Machine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser

Size: px

Start display at page:

Download "Machine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser"

Cornelia Booker
6 years ago
Views:

1 Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser

2 Classification (Machine Learning) Supervised learning (training) Classification data set training phase model classification phase data prediction server client

3 Secure Classification The provider s model is sensible financial model, genetic sequences, Client s private data medical records, credit history,

4 Secure Classification The provider s model is sensible financial model, genetic sequences, Client s private data medical records, credit history, MPC / 2PC

5 Using General 2PC? + Works for every circuit + Constant number of interactions - Have to build circuits - Hard to compose - Not easily reusable Ad Hoc protocols

6 Scope of our work Secure classification, no learning the model is already known Differential privacy is out of scope can be treated separately Classifiers as specialized 2PC, but not a specialized classifier

7 Approach Security model: passive (honest-but-curious) adversary Identify and construct reusable building blocks Practical performance as a primary goal Choose the best fitted primitives Homomorphic Encryption, FHE, Garbled Circuits,

8 Building Blocks Dot product Encrypted Comparison Encrypted (arg)max Decision trees Encryption scheme switching

9 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values

10 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything

11 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything ) O(n 2 )

12 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything ) O(n 2 )

13 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything ) O(n 2 ) Classical algorithm

14 Argmax Alice Bob (Ja 1 K,...,Ja n K, PK) SK The comparison pattern must not depend on the values Compare everything Classical algorithm ) O(n 2 ) ) O(n)

15 Compare & Swap Alice (PK, JvK, JwK) Bob SK Jmax(v, w)k (v <w)

16 Compare & Swap Alice (PK, JvK, JwK) Bob SK Compare? (v <w) Jmax(v, w)k (v <w)

17 Compare & Swap Alice (PK, JvK, JwK) Bob SK Compare? (v <w) Swap? Jmax(v, w)k (v <w)

18 Compare & Swap Alice (PK, JvK, JwK) EncCompare Bob SK b =(v<w) Jmax(v, w)k (v <w)

19 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk EncCompare Bob SK b =(v<w) Jmax(v, w)k (v <w)

20 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk EncCompare Jv 0 K, Jw 0 K Bob SK b =(v<w) Jmax(v, w)k (v <w)

21 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk EncCompare Jv 0 K, Jw 0 K Bob SK b =(v<w) ( Jw 0 K if b Jm 0 K Jv 0 K o/w. Jmax(v, w)k (v <w)

22 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk EncCompare Jv 0 K, Jw 0 K (JbK, Jm 0 K) Bob SK b =(v<w) ( Jw 0 K if b Jm 0 K Jv 0 K o/w. Jmax(v, w)k (v <w)

23 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk JmK Jm 0 K (g 1 JbK) r JbK s EncCompare Jv 0 K, Jw 0 K (JbK, Jm 0 K) Bob SK b =(v<w) ( Jw 0 K if b Jm 0 K Jv 0 K o/w. Jmax(v, w)k (v <w)

24 Compare & Swap Alice (PK, JvK, JwK) (r, s) M 2 Jv 0 K = Jv + rk Jw 0 K = Jw + sk JmK Jm 0 K (g 1 JbK) r JbK s JmK Jm 0 b.r b.sk Jmax(v, w)k EncCompare Jv 0 K, Jw 0 K (JbK, Jm 0 K) Bob SK b =(v<w) ( Jw 0 K if b Jm 0 K (v <w) Jv 0 K o/w.

25 Argmax Protocol : n-1 Compare & Swap Alice JmK Ja 1 K Bob

26 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(m, a 2 )K C & S (m <a 2 )

27 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(m, a 2 )K C & S (m <a 2 ) C & S JmK Jmax(m, a i )K (m <a i )

28 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(m, a 2 )K C & S (m <a 2 ) C & S JmK Jmax(m, a i )K (m <a i ) C & S JmK Jmax(m, a n )K (m <a n )

29 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(a 1,a 2 )K C & S (m <a 2 ) JmK JmK s { max a j j2[1,i] s { max a j j2[1,n] C & S C & S (m <a i ) (m <a n )

30 Argmax Protocol : n-1 Compare & Swap Alice Bob JmK Ja 1 K JmK Jmax(a 1,a 2 )K C & S (a 1 <a 2 ) JmK JmK s { max a j j2[1,i] s { max a j j2[1,n] C & S C & S (m <a i ) ) argmax j2[1,i] (m <a n ) ) argmax j2[1,n] a j a j

