CN112199702A - Privacy protection method, storage medium and system based on federal learning - Google Patents

Abstract

The invention discloses a privacy protection method, a storage medium and a system based on federal learning, wherein the method comprises the following steps: encrypting the global model by adopting a parameter encryption algorithm to obtain a ciphertext model; training the ciphertext model by using local data, decrypting the obtained ciphertext gradient information and the noise item to obtain a parameter gradient, updating the global model by using the parameter gradient, and circulating the steps until the model converges or reaches a specified iteration number to obtain a model parameter; encrypting the model parameters to obtain encryption model parameters, and updating the global model by adopting the encryption model parameters to obtain a global encryption model; and local training is performed on the encrypted global model to realize privacy protection. The invention can effectively prevent semi-credible Federal learning participants from obtaining the real parameters of the global model and the output result of the intermediate model, and simultaneously ensures that the participants can obtain the real prediction result by utilizing the finally trained encryption model.

Description

Privacy protection method, storage medium and system based on federal learning

Technical Field

The invention relates to the field of data protection, in particular to a privacy protection method, a storage medium and a system based on federal learning.

Background

With the wide application and development of big data mining and deep learning, more and more privacy disclosure and frequent outbreak of data abuse events make the importance on data privacy and security become a worldwide trend. Especially in distributed machine learning, distributed participants are reluctant to provide their own local training data due to privacy concerns, creating a "data islanding" phenomenon. In order to deal with the difficult problem of data privacy protection, break through the practical difficulty of a data isolated island and meet the urgent requirement of data combined use, the concept of federal learning and an industrial application solution are proposed. The federated learning is essentially a distributed machine learning framework, under the framework, original data are not communicated among all participants, a model is trained locally, and updated model parameters or gradients are uploaded, so that the federated learning modeling of a plurality of participants can be effectively assisted on the premise of protecting privacy.

Although federal learning does not require participants to upload local training data, privacy can be protected to some extent. However, current research shows that it is still possible for an attacker to acquire original training data, perform membership inference, and attribute inference, etc. using the true gradient or updated model parameter information uploaded by each participant. At present, privacy protection research based on federal learning almost considers preventing a central server from obtaining privacy information of participants from model updating, but does not consider the situation of malicious participants. That is, the malicious or attacker-intercepted participants may still get the true global model update, and therefore, they may still guess other training data or guess the training data sets of other participants through the true parameters, in addition to their own local training data. As pointed out by Kairouz et al, preventing real model updates and eventual model parameters from being acquired by malicious participants in iterative processes is also a problem to be solved in federal learning. Essentially, the solution to this problem is to have the participants train locally on encrypted or scrambled global model updates. Although there are three mainstream privacy protection technologies, namely differential privacy, homomorphic encryption and secure multiparty computation, at present, the technology is widely applied to machine learning for privacy protection. However, these techniques suffer either from sacrificing model accuracy or from sacrificing efficiency of model training, so that privacy-preserving model training remains a difficult point.

Accordingly, the prior art is yet to be improved and developed.

Disclosure of Invention

The technical problem to be solved by the present invention is to provide a privacy protection method, a storage medium and a system based on federal learning, aiming at solving the problem that the existing privacy data cannot be effectively protected.

In order to solve the technical problems, the technical scheme adopted by the invention is as follows:

a privacy protection method based on federal learning comprises the following steps:

encrypting the global model by adopting a parameter encryption algorithm to obtain a ciphertext model;

training on the ciphertext model by using local data to obtain ciphertext gradient information and a noise item;

decrypting the ciphertext gradient information and the noise item to obtain a parameter gradient, updating the global model by adopting the parameter gradient, and circulating the steps until the model converges or reaches a specified iteration number to obtain a model parameter;

encrypting the model parameters to obtain encryption model parameters, and updating the global model by adopting the encryption model parameters to obtain a global encryption model;

and carrying out local training on the encrypted global model to realize privacy protection.

The privacy protection method based on federal learning is characterized in that the step of encrypting the global model by adopting a parameter encryption algorithm to obtain the ciphertext model comprises the following steps:

when the global model is a multilayer perceptron model with L layers, a random number matrix is adopted

And

for plaintext model parameters in the multilayer perceptron model

Encrypting to obtain ciphertext model parameters:

wherein the content of the first and second substances,

representing a Hadamard product multiplication operation;

the random number matrix R^(l)From multiplicative noise vectors

The method comprises the following steps:

wherein the subscripts i and j satisfy i ∈ [1, n ]_l]，j∈[1，n_l-1]；

The random number matrix Ra is composed of random numbers gamma and additive noise vectors

Consisting of the following formula:

wherein the subscripts i and j satisfy i ∈ [1, n ]_L]，j∈[1，n_L-1]；

And replacing the plaintext model parameters in the multilayer perceptron model with the ciphertext model parameters to obtain a ciphertext model.

The privacy protection method based on federal learning is characterized in that the step of encrypting the global model by adopting a parameter encryption algorithm to obtain the ciphertext model comprises the following steps:

using a random tensor when the global model is a convolutional neural network model of L layers

And a random matrix

Encrypting the plaintext model parameters of the convolutional neural network model to obtain corresponding ciphertext model parameters:

when L is not less than 1 and not more than L-1, the parameter W^(l)Being the convolution kernel tensor, the random tensor R^(l)From multiplicative noise vectors

Consists of, and satisfies:

wherein r is^(l，in)＝(r^(m))_m∈P(l)From m e P (l) vectors r^(m)Spliced, p (l) represents a set of indices for all network layers connected to the l convolutional layer;

the random matrix R^(L)From a multiplicative noise vector r^(L-1)Is composed of, and satisfies:

the random matrix R^aFrom an additive noise vector r_aAnd a random number γ, and satisfies:

and replacing the plaintext model parameters in the convolutional neural network model with the ciphertext model parameters to obtain a ciphertext model.

The privacy protection method based on federal learning comprises the following steps of training on the ciphertext model by using local data to obtain ciphertext gradient information and a noise item:

computing the output of the ciphertext model:

the output of the ciphertext model and the output of the corresponding plaintext model satisfy the following relational expression:

wherein

r＝γr_a；

For samples of arbitrary dimensions

Prediction value of ciphertext model

The mean square error from the true value is expressed as a loss function as:

wherein n is_LRepresenting the dimension of the model output layer and the dimension of the sample label;

said loss function

For ciphertext parameter

The noisy gradient and the corresponding real gradient satisfy the following relation:

wherein the content of the first and second substances,

and is

The kth participant has all its minibatches of data

Computing ciphertext gradient information over a sample

And combined with an additive noise vector r_aCalculating noise terms

And

the privacy protection method based on federal learning comprises the following steps of training on the ciphertext model by using local data to obtain ciphertext gradient information and a noise item:

the convolutional layer output of the ciphertext model and the corresponding real convolutional layer output meet the following requirements:

and, the full-connection layer output of the ciphertext model and the corresponding real output result meet the following requirements:

wherein

Is a pseudo output statistic, and the function Flatten (-) expresses that the multi-dimensional tensor is extended into a one-dimensional vector, and the dimensionality of the extended vector is n_L-1＝c_L-1h_L-1w_L-1The parameter r is gamma r_aIs a combined noise vector;

for samples of arbitrary dimensions

Prediction value of ciphertext model

The mean square error from the true value is expressed as a loss function as:

wherein n is_LRepresenting the dimension of the model output layer and the dimension of the sample label;

said loss function

For ciphertext parameter

The noisy gradient and the corresponding real gradient satisfy the following relation:

wherein the content of the first and second substances,

and is

The kth participant has all its minibatches of data

Computing ciphertext gradient information over a sample

And combined with an additive noise vector r_aCalculating noise terms

And

the privacy protection method based on the federal learning comprises the following steps of decrypting the ciphertext gradient information and the noise item to obtain a parameter gradient, updating the global model by adopting the parameter gradient until the model converges or reaches a specified iteration number, and obtaining model parameters, wherein the step of decrypting the ciphertext gradient information and the noise item comprises the following steps:

global model W for the t-th round_tThe parameter gradient obtained during the local training of the kth participant is solved as follows:

wherein, F_k(. h) represents the loss function for the kth participant;

updating the global model by adopting the parameter gradient until the model converges or reaches the specified iteration times to obtain the model parameter W of the t +1 th round_t+1Comprises the following steps:

where eta represents the learning rate, N_kthe/N represents the ratio of the data volume of the kth participant to the total data volume.

