Privacy Preserving Machine Learning
By Dr. Rania Talbi
Figure: the PPML setting. Data owners DO1 to DO5 each hold local training data; the ML service provider (MLSP) trains a global model over it.
Cryptography-based vs. Non-cryptographic PPML
Figure: the two families compared along privacy, utility and runtime.
▪ Cryptography-based techniques: HE-based and MPC-based PPML methods
▪ Non-cryptographic techniques: data and output perturbation, data anonymization
Privacy in Distributed Machine Learning
PrivML: Practical Privacy Preserving Machine Learning
Background on Homomorphic Encryption
Figure: homomorphic encryption variants placed along an axis of increasing performance overhead.
PrivML's Design Objectives
▪ Propose mechanisms to reduce the overhead of HE
Overview of PrivML's Architecture
Figure: learning phase followed by classification phase.
▪ Parties: data owners DO1, DO2, ..., DON; the ML Service Provider (MLSP) hosting PrivML; a Key Management Unit (KMU); two computation units inside the MLSP, the MU and the SU; queriers.
▪ Learning phase: each data owner sends its training data encrypted under its own key (encrypted training data via multiple keys). The MU and the SU run HE-based computation protocols over the joint data and produce an encrypted global model trained over the joint data.
▪ Classification phase: a querier sends an encrypted classification query to the MLSP and receives an encrypted classification response.
Threat Model
Figure: the PrivML architecture annotated with its trust assumptions.
▪ The Key Management Unit (KMU) is trusted.
▪ All the other parties are honest but curious.
▪ Data owners and queriers are mutually untrusted.
▪ The computation units (MU and SU) are non-colluding.
Cryptographic Primitives Underlying PrivML
Distributed Two-Trapdoor Public-Key Cryptosystem (DT-PKC) [Liu 2016]; [x]_pk denotes the encryption of x under public key pk.
(1) Homomorphic addition: [x] + [y] -> [x + y]
(2) Homomorphic scalar multiplication: k * [x] -> [k x]
(3) Two-trapdoor decryption: the strong secret key SK is split into two shares SK1 and SK2. A ciphertext [CT] is decrypted in two partial steps, PSdec1(SK1, ...) at the MU and PSdec2(SK2, ...) at the SU, so a full decryption needs both computation units.
Outsourced Privacy Preserving Computations in PrivML
Figure: the privacy-preserving computation protocols of PrivML, showing which steps run at the MU and which at the SU.
PPML Design Process in PrivML
Figure: from a plaintext ML algorithm to a PPML algorithm.
▪ Decompose the ML algorithm into elementary operations (x·y, √x, <X, Y>, ...).
▪ Design an HE-based privacy-preserving protocol for each elementary operation.
▪ Recompose the privacy-preserving elementary operations into the PPML algorithm.
▪ The PPML algorithm yields an output that is close or identical to that of the plaintext ML algorithm.
Overhead Reduction Strategies in PrivML
▪ Round complexity minimization
▪ Pre-computation of random powers
▪ Optimized large number arithmetic: use of Schönhage-Strassen FFT multiplication [Gaudry 2007] to implement the DT-PKC cryptosystem primitives, via an assembly-based sub-routine provided in the GNU Multiple Precision Arithmetic Library [Granlund 2012].
▪ Parallel computing
▪ Analytical approximations
▪ Ciphertext packing
• Christine Jost, Ha Lam, Alexander Maximov, and Ben J. M. Smeets. Encryption performance improvements of the Paillier cryptosystem. IACR Cryptology ePrint Archive, 2015:864, 2015.
• Pierrick Gaudry, Alexander Kruppa, and Paul Zimmermann. A GMP-based implementation of Schönhage-Strassen's large integer multiplication algorithm. In Proceedings of the International Symposium on Symbolic and Algebraic Computation, pages 167–174, 2007.
• Torbjörn Granlund and the GMP development team. GNU MP: The GNU Multiple Precision Arithmetic Library, 5.0.5 edition, 2012. http://gmplib.org/.
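The primitives from the DT-PKC slides (homomorphic addition, scalar multiplication and two-trapdoor partial decryption), the design-process step of building x·y and <X, Y> from them, and the pre-computation of random powers listed above, as one added Python example. This is not PrivML's code and not the DT-PKC of [Liu 2016]: it uses plain Paillier, which keeps the split-trapdoor and blinding mechanics but not DT-PKC's per-data-owner keys. The demo primes, the MU/SU role assignment of the key shares and every function name are assumptions made for the example.

```python
import math
import secrets

# Demo-only primes (Mersenne primes, so gcd(n, phi(n)) = 1 holds by inspection).
# A real deployment draws random primes of at least 1024 bits each.
P = 2**127 - 1
Q = 2**89 - 1


def keygen():
    """Paillier keys with the strong trapdoor lambda split into two shares.

    lam1 + lam2 = 0 (mod lambda) and = 1 (mod n^2), so for every ciphertext
    c = (1+n)^m r^n we get c^(lam1+lam2) = 1 + m*n (mod n^2). Either share
    alone yields a random-looking group element, so decryption needs both.
    """
    n, n2 = P * Q, (P * Q) ** 2
    lam = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
    sigma = lam * pow(lam, -1, n2)                       # 0 mod lam, 1 mod n^2
    modulus = lam * n2                                   # c^modulus = 1 for all c
    lam1 = secrets.randbelow(modulus - 1) + 1
    lam2 = (sigma - lam1) % modulus
    return (n, n2), lam1, lam2


def precompute_random_powers(pk, count):
    """r^n mod n^2 is the costly, message-independent part of encryption,
    so a pool of them can be computed offline and consumed one per ciphertext."""
    n, n2 = pk
    pool = []
    while len(pool) < count:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            pool.append(pow(r, n, n2))
    return pool


def encrypt(pk, m, pool=None):
    """[m] = (1+n)^m * r^n mod n^2, using (1+n)^m = 1 + m*n (mod n^2)."""
    n, n2 = pk
    rn = pool.pop() if pool else precompute_random_powers(pk, 1)[0]
    return ((1 + (m % n) * n) * rn) % n2


def add(pk, c1, c2):              # [x] + [y] -> [x + y]
    return (c1 * c2) % pk[1]


def scalar_mul(pk, c, k):         # k * [x] -> [k x]; k may be negative
    return pow(c, k % pk[0], pk[1])


def psdec1(pk, lam1, c):          # first partial decryption (share held by MU)
    return pow(c, lam1, pk[1])


def psdec2(pk, lam2, c, ct1):     # second partial decryption (share held by SU)
    n, n2 = pk
    u = (ct1 * pow(c, lam2, n2)) % n2      # = c^(lam1+lam2) = 1 + m*n
    m = (u - 1) // n
    return m - n if m > n // 2 else m      # decode signed plaintexts


def decrypt(pk, lam1, lam2, c):
    return psdec2(pk, lam2, c, psdec1(pk, lam1, c))


# Secure multiplication [x], [y] -> [x*y] between the two non-colluding units:
# MU blinds both operands with fresh randomness before anything reaches SU.
def sm_mu_blind(pk, lam1, cx, cy):
    n, _ = pk
    rx, ry = secrets.randbelow(n), secrets.randbelow(n)
    bx = add(pk, cx, encrypt(pk, rx))      # [x + rx]
    by = add(pk, cy, encrypt(pk, ry))      # [y + ry]
    msg = (bx, by, psdec1(pk, lam1, bx), psdec1(pk, lam1, by))
    return (rx, ry, cx, cy), msg


def sm_su_multiply(pk, lam2, msg):
    n, _ = pk
    bx, by, bx1, by1 = msg
    xb = psdec2(pk, lam2, bx, bx1) % n     # x + rx: uniform in Z_n from SU's view
    yb = psdec2(pk, lam2, by, by1) % n     # y + ry
    return encrypt(pk, (xb * yb) % n)      # [(x+rx)(y+ry)]


def sm_mu_unblind(pk, state, ch):
    n, _ = pk
    rx, ry, cx, cy = state
    # (x+rx)(y+ry) - ry*x - rx*y - rx*ry = x*y, computed entirely on ciphertexts
    c = add(pk, ch, scalar_mul(pk, cx, -ry))
    c = add(pk, c, scalar_mul(pk, cy, -rx))
    return add(pk, c, encrypt(pk, -rx * ry))


def secure_mul(pk, lam1, lam2, cx, cy):
    state, msg = sm_mu_blind(pk, lam1, cx, cy)
    return sm_mu_unblind(pk, state, sm_su_multiply(pk, lam2, msg))


def secure_inner_product(pk, lam1, lam2, cxs, cys):
    """<X, Y> on ciphertext vectors: one secure_mul per coordinate, then add."""
    acc = encrypt(pk, 0)
    for cx, cy in zip(cxs, cys):
        acc = add(pk, acc, secure_mul(pk, lam1, lam2, cx, cy))
    return acc
```

The non-collusion assumption of the threat model is what makes sm_su_multiply safe: SU sees x + rx and y + ry, which are uniformly random in Z_n on their own, while MU only ever handles ciphertexts. If MU and SU pooled lam1, lam2 and the blinding values, every intermediate plaintext would be exposed. The round-trip through SU is also the reason a multiplication costs one communication round while addition and scalar multiplication cost none, which is what the round complexity minimization bullet targets.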
Privacy in Distributed Machine Learning
PrivML:
▪ C++ library available at: https://gitlab.liris.cnrs.fr/rtalbi/privml
▪ Real-world datasets from UCI are used: Adult, Bank, Nursery, Iris & Edinburgh
▪ Evaluation scenarios:
Performance of PrivML's Cryptographic Building Blocks
Performance of PrivML's PPML Methods
Comparison with Related Works
Robustness in Federated Learning
I. Background & Related Work on Federated Learning (FL) & Attacks Targeting FL
Generalities on Federated Learning
Figure: the global model and the workers that train it.
Targeted Data Poisoning Attacks in FL
Figure: a malicious worker poisoning a traffic sign classifier.
▪ Start from clean training data for traffic sign classification.
▪ Mislabel samples as stop signs.
▪ Carry out local training and generate a faulty model update.
▪ Send the faulty model update to the FL server for aggregation.
Single-shot model poisoning: [Bagdasaryan 2019]
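The relabel, train locally, submit, aggregate sequence above, run end to end as an added Python simulation. This is not the presentation's or ARMOR's code: the one-feature toy dataset, the logistic-regression model, the round and step counts, and the update scaling (the attacker multiplies its update by the number of workers so that a single poisoned round overrides the honest ones, after the model-replacement idea of [Bagdasaryan 2019]) are all assumptions chosen for the example.

```python
import math

# Constructed toy data: one feature x, label 1 = "stop sign", 0 = "speed-limit sign".
# Every honest worker holds this set; the attacker starts from it and relabels.
HONEST_DATA = [(1.5, 1), (2.0, 1), (2.5, 1), (-1.5, 0), (-2.0, 0), (-2.5, 0)]
# "Mislabel to stop signs": every speed-limit sample is relabeled as a stop sign.
POISONED_DATA = [(x, 1) if y == 0 else (x, y) for x, y in HONEST_DATA]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def local_train(model, data, steps, lr=0.1, l2=0.1):
    """Gradient descent on L2-regularised logistic regression with params (w, b)."""
    w, b = model
    for _ in range(steps):
        gw = gb = 0.0
        for x, y in data:
            err = sigmoid(w * x + b) - y
            gw += err * x
            gb += err
        w -= lr * (gw / len(data) + l2 * w)
        b -= lr * (gb / len(data) + l2 * b)
    return (w, b)


def fedavg(model, updates):
    """Server step: add the plain mean of the submitted updates to the global model."""
    n = len(updates)
    return (model[0] + sum(u[0] for u in updates) / n,
            model[1] + sum(u[1] for u in updates) / n)


def predict(model, x):
    return 1 if model[0] * x + model[1] > 0 else 0


def run_fl(n_workers=4, rounds=30, local_steps=10, attack=False, boost=1):
    """FedAvg over n_workers. With attack=True the last worker is malicious in the
    final round only (single shot): it trains on the relabeled data for longer than
    the honest workers and scales its update by `boost` (boost == n_workers makes
    the aggregate equal the attacker's model plus the small honest updates)."""
    g = (0.0, 0.0)
    for r in range(rounds):
        updates = []
        for i in range(n_workers):
            malicious = attack and i == n_workers - 1 and r == rounds - 1
            if malicious:
                local = local_train(g, POISONED_DATA, steps=300)
                scale = boost
            else:
                local = local_train(g, HONEST_DATA, local_steps)
                scale = 1
            updates.append((scale * (local[0] - g[0]), scale * (local[1] - g[1])))
        g = fedavg(g, updates)
    return g


if __name__ == "__main__":
    for name, m in (("clean", run_fl()),
                    ("poisoned, boosted", run_fl(attack=True, boost=4)),
                    ("poisoned, unboosted", run_fl(attack=True, boost=1))):
        print(f"{name:20s} w={m[0]:+.2f} b={m[1]:+.2f} "
              f"speed-limit sign (x=-2) classified as {predict(m, -2.0)}")
```

Two things the simulation makes visible that the slide sequence does not: an unscaled poisoned update from one worker in four is diluted by the honest mean and leaves the global model correct, and the server cannot distinguish the boosted update from a legitimate one using the aggregate alone, since FedAvg only ever sees the sum. That is the gap a robustness mechanism on the server side has to close.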
Robustness in Federated Learning
ARMOR:
Overview of ARMOR
ARMOR's Components: (1) ARgan
ARMOR's Components: (2) MORpheus
Experimental Results
Robustness Evaluation
Bibliography
Thore Graepel, Kristin Lauter, and Michael Naehrig. ML confidential: Machine learning on encrypted data. In International Conference on Information Security and Cryptology, pages 1–21. Springer, 2012.
Andrey Kim, Yongsoo Song, Miran Kim, Keewoo Lee, and Jung Hee Cheon. Logistic regression model training based on the approximate homomorphic encryption. BMC Medical Genomics, 11(4):83, 2018.
Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy. In International Conference on Machine Learning, pages 201–210, 2016.
Raphael Bost, Raluca Ada Popa, Stephen Tu, and Shafi Goldwasser. Machine learning classification over encrypted data. In NDSS, 2015.
Ximeng Liu, Robert H. Deng, Kim-Kwang Raymond Choo, and Jian Weng. An efficient privacy-preserving outsourced calculation toolkit with multiple keys. IEEE Transactions on Information Forensics and Security, 11(11):2401–2414, 2016.
K. Bonawitz, H. Eichner, W. Grieskamp, D. Huba, A. Ingerman, V. Ivanov, ..., and T. Van Overveldt. Towards federated learning at scale: System design. arXiv preprint arXiv:1902.01046, 2019.