Kaiyan Chang,Wei Jiang,Jinyu Zhan,Zicheng Gong,Weijia Pan

DOI: https://doi.org/10.1016/j.sysarc.2020.101912

2020-05-31

Abstract:Integrating idle embedded devices into cloud computing is a promising approach to support distributed machine learning. In this paper, we approach to address the data hiding problem in such distributed machine learning systems. For the purpose of the data encryption in the distributed machine learning systems, we propose the Tripartite Asymmetric Encryption theorem and give mathematical proof. Based on the theorem, we design a general image encryption scheme <a class="link-external link-http" href="http://ArchNet.The" rel="external noopener nofollow">this http URL</a> scheme has been implemented on MNIST, Fashion-MNIST and Cifar-10 datasets to simulate real situation. We use different base models on the encrypted datasets and compare the results with the RC4 algorithm and differential privacy policy. Experiment results evaluated the efficiency of the proposed design. Specifically, our design can improve the accuracy on MNIST up to 97.26% compared with <a class="link-external link-http" href="http://RC4.The" rel="external noopener nofollow">this http URL</a> accuracies on the datasets encrypted by ArchNet are 97.26%, 84.15% and 79.80%, and they are 97.31%, 82.31% and 80.22% on the original datasets, which shows that the encrypted accuracy of ArchNet has the same performance as the base model. It also shows that ArchNet can be deployed on the distributed system with embedded devices.

Machine Learning,Cryptography and Security

Qiao Zhang,Cong Wang,Hongyi Wu,Chunsheng Xin,Tran V. Phuong

DOI: https://doi.org/10.24963/ijcai.2018/547

2018-01-01

Abstract:Privacy is a fundamental challenge for a variety of smart applications that depend on data aggregation and collaborative learning across different entities. In this paper, we propose a novel privacy-preserved architecture where clients can collaboratively train a deep model while preserving the privacy of each client's data. Our main strategy is to carefully partition a deep neural network to two non-colluding parties. One party performs linear computations on encrypted data utilizing a less complex homomorphic cryptosystem, while the other executes non-polynomial computations in plaintext but in a privacy-preserved manner. We analyze security and compare the communication and computation complexity with the existing approaches. Our extensive experiments on different datasets demonstrate not only stable training without accuracy loss, but also 14 to 35 times speedup compared to the state-of-the-art system.

Zhang Qiao,Wang Cong,Xin Chunsheng,Wu Hongyi

2019-01-01

Abstract: Machine Learning as a Service (MLaaS) is enabling a wide range of smart applications on end devices. However, such convenience comes with a cost of privacy because users have to upload their private data to the cloud. This research aims to provide effective and efficient MLaaS such that the cloud server learns nothing about user data and the users cannot infer the proprietary model parameters owned by the server. This work makes the following contributions. First, it unveils the fundamental performance bottleneck of existing schemes due to the heavy permutations in computing linear transformation and the use of communication intensive Garbled Circuits for nonlinear transformation. Second, it introduces an ultra-fast secure MLaaS framework, CHEETAH, which features a carefully crafted secret sharing scheme that runs significantly faster than existing schemes without accuracy loss. Third, CHEETAH is evaluated on the benchmark of well-known, practical deep networks such as AlexNet and VGG-16 on the MNIST and ImageNet datasets. The results demonstrate more than 100x speedup over the fastest GAZELLE (Usenix Security'18), 2000x speedup over MiniONN (ACM CCS'17) and five orders of magnitude speedup over CryptoNets (ICML'16). This significant speedup enables a wide range of practical applications based on privacy-preserved deep neural networks.

Longfei Zheng,Chaochao Chen,Yingting Liu,Bingzhe Wu,Xibin Wu,Li Wang,Lei Wang,Jun Zhou,Shuang Yang

2020-01-01

Abstract:Deep Neural Network (DNN) has been showing great potential in kinds of real-world applications such as fraud detection and distress prediction. Meanwhile, data isolation has become a serious problem currently, i.e., different parties cannot share data with each other. To solve this issue, most research leverages cryptographic techniques to train secure DNN models for multi-parties without compromising their private data. Although such methods have strong security guarantee, they are difficult to scale to deep networks and large datasets due to its high communication and computation complexities. To solve the scalability of the existing secure Deep Neural Network (DNN) in data isolation scenarios, in this paper, we propose an industrial scale privacy preserving neural network learning paradigm, which is secure against semi-honest adversaries. Our main idea is to split the computation graph of DNN into two parts, i.e., the computations related to private data are performed by each party using cryptographic techniques, and the rest computations are done by a neutral server with high computation ability. We also present a defender mechanism for further privacy protection. We conduct experiments on real-world fraud detection dataset and financial distress prediction dataset, the encouraging results demonstrate the practicalness of our proposal.

Qiang Geng,Huifeng Yan,Xingru Lu

DOI: https://doi.org/10.1155/2022/3394475

2022-03-08

Abstract:With the rapid development of communication technology, digital technology has been widely used in all walks of life. Nevertheless, with the wide dissemination of digital information, there are many security problems. Aiming at preventing privacy disclosure and ensuring the safe storage and sharing of image and video data in the cloud platform, the present work proposes an encryption algorithm against neural cryptography based on deep learning. Primarily, the image saliency detection algorithm is used to identify the significant target of the video image. According to the significant target, the important region and nonimportant region are divided adaptively, and the encrypted two regions are reorganized to obtain the final encrypted image. Then, after demonstrating how attackers conduct attacks to the network under the ciphertext attack mode, an improved encryption algorithm based on selective ciphertext attack is proposed to improve the existing encryption algorithm of the neural network. Besides, a secure encryption algorithm is obtained through detailed analysis and comparison of the security ability of the algorithm. The experimental results show that Bob's decryption error rate will decrease over time. The average classification error rate of Eve increases over time, but when Bob and Alice learn a secure encryption network structure, Eve's classification accuracy is not superior to random prediction. Chosen ciphertext attack-advantageous neural cryptography (CCA-ANC) has an encryption time of 14s and an average speed of 69mb/s, which has obvious advantages over other encryption algorithms. The self-learning secure encryption algorithm proposed here significantly improves the security of the password and ensures data security in the video image.

Pengtao Xie,Misha Bilenko,Tom Finley,Ran Gilad-Bachrach,Kristin Lauter,Michael Naehrig

DOI: https://doi.org/10.48550/arXiv.1412.6181

2014-12-24

Abstract:The problem we address is the following: how can a user employ a predictive model that is held by a third party, without compromising private information. For example, a hospital may wish to use a cloud service to predict the readmission risk of a patient. However, due to regulations, the patient's medical files cannot be revealed. The goal is to make an inference using the model, without jeopardizing the accuracy of the prediction or the privacy of the data. To achieve high accuracy, we use neural networks, which have been shown to outperform other learning models for many tasks. To achieve the privacy requirements, we use homomorphic encryption in the following protocol: the data owner encrypts the data and sends the ciphertexts to the third party to obtain a prediction from a trained model. The model operates on these ciphertexts and sends back the encrypted prediction. In this protocol, not only the data remains private, even the values predicted are available only to the data owner. Using homomorphic encryption and modifications to the activation functions and training algorithms of neural networks, we show that it is protocol is possible and may be feasible. This method paves the way to build a secure cloud-based neural network prediction services without invading users' privacy.

Machine Learning,Cryptography and Security,Neural and Evolutionary Computing

Fusheng Hao,Fengxiang He,Yikai Wang,Fuxiang Wu,Jing Zhang,Jun Cheng,Dacheng Tao

2023-06-06

Abstract:Massive human-related data is collected to train neural networks for computer vision tasks. A major conflict is exposed relating to software engineers between better developing AI systems and distancing from the sensitive training data. To reconcile this conflict, this paper proposes an efficient privacy-preserving learning paradigm, where images are first encrypted to become ``human-imperceptible, machine-recognizable'' via one of the two encryption strategies: (1) random shuffling to a set of equally-sized patches and (2) mixing-up sub-patches of the images. Then, minimal adaptations are made to vision transformer to enable it to learn on the encrypted images for vision tasks, including image classification and object detection. Extensive experiments on ImageNet and COCO show that the proposed paradigm achieves comparable accuracy with the competitive methods. Decrypting the encrypted images requires solving an NP-hard jigsaw puzzle or an ill-posed inverse problem, which is empirically shown intractable to be recovered by various attackers, including the powerful vision transformer-based attacker. We thus show that the proposed paradigm can ensure the encrypted images have become human-imperceptible while preserving machine-recognizable information. The code is available at \url{<a class="link-external link-https" href="https://github.com/FushengHao/PrivacyPreservingML" rel="external noopener nofollow">this https URL</a>.}

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning

Adam Yala,Homa Esfahanizadeh,Rafael G. L. D' Oliveira,Ken R. Duffy,Manya Ghobadi,Tommi S. Jaakkola,Vinod Vaikuntanathan,Regina Barzilay,Muriel Medard

DOI: https://doi.org/10.48550/arXiv.2106.02484

2021-06-04

Abstract:Balancing the needs of data privacy and predictive utility is a central challenge for machine learning in healthcare. In particular, privacy concerns have led to a dearth of public datasets, complicated the construction of multi-hospital cohorts and limited the utilization of external machine learning resources. To remedy this, new methods are required to enable data owners, such as hospitals, to share their datasets publicly, while preserving both patient privacy and modeling utility. We propose NeuraCrypt, a private encoding scheme based on random deep neural networks. NeuraCrypt encodes raw patient data using a randomly constructed neural network known only to the data-owner, and publishes both the encoded data and associated labels publicly. From a theoretical perspective, we demonstrate that sampling from a sufficiently rich family of encoding functions offers a well-defined and meaningful notion of privacy against a computationally unbounded adversary with full knowledge of the underlying data-distribution. We propose to approximate this family of encoding functions through random deep neural networks. Empirically, we demonstrate the robustness of our encoding to a suite of adversarial attacks and show that NeuraCrypt achieves competitive accuracy to non-private baselines on a variety of x-ray tasks. Moreover, we demonstrate that multiple hospitals, using independent private encoders, can collaborate to train improved x-ray models. Finally, we release a challenge dataset to encourage the development of new attacks on NeuraCrypt.

Cryptography and Security,Artificial Intelligence

Qiang Zhu,Xixiang Lv

DOI: https://doi.org/10.48550/arXiv.1807.08459

2018-07-23

Cryptography and Security

Abstract:Machine Learning as a Service (MLaaS), such as Microsoft Azure, Amazon AWS, offers an effective DNN model to complete the machine learning task for small businesses and individuals who are restricted to the lacking data and computing power. However, here comes an issue that user privacy is ex-posed to the MLaaS server, since users need to upload their sensitive data to the MLaaS server. In order to preserve their privacy, users can encrypt their data before uploading it. This makes it difficult to run the DNN model because it is not designed for running in ciphertext domain. In this paper, using the Paillier homomorphic cryptosystem we present a new Privacy-Preserving Deep Neural Network model that we called 2P-DNN. This model can fulfill the machine leaning task in ciphertext domain. By using 2P-DNN, MLaaS is able to provide a Privacy-Preserving machine learning ser-vice for users. We build our 2P-DNN model based on LeNet-5, and test it with the encrypted MNIST dataset. The classification accuracy is more than 97%, which is close to the accuracy of LeNet-5 running with the MNIST dataset and higher than that of other existing Privacy-Preserving machine learning models

Jun Zhou,Longfei Zheng,Chaochao Chen,Yan Wang,Xiaolin Zheng,Bingzhe Wu,Cen Chen,Li Wang,Jianwei Yin,Chaochao Chen*

DOI: https://doi.org/10.1145/3501809

IF: 5

2022-02-04

ACM Transactions on Intelligent Systems and Technology

Abstract:Deep Neural Networks (DNNs) have achieved remarkable progress in various real-world applications, especially when abundant training data are provided. However, data isolation has become a serious problem currently. Existing works build privacy preserving DNN models from either algorithmic perspective or cryptographic perspective. The former mainly splits the DNN computation graph between data holders or between data holders and server, which demonstrates good scalability but suffers from accuracy loss and potential privacy risks. In contrast, the latter leverages time-consuming cryptographic techniques, which has strong privacy guarantee but poor scalability. In this paper, we propose SPNN — a S calable and P rivacy-preserving deep N eural N etwork learning framework, from algorithmic-cryptographic co-perspective. From algorithmic perspective, we split the computation graph of DNN models into two parts, i.e., the private data related computations that are performed by data holders and the rest heavy computations that are delegated to a semi-honest server with high computation ability. From cryptographic perspective, we propose using two types of cryptographic techniques, i.e., secret sharing and homomorphic encryption, for the isolated data holders to conduct private data related computations privately and cooperatively. Furthermore, we implement SPNN in a decentralized setting and introduce user-friendly APIs. Experimental results conducted on real-world datasets demonstrate the superiority of our proposed SPNN.