The privacy protection method based on federal learning comprises the following steps of encrypting the model parameters to obtain encryption model parameters, updating the global model by adopting the encryption model parameters to obtain a global encryption model:

according toFormula (II)

Encrypting the model parameters to obtain encrypted model parameters;

using said cryptographic model parameters

And updating the global model to obtain a global encryption model.

A computer readable storage medium having one or more programs stored thereon that are executable by one or more processors to perform the steps of the federated learning-based privacy protection method of the present invention.

A privacy preserving system based on federal learning, comprising: the server side is used for encrypting the global model by adopting a parameter encryption algorithm to obtain a ciphertext model;

the client is used for training the ciphertext model by using local data to obtain ciphertext gradient information and a noise item;

the server is further used for decrypting the ciphertext gradient information and the noise item to obtain a parameter gradient, updating the global model by adopting the parameter gradient, and repeating the steps until the model converges or reaches a specified iteration number to obtain a model parameter; encrypting the model parameters to obtain encryption model parameters, and updating the global model by adopting the encryption model parameters to obtain a global encryption model;

and the client is also used for carrying out local training on the encrypted global model to realize privacy protection.

Has the advantages that: compared with the prior art, the privacy protection method based on the federal learning provided by the invention has the advantages that the global model of the federal learning is encrypted through the privacy protection algorithm to obtain the global encryption model, and the participants are allowed to carry out local training on the global encryption model. The privacy protection method provided by the invention can effectively prevent semi-credible federal learning participants from obtaining the real parameters of the global model and the output result of the intermediate model, and simultaneously ensures that all participants can obtain the real prediction result by utilizing the finally trained encryption model.

Drawings

Fig. 1 is a flowchart of a privacy protection method based on federal learning according to a preferred embodiment of the present invention.

Fig. 2 is a schematic diagram of a privacy protection system based on federal learning according to the present invention.

Detailed Description

The invention provides a privacy protection method, a storage medium and a system based on federal learning, and in order to make the purpose, technical scheme and effect of the invention clearer and clearer, the invention is further described in detail below by referring to the attached drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

As used herein, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. As used herein, the term "and/or" includes all or any element and all combinations of one or more of the associated listed items.

It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

The invention will be further explained by the description of the embodiments with reference to the drawings.

Federal learning (Federatedlearning) is a new artificial intelligence basic technology, is proposed by Google in 2016, and is originally used for solving the problem of local model updating of android mobile phone terminal users, and the design goal of the federal learning is to carry out efficient machine learning among multiple parties or multiple computing nodes on the premise of guaranteeing information safety during big data exchange, protecting terminal data and personal data privacy and guaranteeing legal compliance. The machine learning algorithm which can be used for federal learning is not limited to a neural network, and also comprises important algorithms such as a random forest. The system architecture for federated learning is presented as an example of a scenario involving two data owners (i.e., enterprises A and B). The framework is extensible to scenarios involving multiple data owners. Suppose enterprises A and B want to jointly train a machine learning model, and their business systems have the relevant data of their respective users. In addition, enterprise B also has label data that the model needs to predict. Due to data privacy protection and safety considerations, A and B cannot directly exchange data, and a federal learning system can be used for establishing a model. The federal learning system framework is composed of three parts:

