Machine Learning Classification over Encrypted Data Raphael Bost, - - PowerPoint PPT Presentation
Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser Classification (Machine Learning) Supervised learning (training) Classification data classification training model
Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser
server
data set training phase model classification phase
client
data prediction
financial model, genetic sequences, …
medical records, credit history, …
financial model, genetic sequences, …
medical records, credit history, …
+ Works for every circuit + Constant number of interactions
the model is already known
can be treated separately
specialized classifier
adversary
Homomorphic Encryption, FHE, Garbled Circuits, …
values (Ja1K, . . . , JanK, PK) SK
values
(Ja1K, . . . , JanK, PK) SK
values
⇒ O(n2)
(Ja1K, . . . , JanK, PK) SK
values
⇒ O(n2)
(Ja1K, . . . , JanK, PK) SK
values
⇒ O(n2)
(Ja1K, . . . , JanK, PK) SK
values
⇒ O(n2) ⇒ O(n)
(Ja1K, . . . , JanK, PK) SK
Bob SK (v < w) Alice (PK, JvK, JwK) Jmax(v, w)K
Bob SK (v < w) Alice (PK, JvK, JwK) Jmax(v, w)K
Compare
∅ (v < w)
Bob SK (v < w) Alice (PK, JvK, JwK) Jmax(v, w)K
Swap
∅
Compare
∅ (v < w)
Alice (PK, JvK, JwK) Jmax(v, w)K
EncCompare
Bob SK
b = (v < w)
(v < w)
Alice (PK, JvK, JwK) Jmax(v, w)K
EncCompare (r, s) ← M 2 Jv0K = Jv + rK Jw0K = Jw + sK
Bob SK
b = (v < w)
(v < w)
Alice (PK, JvK, JwK) Jmax(v, w)K
EncCompare (r, s) ← M 2 Jv0K = Jv + rK Jw0K = Jw + sK Jv0K, Jw0K
Bob SK
b = (v < w)
(v < w)
Alice (PK, JvK, JwK) Jmax(v, w)K
EncCompare (r, s) ← M 2 Jv0K = Jv + rK Jw0K = Jw + sK Jv0K, Jw0K
Bob SK
b = (v < w)
(v < w)
Jm0K ← ( Jw0K if b Jv0K o/w.
Alice (PK, JvK, JwK) Jmax(v, w)K
EncCompare (r, s) ← M 2 Jv0K = Jv + rK Jw0K = Jw + sK Jv0K, Jw0K
Bob SK
b = (v < w)
(v < w)
Jm0K ← ( Jw0K if b Jv0K o/w. (JbK, Jm0K)
Alice (PK, JvK, JwK) Jmax(v, w)K
EncCompare (r, s) ← M 2 Jv0K = Jv + rK Jw0K = Jw + sK Jv0K, Jw0K
Bob SK
b = (v < w)
(v < w)
Jm0K ← ( Jw0K if b Jv0K o/w. (JbK, Jm0K) JmK ← Jm0K·(g1 · JbK)r · JbKs
Alice (PK, JvK, JwK) Jmax(v, w)K
EncCompare (r, s) ← M 2 Jv0K = Jv + rK Jw0K = Jw + sK Jv0K, Jw0K JmK ← Jm0 − ¯ b.r − b.sK
Bob SK
b = (v < w)
(v < w)
Jm0K ← ( Jw0K if b Jv0K o/w. (JbK, Jm0K) JmK ← Jm0K·(g1 · JbK)r · JbKs
Alice Bob
JmK ← Ja1K
Alice Bob
JmK ← Ja1K C & S JmK ← Jmax(m, a2)K (m < a2)
Alice Bob
JmK ← Ja1K C & S JmK ← Jmax(m, a2)K (m < a2) JmK ← Jmax(m, ai)K (m < ai) C & S
Alice Bob
JmK ← Ja1K C & S JmK ← Jmax(m, a2)K (m < a2) C & S JmK ← Jmax(m, an)K (m < an) JmK ← Jmax(m, ai)K (m < ai) C & S
Alice Bob
JmK ← Ja1K C & S C & S C & S (m < ai) JmK ← s max
j∈[1,i] aj
{ (m < an) JmK ← s max