computer science, information systems, artificial intelligence

Yaling Zhang,Yicheng Zou,Chao Wang,Chengcheng Huang,Shiqun Yin

DOI: https://doi.org/10.1007/978-3-031-40286-9_17

2023-01-01

Abstract:In the era of cloud computing, many people pay attention to privacy protection issues while transferring data to the cloud, leading to the emergence of Reversible Data Hiding in Encrypted Images (RDHEI). The main difficulty in RDHEI is how to fully use the redundant room in the image to improve the Embedding Rate (ER). To solve this problem, an efficient RDHEI method based on Multi-Granularity Adaptive Classification (MGAC) mechanism is proposed in this paper. In image encryption, a block-based image encryption algorithm based on Cellular Neural Networks (CNN) hyper-chaotic system is utilized, including confusion and diffusion. The room reservation part uses the MGAC mechanism based on the block’s global correlation and local correlation. Specifically, each block is classified according to the quantitative characteristics of the same bit plane in this block. Afterward, different room reservation strategies are applied to different types of blocks adaptively. The multi-granularity is reflected in each block’s rough reservation and refined reservation operations. The image decryption part realizes the separability of data extraction and image recovery. Extensive experimental results show that the average ER of the proposed method on the datasets BOSSbase, BOWS-2, and UCID is about 0.16bpp higher than that of the baseline method on average. Meanwhile, the image security performance of the proposed method has also been improved.

Yi Ding,Guozheng Wu,Dajiang Chen,Ning Zhang,Linpeng Gong,Mingsheng Cao,Zhiguang Qin

DOI: https://doi.org/10.1109/jiot.2020.3012452

IF: 10.6

2021-02-01

IEEE Internet of Things Journal

Abstract:Internet of Medical Things (IoMT) can connect many medical imaging equipment to the medical information network to facilitate the process of diagnosing and treating doctors. As medical image contains sensitive information, it is of importance yet very challenging to safeguard the privacy or security of the patient. In this work, a deep-learning-based image encryption and decryption network (DeepEDN) is proposed to fulfill the process of encrypting and decrypting the medical image. Specifically, in DeepEDN, the cycle-generative adversarial network (Cycle-GAN) is employed as the main learning network to transfer the medical image from its original domain into the target domain. The target domain is regarded as "hidden factors" to guide the learning model for realizing the encryption. The encrypted image is restored to the original (plaintext) image through a reconstruction network to achieve image decryption. In order to facilitate the data mining directly from the privacy-protected environment, a region of interest (ROI)-mining network is proposed to extract the interesting object from the encrypted image. The proposed DeepEDN is evaluated on the chest X-ray data set. Extensive experimental results and security analysis show that the proposed method can achieve a high level of security with a good performance in efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhendong Wang,Xiaoming Zeng,Xulong Tang,Danfeng Zhang,Xing Hu,Yang Hu

DOI: https://doi.org/10.48550/arXiv.2208.13720

2022-08-30

Abstract:The deep neural network (DNN) models are deemed confidential due to their unique value in expensive training efforts, privacy-sensitive training data, and proprietary network characteristics. Consequently, the model value raises incentive for adversary to steal the model for profits, such as the representative model extraction attack. Emerging attack can leverage timing-sensitive architecture-level events (i.e., Arch-hints) disclosed in hardware platforms to extract DNN model layer information accurately. In this paper, we take the first step to uncover the root cause of such Arch-hints and summarize the principles to identify them. We then apply these principles to emerging Unified Memory (UM) management system and identify three new Arch-hints caused by UM's unique data movement patterns. We then develop a new extraction attack, UMProbe. We also create the first DNN benchmark suite in UM and utilize the benchmark suite to evaluate UMProbe. Our evaluation shows that UMProbe can extract the layer sequence with an accuracy of 95% for almost all victim test models, which thus calls for more attention to the DNN security in UM system.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Ping Ping,Junyuan Huo,Bobiao Guo