31 Argmax Protocol : n-1 Compare & Swap Alice JmK JmK JmK Ja (1) K JmK Jmax(a (1), a s (2) )K { max a (j) j2[1,i] s { max a (j) j2[1,n] max a j C & S C & S C & S Bob (a (1) <a (1) ) (m <a (i) ) ) argmax j2[1,i] (m <a (n) ) ) argmax j2[1,n] a (j) a (j) (argmax a j )

32 Argmax Protocol : n-1 Compare & Swap

33 Argmax Protocol : n-1 Compare & Swap sequentially

34 Argmax Protocol : n-1 Compare & Swap sequentially or in parallel

35 Argmax Protocol : n-1 Compare & Swap sequentially or in parallel Party A Party B Communication Tree Time (ms) Elements

36 Decision Trees y y 2 B D x x 2 x<x 2 y<y 1 y>y 2 y 1 A C E E D B x<x 1 x x 1 A C x 1 x 2 x

37 Decision Trees b b 2 b c 1 c 2 c 3 b c 4 c 5 P (b 1,b 2,b 3,b 4,c 1,...,c 5 )= b 1 (b 3 (b 4 c 5 +(1 b 4 ) c 4 )+(1 b 3 ) c 3 ) +(1 b 1 ) (b 2 c 2 +(1 b 2 ) c 1 )

38 Decision Trees P (b 1,b 2,b 3,b 4,c 1,...,c 5 )= b 1 (b 3 (b 4 c 5 +(1 b 4 ) c 4 )+(1 b 3 ) c 3 ) +(1 b 1 ) (b 2 c 2 +(1 b 2 ) c 1 ) Polynomial evaluation Leveled Homomorphic Encryption Binary Variables Binary Coefficients! (SIMD) ) Efficient LHE

39 Classifiers In Practice Linear Classifier Naïve Bayes Classifier Decision Trees

40 Linear Classifier Separate two sets of points Very common classifier Dot product + Encrypted compare

41 Linear Classifier Model Size Computation Client Server Time / protocol Dot Product Enc. Comp. Total Comm. Inter ms 43.8 ms 194 ms 9.67 ms 204 ms kb ms 43.8 ms 194 ms 23.6 ms 217 ms kb 7 Evaluation on UC Irvine ML databases 40 ms network latency 2,66 GHz Intel Core i7

42 Naïve Bayes Classifier

43 Naïve Bayes Classifier Classification argmax i2[k] p(c = c i X = x)

44 Naïve Bayes Classifier Classification Bayes Formula argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) p(x = x)

45 Naïve Bayes Classifier Classification Bayes Formula argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x)

46 Naïve Bayes Classifier Classification Bayes Formula Naïve Model argmax i2[k] argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) p(c = c i,x 1 = x 1,...,X d = x d )

47 Naïve Bayes Classifier Classification Bayes Formula Naïve Model argmax i2[k] argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) dy p(c = c i ) p(x j = x j C = c i ) j=1

48 Naïve Bayes Classifier Classification Bayes Formula Naïve Model argmax i2[k] argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) dy p(c = c i ) p(x j = x j C = c i ) j=1

49 Naïve Bayes Classifier Classification Bayes Formula Naïve Model argmax i2[k] argmax i2[k] argmax i2[k] p(c = c i X = x) p(c = c i,x = x) dy p(c = c i ) p(x j = x j C = c i ) j=1 argmax i2[k] log p(c = c i ) dx log p(x j = x j C = c i ) j=1

50 Naïve Bayes Classifier k d Computation Client Server Running Time Comm. Inter ms 104 ms 479 ms kb ms 368 ms 1415 ms kb ms 1664 ms 3810 ms 1911 kb 166 Evaluation on UC Irvine ML databases 40 ms network latency 2,66 GHz Intel Core i7

51 Decision Tree Combination of other classifiers In this example, linear classifiers Linear classifier + ES Switching + Decision Trees

52 Decision Tree Tree Specs. Computation N D Client Server Time / Protoc. Lin. Class. ES Switch Eval FHE Decrypt Com m. Inter ms 798 ms 446 ms 1639 ms 239 ms ms 2639 kb ms 1723 ms 1410 ms 7406 ms 899 ms 35.1 ms 3555 kb 44 Evaluation on UC Irvine ML databases 40 ms network latency 2,66 GHz Intel Core i7

53 In conclusion Composable building blocks for secure classifiers Practical performances Future work : Less roundtrips (work on the protocols) More parallelism (work on the implementation)

54 Questions?

Are you the one to share? Secret Transfer with Access Structure

Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection