer Vision and Pattern Recognition,Cryptography and Security,Image and Video Processing

Meng Li,Liangzhen Lai,Naveen Suda,Vikas Chandra,David Z. Pan

DOI: https://doi.org/10.48550/arxiv.1709.06161

2017-01-01

Abstract:Massive data exist among user local platforms that usually cannot support deep neural network (DNN) training due to computation and storage resource constraints. Cloud-based training schemes provide beneficial services but suffer from potential privacy risks due to excessive user data collection. To enable cloud-based DNN training while protecting the data privacy simultaneously, we propose to leverage the intermediate representations of the data, which is achieved by splitting the DNNs and deploying them separately onto local platforms and the cloud. The local neural network (NN) is used to generate the feature representations. To avoid local training and protect data privacy, the local NN is derived from pre-trained NNs. The cloud NN is then trained based on the extracted intermediate representations for the target learning task. We validate the idea of DNN splitting by characterizing the dependency of privacy loss and classification accuracy on the local NN topology for a convolutional NN (CNN) based image classification task. Based on the characterization, we further propose PrivyNet to determine the local NN topology, which optimizes the accuracy of the target learning task under the constraints on privacy loss, local computation, and storage. The efficiency and effectiveness of PrivyNet are demonstrated with the CIFAR-10 dataset.

Qiang Zhu,Xixiang Lv

DOI: https://doi.org/10.48550/arXiv.1807.08459

2018-07-23

Cryptography and Security

Abstract:Machine Learning as a Service (MLaaS), such as Microsoft Azure, Amazon AWS, offers an effective DNN model to complete the machine learning task for small businesses and individuals who are restricted to the lacking data and computing power. However, here comes an issue that user privacy is ex-posed to the MLaaS server, since users need to upload their sensitive data to the MLaaS server. In order to preserve their privacy, users can encrypt their data before uploading it. This makes it difficult to run the DNN model because it is not designed for running in ciphertext domain. In this paper, using the Paillier homomorphic cryptosystem we present a new Privacy-Preserving Deep Neural Network model that we called 2P-DNN. This model can fulfill the machine leaning task in ciphertext domain. By using 2P-DNN, MLaaS is able to provide a Privacy-Preserving machine learning ser-vice for users. We build our 2P-DNN model based on LeNet-5, and test it with the encrypted MNIST dataset. The classification accuracy is more than 97%, which is close to the accuracy of LeNet-5 running with the MNIST dataset and higher than that of other existing Privacy-Preserving machine learning models

Jun Liu,Jiantao Zhou,Jinyu Tian,Weiwei Sun

2023-10-19

Abstract:With the increasing prevalence of cloud computing platforms, ensuring data privacy during the cloud-based image related services such as classification has become crucial. In this study, we propose a novel privacypreserving image classification scheme that enables the direct application of classifiers trained in the plaintext domain to classify encrypted images, without the need of retraining a dedicated classifier. Moreover, encrypted images can be decrypted back into their original form with high fidelity (recoverable) using a secret key. Specifically, our proposed scheme involves utilizing a feature extractor and an encoder to mask the plaintext image through a newly designed Noise-like Adversarial Example (NAE). Such an NAE not only introduces a noise-like visual appearance to the encrypted image but also compels the target classifier to predict the ciphertext as the same label as the original plaintext image. At the decoding phase, we adopt a Symmetric Residual Learning (SRL) framework for restoring the plaintext image with minimal degradation. Extensive experiments demonstrate that 1) the classification accuracy of the classifier trained in the plaintext domain remains the same in both the ciphertext and plaintext domains; 2) the encrypted images can be recovered into their original form with an average PSNR of up to 51+ dB for the SVHN dataset and 48+ dB for the VGGFace2 dataset; 3) our system exhibits satisfactory generalization capability on the encryption, decryption and classification tasks across datasets that are different from the training one; and 4) a high-level of security is achieved against three potential threat models. The code is available at <a class="link-external link-https" href="https://github.com/csjunjun/RIC.git" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Fusheng Hao,Fengxiang He,Yikai Wang,Fuxiang Wu,Jing Zhang,Jun Cheng,Dacheng Tao