DOI: https://doi.org/10.1016/j.eswa.2024.123270

IF: 8.5

2024-01-24

Expert Systems with Applications

Abstract:With the proliferation of cloud computing and the Internet of Things(IoT), ensuring privacy and robust data protection has become increasingly critical. Reversible data hiding in encrypted images (RDHEI) methods emerge as a promising solution to address these challenges. In this paper, we propose an asymmetric CNN-based predictor (ACNNP) that significantly outperforms other predictors in terms of prediction accuracy. Then, an adaptive mean predictor is proposed to cooperate with ACNNP. According to these two predictors, a two-stage prediction and embedding model is designed to further enhance the embedding capacity and make data embedding more flexible. Experimental results demonstrate that the proposed method exhibits a high embedding capacity and reversibility when compared to state-of-the-art methods. On the BOWS-2, BOSSBase, and UCID datasets, it obtains average embedding rates of 3.302, 3.461, and 2.69 bpp, respectively. Therefore, this method provides an effective solution for applications such as data integrity verification, privacy protection, and copyright preservation.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Chen Wang,Ye Zhang

DOI: https://doi.org/10.1016/j.sigpro.2022.108536

IF: 4.729

2022-07-01

Signal Processing

Abstract:A novel image encryption algorithm based on deep neural network (DNN) is proposed. First, a new encryption unit with the deep neural network (EDNN) is designed. The EDNN is a multilayer forward neural network, and the weight matrices of the EDNN are composed of some scrambled discrete cosine transform (DCT) coefficients matrices to encrypt directly the original image. Then, the original image can be recovered by a decryption unit with the deep neural network (DDNN). For the DDNN, its network structure is symmetric with the EDNN, and the original image can be recovered with two pursuit algorithms corresponding to two activation functions of the EDNN, respectively. The experimental results show the effectiveness of the EDNN for image encryption, and demonstrate that the proposed method can effectively resist brute force attack, statistical attack, differential attack and cutting attack.

engineering, electrical & electronic

Jun Zhou,Longfei Zheng,Chaochao Chen,Yan Wang,Xiaolin Zheng,Bingzhe Wu,Cen Chen,Li Wang,Jianwei Yin

DOI: https://doi.org/10.1145/3501809

IF: 5

2022-01-01

ACM Transactions on Intelligent Systems and Technology

Abstract:Deep Neural Networks (DNNs) have achieved remarkable progress in various real-world applications, especially when abundant training data are provided. However, data isolation has become a serious problem currently. Existing works build privacy-preserving DNN models from either algorithmic perspective or cryptographic perspective. The former mainly splits the DNN computation graph between data holders or between data holders and server, which demonstrates good scalability but suffers from accuracy loss and potential privacy risks. In contrast, the latter leverages time-consuming cryptographic techniques, which has strong privacy guarantee but poor scalability. In this article, we propose SPNN-a Scalable and Privacy-preserving deep Neural Network learning framework, from an algorithmic-cryptographic co-perspective. From algorithmic perspective, we split the computation graph of DNN models into two parts, i.e., the private-data-related computations that are performed by data holders and the rest heavy computations that are delegated to a semi-honest server with high computation ability. From cryptographic perspective, we propose using two types of cryptographic techniques, i.e., secret sharing and homomorphic encryption, for the isolated data holders to conduct private-data-related computations privately and cooperatively. Furthermore, we implement SPNN in a decentralized setting and introduce user-friendly APIs. Experimental results conducted on real-world datasets demonstrate the superiority of our proposed SPNN.

Mohamed Gabr,Amr Diab,Huwaida T. Elshoush,Yen-Lin Chen,Lip Yee Por,Chin Soon Ku,Wassim Alexan

