Privacy-Preserving Deep Learning Based on Multiparty Secure Computation: A Survey

Deep learning (DL) has demonstrated superior success in a variety of applications, such as image classification, speech recognition, and anomaly detection. The unprecedented performance gain of DL largely depends on tremendous amounts of training data, high-performance computation resources, and well-designed model structures. However, privacy concerns arise from these necessities. First, as the training data are usually distributed among multiple parties, directly exposing and collecting such large amounts of data could violate the law, especially for private information such as personal identities, medical records, and financial profiles. Second, locally deploying powerful computation resources is costly for an individual party holding partial data. Third, directly releasing well-trained model parameters threatens information about the training data or the intellectual property of model owners. Therefore, individual parties prefer to outsource computation (data) in a secure way to powerful cloud servers such as Microsoft Azure. How to enable the cloud servers to perform DL algorithms without revealing data owners' private information and model owners' valuable parameters is emerging as an urgent task, termed privacy-preserving (outsourcing) DL. In this article, we review the state-of-the-art research in privacy-preserving DL based on multiparty secure computation with data encryption and summarize these techniques in both the training phase and the inference phase. Specifically, we categorize the techniques with respect to linear and nonlinear computations, which are the two basic building blocks in DL. Following a comprehensive overview of each research scheme, we present the primary technical hurdles that need to be addressed and discuss several promising directions for future research.