a first part: the encrypted samples are aligned. Because the user groups of the two enterprises are not completely overlapped, the system confirms the common users of the two enterprises on the premise that A and B do not disclose respective data by using an encryption-based user sample alignment technology, and does not expose the users which are not overlapped with each other, so that the modeling is carried out by combining the characteristics of the users. A second part: and (5) training an encryption model. After the common user population is determined, the machine learning model can be trained using these data. In order to ensure the confidentiality of data in the training process, the third-party collaborator C needs to be used for encryption training. Taking the linear regression model as an example, the training process can be divided into 4 steps: the first step is as follows: collaborator C distributes the public key to a and B for encrypting the data to be exchanged during the training process. The second step: a and the intermediate results between A and A are used to calculate the gradient in encrypted form. Thirdly, the step of: a and B are calculated respectively based on the encrypted gradient values, meanwhile, B calculates loss according to the label data of the A and B, and summarizes the result to C, and C calculates the total gradient value through the summarized result and decrypts the total gradient value. Fourthly, the step: and C, respectively transmitting the decrypted gradient back to A and B, and updating the parameters of the respective models by the A and B according to the gradient. And iterating the steps until the loss function converges, so that the whole training process is completed. In the sample alignment and model training processes, the data of A and B are kept locally, and data privacy is not leaked due to data interaction in the training process. Thus, both parties are enabled to collaboratively train the model with the help of federal learning. And a third part: and (4) effect excitation. One of the major features of federal learning is that it solves the problem why different agencies are added to federal co-modeling, i.e., the model effect is shown in practical applications and recorded on a permanent data recording mechanism (e.g., blockchain) after modeling. The effects of these models are distributed to individual agencies on the federal mechanism for feedback and continue to encourage more agencies to join this data federation. The implementation of the three parts not only considers privacy protection and effect of common modeling among a plurality of organizations, but also considers the incentive of the organizations with more contribution data by a consensus mechanism.

Although federal learning does not require participants to upload local training data, the level of privacy protection can be increased to some extent. However, current research shows that it is still possible for an attacker to acquire original training data, perform membership inference, and attribute inference, etc. using the true gradient or updated model parameter information uploaded by each participant. At present, privacy protection research based on federal learning almost considers preventing a central server from obtaining privacy information of participants from model updating, but does not consider the situation of malicious participants. That is, the malicious or attacker-intercepted participants may still get the true global model update, and therefore, they may still guess other training data or guess the training data sets of other participants through the true parameters, in addition to their own local training data. Therefore, in federal learning, it is also an urgent problem to prevent the real model update in the iterative process and the final model parameters from being acquired by malicious participants.

In order to solve the problems in the prior art, the invention provides a privacy protection method based on federal learning, as shown in fig. 1, which comprises the following steps:

s10, encrypting the global model by adopting a parameter encryption algorithm to obtain a ciphertext model;

s20, training the ciphertext model by using local data to obtain ciphertext gradient information and a noise item;

s30, decrypting the ciphertext gradient information and the noise item to obtain a parameter gradient, and updating the global model by adopting the parameter gradient;

s40, circularly executing the steps S10-S30 until the model converges or reaches the specified iteration times to obtain model parameters;

s50, encrypting the model parameters to obtain encryption model parameters, and updating the global model by adopting the encryption model parameters to obtain a global encryption model;

and S60, performing local training on the encrypted global model to realize privacy protection.

Specifically, although the differential privacy technology can ensure the efficiency of the model, the introduced random noise cannot be eliminated, so that the accuracy of the model is greatly affected, and there is a trade-off relationship between the accuracy of the model and the privacy protection level, that is, the higher the privacy protection level is, the greater the random number noise needs to be added, which makes the accuracy of the model worse. In order to solve the problem, the embodiment provides an efficient privacy protection method based on the idea of differential privacy, in each iteration of the training process, before the server side distributes global model parameters, additive and multiplicative random numbers meeting certain conditions are selected as private keys, and the global model is multiplied or added with the private keys as encrypted global models distributed to each participant according to certain design requirements; the participants then perform model training on the encrypted global model using their own local data. The privacy protection method provided by the embodiment can enable the server side to accurately eliminate the influence of the random number and restore a real global model, so that the accuracy of the model can be ensured.

According to the embodiment, the global model is encrypted by providing an efficient privacy protection method, so that all participants of federal learning can only train on the global encryption model and cannot obtain real model parameters, and the privacy of the global model is guaranteed. That is to say, the privacy protection method based on federal learning provided in this embodiment can effectively prevent semi-trusted federal learning participants from obtaining the real parameters of the global model and the output result of the intermediate model, and meanwhile, it is ensured that all participants can obtain the real prediction result by using the finally trained encryption model.