DOI: https://doi.org/10.1109/access.2024.3447075

IF: 3.9

2024-08-31

IEEE Access

Abstract:This article proposes a novel double data security algorithm that first encrypts sensitive data using a two-stage encryption method based on numerical solutions from a fractional-order memristive coupled neural network system. Solutions are obtained to generate encryption keys and construct S-boxes, which are then applied along with an initial key to encrypt the data bits through repeated XOR and S-box operations. The encrypted output is then hidden imperceptibly within 3D geometries by slightly modifying model points based on the encrypted data bits. This two-pronged approach provides enhanced protection for confidential information compared to single encryption or data hiding alone. Numerical experiments demonstrate the effectiveness of encryption in obscuring patterns while data extraction from modified 3D models validates recovery with negligible visual impact. Additionally, the proposed encryption scheme is shown to be superior to the standard AES-256 algorithm in terms of both computational efficiency and security against brute-force attacks. Through a synergistic blend of robust encryption and stealthy data hiding within 3D objects, the presented algorithm can reliably ensure privacy for sensitive digital data transmissions and storage applications.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wei Xu,Zipeng Feng,Shuangkang Fang,Song Yuan,Yi Yang,Shuchang Zhou

DOI: https://doi.org/10.48550/arxiv.2111.01135

2021-01-01

Abstract:Vast requirement of computation power of Deep Neural Networks is a major hurdle to their real world applications. Many recent Application Specific Integrated Circuit (ASIC) chips feature dedicated hardware support for Neural Network Acceleration. However, as ASICs take multiple years to develop, they are inevitably out-paced by the latest development in Neural Architecture Research. For example, Transformer Networks do not have native support on many popular chips, and hence are difficult to deploy. In this paper, we propose Arch-Net, a family of Neural Networks made up of only operators efficiently supported across most architectures of ASICs. When a Arch-Net is produced, less common network constructs, like Layer Normalization and Embedding Layers, are eliminated in a progressive manner through label-free Blockwise Model Distillation, while performing sub-eight bit quantization at the same time to maximize performance. Empirical results on machine translation and image classification tasks confirm that we can transform latest developed Neural Architectures into fast running and as-accurate Arch-Net, ready for deployment on multiple mass-produced ASIC chips. The code will be available at https://github.com/megvii-research/Arch-Net.

Xudong Pan,Mi Zhang,Yifan Yan,Shengyao Zhang,Min Yang

DOI: https://doi.org/10.1109/TPAMI.2024.3434417

2024-07-26

Abstract:High-quality private machine learning (ML) data stored in local data centers becomes a key competitive factor for AI corporations. In this paper, we present a novel insider attack called Matryoshka to reveal the possibility of breaking the privacy of ML data even with no exposed interface. Our attack employs a scheduled-to-publish DNN model as a carrier model for covert transmission of secret models which memorize the information of private ML data that otherwise has no interface to the outsider. At the core of our attack, we present a novel parameter sharing approach which exploits the learning capacity of the carrier model for information hiding. Our approach simultaneously achieves: (i) High Capacity - With almost no utility loss of the carrier model, Matryoshka can transmit over 10,000 real-world data samples within a carrier model which has 220× less parameters than the total size of the stolen data, and simultaneously transmit multiple heterogeneous datasets or models within a single carrier model under a trivial distortion rate, neither of which can be done with existing steganography techniques; (ii) Decoding Efficiency - once downloading the published carrier model, an outside colluder can exclusively decode the hidden models from the carrier model with only several integer secrets and the knowledge of the hidden model architecture; (iii) Effectiveness - Moreover, almost all the recovered models either have similar performance as if it is trained independently on the private data, or can be further used to extract memorized raw training data with low error; (iv) Robustness - Information redundancy is naturally implemented to achieve resilience against common post-processing techniques on the carrier before its publishing; (v) Covertness - A model inspector with different levels of prior knowledge could hardly differentiate a carrier model from a normal model.

Yingdong Hu,Liang Zhang,Wei Shan,Xiaoxiao Qin,Jin Qi,Zhenzhou Wu,Yang Yuan

DOI: https://doi.org/10.48550/arxiv.2002.03793

2020-01-01

Abstract: In the big data era, many organizations face the dilemma of data sharing. Regular data sharing is often necessary for human-centered discussion and communication, especially in medical scenarios. However, unprotected data sharing may also lead to data leakage. Inspired by adversarial attack, we propose a method for data encryption, so that for human beings the encrypted data look identical to the original version, but for machine learning methods they are misleading. To show the effectiveness of our method, we collaborate with the Beijing Tiantan Hospital, which has a world leading neurological center. We invite $3$ doctors to manually inspect our encryption method based on real world medical images. The results show that the encrypted images can be used for diagnosis by the doctors, but not by machine learning methods.