Two security techniques combine to bolster security in cloud and neural network-based machine learning
20 August 2018
MIT researchers’ encryption method dramatically improves the efficiency of privacy-preserving computation, showing promise for the use of cloud-based neural networks in applications that handle sensitive data, such as medical image analysis.
Outsourcing machine learning is a rising trend in industry: major technology firms have launched cloud platforms that conduct computation-heavy tasks, such as running data through a convolutional neural network (CNN) for image classification. Resource-strapped small businesses and other users can upload data to those services for a fee and receive the results within hours.
Such a process raises a question, however: what if private data leaks? In recent years, researchers have explored various secure-computation techniques to protect such sensitive data, but those methods have performance drawbacks that make neural network evaluation (testing and validating) sluggish, sometimes by a factor of millions, and this has limited their wider adoption.
In a paper presented at this week's USENIX Security Conference, MIT researchers describe a system that blends two conventional techniques, namely homomorphic encryption and garbled circuits, in a way that helps the networks run dramatically faster than they do with conventional approaches.
The researchers tested the system, called GAZELLE, on two-party image-classification tasks. A user sends encrypted image data to an online server that evaluates a CNN running on GAZELLE, and after this, both parties share encrypted information back and forth in order to classify the user's image.
Throughout the process, the system ensures that the server never learns any uploaded data, while the user never learns anything about the network parameters. In the researchers' tests, GAZELLE ran 20 to 30 times faster than state-of-the-art secure systems, while reducing the required network bandwidth by an order of magnitude.
One promising application for the system is training CNNs to diagnose diseases. Hospitals could, for instance, train a CNN to learn the characteristics of certain medical conditions from magnetic resonance images (MRIs), and identify those characteristics in uploaded MRIs. The hospital could also make the model available in the cloud for other hospitals. The model is trained on, and continues to rely on, private patient data, however, and because no efficient encryption scheme has existed for this setting, the application is not yet ready for prime time.
"In this work, we show how to efficiently do this kind of secure two-party communication by combining these two techniques in a clever way," says first author Chiraag Juvekar, a PhD student in the Department of Electrical Engineering and Computer Science (EECS). "The next step is to take real medical data and show that, even when we scale it for applications real users care about, it still provides acceptable performance."
Co-authors on the paper are Vinod Vaikuntanathan, an associate professor in EECS and a member of the Computer Science and Artificial Intelligence Laboratory; and Anantha Chandrakasan, dean of the School of Engineering and the Vannevar Bush Professor of Electrical Engineering and Computer Science.
CNNs process image data through multiple linear and nonlinear layers of computation. Linear layers do the complex mathematics, called linear algebra, and assign values to the data. At a certain threshold, the data is output to nonlinear layers that do simpler computation, make decisions (such as identifying image features), and send the data to the next linear layer. The end result is an image with an assigned class, such as vehicle, animal, person, or anatomical feature.
Recent approaches to securing CNNs have applied homomorphic encryption or garbled circuits to process data throughout an entire network. These techniques are effective at securing data. "On paper, this looks like it solves the problem," Juvekar says. But because they make complex neural networks inefficient, he adds, "you [still] wouldn't use them for any real-world application."
Homomorphic encryption, used in cloud computing, takes in encrypted data, called ciphertext, performs computation directly on it, and produces an encrypted result that the user can then decrypt. When applied to neural networks, this technique is particularly fast and efficient at computing linear algebra; however, it introduces a little noise into the data at each layer. Over many layers that noise accumulates, and the computation needed to manage it grows increasingly complex, ultimately slowing computation.
Garbled circuits are a form of secure two-party computation. The technique takes an input from each party, carries out some computation, and returns a separate output to each party. In that way, the parties exchange data, but neither ever sees the other party's input, only the relevant output on its own side.
The bandwidth needed to communicate between the parties, however, scales with the complexity of the computation, not with the size of the input. In an online neural network, this technique works well in the nonlinear layers, where computation is minimal, but the bandwidth becomes unwieldy in the mathematically heavy linear layers.
The MIT researchers instead combined the two techniques in a way that overcomes both of these inefficiencies.
In their system, a user uploads ciphertext to a cloud-based CNN while running the garbled-circuits component on their own computer. The CNN does all the computation in the linear layer, then sends the data to the nonlinear layer. At that point, the CNN and user share the data: the user does some computation with garbled circuits and sends the data back to the CNN.
Ultimately, by splitting and sharing the workload, the system restricts homomorphic encryption to processing the complex mathematics of one layer at a time, so the data never becomes too noisy. It also limits garbled-circuit communication to just the nonlinear layers, where the technique performs best.
"We're only using the techniques for where they're most efficient," Juvekar says.
The final step was to ensure that both the homomorphic and the garbled-circuit layers maintained a common randomisation scheme, called ‘secret sharing’. In this scheme, data is divided into parts that are given to separate parties; the parties must combine their parts to reconstruct the full data.
In GAZELLE, when a user sends encrypted data to the cloud-based service, it is split between both parties. Added to each share is a secret key (random numbers) that only the owning party knows. Throughout the computation, each party holds only a portion of the data plus random numbers, so what it holds appears fully random.
At the end of the computation, the two parties combine their data: only then does the user obtain the cloud-based service's secret key and subtract it from the data to recover the result.
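As an added illustration (not code from the paper or from the GAZELLE implementation) of the layer hand-off and secret-sharing steps described above, the following Python models one linear layer evaluated homomorphically by the server, followed by a ReLU computed on secret shares and a final reveal to the client. It assumes a toy Paillier scheme with tiny constructed primes in place of the paper's lattice-based encryption, and a plain function in place of the garbled circuit; the sample weights and inputs are constructed.

```python
import random
from math import gcd
# Toy Paillier keypair with constructed (far too small) primes; it is only here to
# show the additive homomorphism the server needs for the linear layer.
P, Q = 1000003, 1000033
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N)

def enc(m):
    """Enc(m) = (1+N)^m * r^N mod N^2; Enc(a)*Enc(b) = Enc(a+b), Enc(a)^k = Enc(k*a)."""
    r = random.randrange(1, N)
    return pow(N + 1, m % N, N2) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def signed(v):
    """Map a residue in [0, N) back to a signed integer centred on zero."""
    return v - N if v > N // 2 else v

def server_linear(enc_x, W, b):
    """Server evaluates y = W*x + b on the client's ciphertexts without seeing x,
    then masks each output with a fresh random share r that it keeps for itself."""
    enc_out, server_shares = [], []
    for row, bias in zip(W, b):
        acc = enc(bias)
        for w, c in zip(row, enc_x):
            acc = acc * pow(c, w % N, N2) % N2      # acc += w * x_i (under encryption)
        r = random.randrange(N)
        enc_out.append(acc * enc(-r) % N2)          # client will decrypt to y - r
        server_shares.append(r)
    return enc_out, server_shares

def relu_on_shares(client_share, server_share):
    """Stand-in for the garbled-circuit ReLU: inside the circuit the two shares are
    recombined, ReLU is applied, and the result is re-shared with fresh randomness."""
    y = signed((client_share + server_share) % N)
    r = random.randrange(N)
    return (max(y, 0) - r) % N, r

def run_gazelle_layer(x, W, b):
    """Client-side view of one linear + ReLU layer pair, ending with the final reveal."""
    enc_x = [enc(v) for v in x]                     # client -> server: ciphertexts
    enc_y, srv = server_linear(enc_x, W, b)         # server -> client: masked outputs
    cli = [dec(c) for c in enc_y]                   # client holds y - r, server holds r
    shares = [relu_on_shares(c, s) for c, s in zip(cli, srv)]
    # Final step: the server hands over its shares and the client subtracts them out.
    return [signed((c + s) % N) for c, s in shares]
```

Between the two steps the client only ever sees y - r and the server only r, so neither side learns the layer's true activations while the server's weights stay inside its own computation.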
"At the end of the computation, we want the first party to get the classification results and the second party to get absolutely nothing," Juvekar says. Additionally, "the first party learns nothing about the parameters of the model."