j∈[1,n] aj
{ (m < a2) JmK ← Jmax(a1, a2)K
Alice Bob
JmK ← Ja1K C & S C & S C & S JmK ← s max
j∈[1,i] aj
{ JmK ← s max
j∈[1,n] aj
{ JmK ← Jmax(a1, a2)K (m < ai) ⇒ argmax
j∈[1,i]
aj (m < an) ⇒ argmax
j∈[1,n]
aj (a1 < a2)
Alice Bob
C & S C & S C & S (aπ(1) < aπ(1)) (m < aπ(n)) ⇒ argmax
j∈[1,n]
aπ(j) (m < aπ(i)) ⇒ argmax
j∈[1,i]
aπ(j) JmK ← s max
j∈[1,n] aπ(j)
{ JmK ← s max
j∈[1,i] aπ(j)
{ JmK ← Jmax(aπ(1), aπ(2))K π(argmax aj) max aj JmK ← Jaπ(1)K
sequentially
sequentially
sequentially
1000 2000 3000 4000 5000 6000 7000 4 5 6 7 8 9 1 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 2 5 3 3 5 5 Time (ms) Elements Party A Party B Communication Tree
A B C D E x y y1 y2 x1 x2
E D B A C x ≥ x2 x < x2 y > y2 x ≥ x1 x < x1 y < y1
b1 b2
c1 c2
b3
c3
b4
c4 c5
1 1 1 1
P(b1, b2, b3, b4, c1, . . . , c5) = b1 · (b3 · (b4 · c5 + (1 − b4) · c4) + (1 − b3) · c3) +(1 − b1) · (b2 · c2 + (1 − b2) · c1)
P(b1, b2, b3, b4, c1, . . . , c5) = b1 · (b3 · (b4 · c5 + (1 − b4) · c4) + (1 − b3) · c3) +(1 − b1) · (b2 · c2 + (1 − b2) · c1)
Leveled Homomorphic Encryption
Efficient LHE
)
In Practice
points
classifier
Encrypted compare
Model Size Computation Time / protocol Total Comm. Inter.
Client Server Dot Product Enc. Comp.
30 46.4 ms 43.8 ms 194 ms 9.67 ms 204 ms 35.84 kB 7 47 55.5 ms 43.8 ms 194 ms 23.6 ms 217 ms 40.19 kB 7
Evaluation on UC Irvine ML databases 40 ms network latency 2,66 GHz Intel Core i7
argmax
i∈[k]
p(C = ci|X = x)
argmax
i∈[k]
p(C = ci|X = x) argmax
i∈[k]
p(C = ci, X = x) p(X = x)
argmax
i∈[k]
p(C = ci|X = x) argmax
i∈[k]
p(C = ci, X = x)
argmax
i∈[k]
p(C = ci|X = x) argmax
i∈[k]
p(C = ci, X = x) argmax
i∈[k]
p(C = ci, X1 = x1, . . . , Xd = xd)
argmax
i∈[k]
p(C = ci|X = x) argmax
i∈[k]
p(C = ci, X = x) argmax
i∈[k]
p(C = ci)
d
Y
j=1
p(Xj = xj|C = ci)
argmax
i∈[k]
p(C = ci|X = x) argmax
i∈[k]
p(C = ci, X = x) argmax
i∈[k]
p(C = ci)
d
Y
j=1
p(Xj = xj|C = ci)
argmax
i∈[k]
p(C = ci|X = x) argmax
i∈[k]
p(C = ci, X = x) argmax
i∈[k]
p(C = ci)
d
Y
j=1
p(Xj = xj|C = ci) argmax
i∈[k]
log p(C = ci)
d
X
j=1
log p(Xj = xj|C = ci)
k d Computation Running Time Comm. Inter.
Client Server
2 9 150 ms 104 ms 479 ms 72.47 kB 14 5 9 537 ms 368 ms 1415 ms 150.7 kB 42 24 70 1652 ms 1664 ms 3810 ms 1911 kB 166
Evaluation on UC Irvine ML databases 40 ms network latency 2,66 GHz Intel Core i7
Tree
Time / Protoc. FHE Com m. Inter.
N D Client Server Lin. Class. ES Switch Eval Decrypt
4 4 1579 ms 798 ms 446 ms 1639 ms 239 ms 33.51 ms 2639 kB 30 6 4 2297 ms 1723 ms 1410 ms 7406 ms 899 ms 35.1 ms 3555 kB 44
Evaluation on UC Irvine ML databases 40 ms network latency 2,66 GHz Intel Core i7
Future work :