2023-06-06

Abstract:Massive human-related data is collected to train neural networks for computer vision tasks. A major conflict is exposed relating to software engineers between better developing AI systems and distancing from the sensitive training data. To reconcile this conflict, this paper proposes an efficient privacy-preserving learning paradigm, where images are first encrypted to become ``human-imperceptible, machine-recognizable'' via one of the two encryption strategies: (1) random shuffling to a set of equally-sized patches and (2) mixing-up sub-patches of the images. Then, minimal adaptations are made to vision transformer to enable it to learn on the encrypted images for vision tasks, including image classification and object detection. Extensive experiments on ImageNet and COCO show that the proposed paradigm achieves comparable accuracy with the competitive methods. Decrypting the encrypted images requires solving an NP-hard jigsaw puzzle or an ill-posed inverse problem, which is empirically shown intractable to be recovered by various attackers, including the powerful vision transformer-based attacker. We thus show that the proposed paradigm can ensure the encrypted images have become human-imperceptible while preserving machine-recognizable information. The code is available at \url{<a class="link-external link-https" href="https://github.com/FushengHao/PrivacyPreservingML" rel="external noopener nofollow">this https URL</a>.}

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning

Jun Zhou,Longfei Zheng,Chaochao Chen,Yan Wang,Xiaolin Zheng,Bingzhe Wu,Cen Chen,Li Wang,Jianwei Yin,Chaochao Chen*

DOI: https://doi.org/10.1145/3501809

IF: 5

2022-02-04

ACM Transactions on Intelligent Systems and Technology

Abstract:Deep Neural Networks (DNNs) have achieved remarkable progress in various real-world applications, especially when abundant training data are provided. However, data isolation has become a serious problem currently. Existing works build privacy preserving DNN models from either algorithmic perspective or cryptographic perspective. The former mainly splits the DNN computation graph between data holders or between data holders and server, which demonstrates good scalability but suffers from accuracy loss and potential privacy risks. In contrast, the latter leverages time-consuming cryptographic techniques, which has strong privacy guarantee but poor scalability. In this paper, we propose SPNN — a S calable and P rivacy-preserving deep N eural N etwork learning framework, from algorithmic-cryptographic co-perspective. From algorithmic perspective, we split the computation graph of DNN models into two parts, i.e., the private data related computations that are performed by data holders and the rest heavy computations that are delegated to a semi-honest server with high computation ability. From cryptographic perspective, we propose using two types of cryptographic techniques, i.e., secret sharing and homomorphic encryption, for the isolated data holders to conduct private data related computations privately and cooperatively. Furthermore, we implement SPNN in a decentralized setting and introduce user-friendly APIs. Experimental results conducted on real-world datasets demonstrate the superiority of our proposed SPNN.

computer science, information systems, artificial intelligence

Jun Zhou,Longfei Zheng,Chaochao Chen,Yan Wang,Xiaolin Zheng,Bingzhe Wu,Cen Chen,Li Wang,Jianwei Yin

DOI: https://doi.org/10.1145/3501809

IF: 5

2022-01-01

ACM Transactions on Intelligent Systems and Technology

Abstract:Deep Neural Networks (DNNs) have achieved remarkable progress in various real-world applications, especially when abundant training data are provided. However, data isolation has become a serious problem currently. Existing works build privacy-preserving DNN models from either algorithmic perspective or cryptographic perspective. The former mainly splits the DNN computation graph between data holders or between data holders and server, which demonstrates good scalability but suffers from accuracy loss and potential privacy risks. In contrast, the latter leverages time-consuming cryptographic techniques, which has strong privacy guarantee but poor scalability. In this article, we propose SPNN-a Scalable and Privacy-preserving deep Neural Network learning framework, from an algorithmic-cryptographic co-perspective. From algorithmic perspective, we split the computation graph of DNN models into two parts, i.e., the private-data-related computations that are performed by data holders and the rest heavy computations that are delegated to a semi-honest server with high computation ability. From cryptographic perspective, we propose using two types of cryptographic techniques, i.e., secret sharing and homomorphic encryption, for the isolated data holders to conduct private-data-related computations privately and cooperatively. Furthermore, we implement SPNN in a decentralized setting and introduce user-friendly APIs. Experimental results conducted on real-world datasets demonstrate the superiority of our proposed SPNN.

Yi Liu,Gang Cen,Bijun Xu,Xiaogang Wang

DOI: https://doi.org/10.1155/2022/6047349

IF: 1.968

2022-10-28

Security and Communication Networks

Abstract:Because of the advent of the information age, digital multimedia data are mainly transmitted through the Internet. Image is one of the most popular digital multimedia data. Therefore, this paper proposes a block-based key embedding method and a color image encryption scheme based on deep learning with this method. By using a neural network model to predict the initial chaotic sequence, the key data generated by prediction are encrypted to the color image in layers and blocks. This paper proposed the color image encryption scheme time complexity O n 2 , which is simple and effective. Simulation results show that the proposed scheme exhibits good statistical properties with information entropy mean close to eight and correlation coefficient close to zero. Good robustness to common image attacks like noise addition and cropping. Excellent encryption performance includes enormous key space and low PSNR.

computer science, information systems,telecommunications