In some specific embodiments, the privacy protection method provided by the invention can be applied to scenes with sensitive data privacy, such as hospitals (medical image data) and banks (credit card transaction records), and the like, and all organizations are combined to train a global model together on the premise of not revealing the data privacy so as to achieve the expected purpose. Taking a bank credit card fraud detection scenario as an example, each bank wants to train a global model while not revealing data privacy, so as to obtain transaction information for a single credit card and detect the capability of whether the transaction is a fraudulent transaction. After receiving the ciphertext model, each banking institution can train on the ciphertext model by using transaction record data of a local credit card and a manually labeled tag (whether the transaction is fraudulent), obtain ciphertext gradient information and a noise item and send the ciphertext gradient information and the noise item to a server; the server decrypts the ciphertext gradient information and the noise item to obtain a parameter gradient, and updates the global model by adopting the parameter gradient; circularly executing the steps until the model converges or reaches the specified iteration times to obtain model parameters; encrypting the model parameters to obtain encryption model parameters, and updating the global model by adopting the encryption model parameters to obtain a global encryption model; the server distributes the global encryption model to the client (each banking institution) again, and the client can carry out local training on the global encryption model to realize privacy protection.

In some embodiments, the privacy protection method provided by this embodiment is applicable to two deep learning models, namely a multilayer perceptron (MLP) and a Convolutional Neural Network (CNN), and supports a ReLU activation function and a MSE loss function; meanwhile, the privacy protection method can also be effectively applied to a variant convolutional neural network model with hopping connection, such as ResNet and DenseNet networks which are widely popular at present.

The invention comprises four stages of global model encryption, local model training, global model updating and final model distribution, corresponding to the training process of horizontal federal learning. And the first three stages are sequentially executed in a circulating mode until the model converges or reaches the specified circulating times, and then the fourth stage is turned to be ended.

In some embodiments, the "global model encryption" stage is performed by a server side of the federal learning framework, and the server side encrypts or scrambles a global model (referred to as a "plaintext model") by using the parameter encryption algorithm, and then sends the encrypted model (referred to as a "ciphertext model") and auxiliary random information to a client side. The global model can be a multilayer perceptron model or a convolutional neural network model, and the parameter encryption algorithm is specifically described below based on the two models respectively.

In a specific embodiment, when the global model is a multilayer perceptron model with L layers, the multilayer perceptron model is composed of any number of fully connected layers, and the ReLU is used as an activation function. Consider a multi-layer perceptron model with L layers, the number of neurons in the L layer is n_lThe parameter matrix is

Its output can be expressed as:

in particular, when l is 0, y⁽⁰⁾Input x ═ x representing model_1，x₂，…，x_d)^T，n₀D denotes the dimension of the input data.

Aiming at the multilayer perceptron model of the L layers, the server side uses a random number matrix

And

for plaintext model parameters

Performing encryption, ciphertext model parameter

The calculation process of (2) is as follows:

wherein

Representing a Hadamard product operation.

In particular, the random number matrix R^(l)From multiplicative noise vectors

The method comprises the following steps:

wherein the subscripts i and j satisfy i ∈ [1, n ]_l]，j∈[1，n_l-1]. The random number matrix R^aFrom a random number gamma and an additive noise vector

Consisting of the following formula:

wherein the subscripts i and j satisfy i ∈ [1, n ]_L]，j∈[1，n_L-1]. And replacing the plaintext model parameters in the multilayer perceptron model with the ciphertext model parameters to obtain a ciphertext model.

In this embodiment, the server end first completes the model encryption according to the above requirements, and then encrypts the ciphertext model parameters

And additive noise vector r_aSent together to the federal learned participants.

In another embodiment, when the global model is a convolutional neural network model of L layers, the convolutional neural network model is composed of an arbitrary number of convolutional layers and max-pooling layers alternately connected and then ends with a fully connected layer for regression or classification tasks. The convolution model uses ReLU as an activation function and allows a "splice-type jump-join" structure between layers. The convolution layer takes three-dimensional data as input and takes a plurality of three-dimensional convolution kernels as parameters, and outputs a feature map after convolution. For any number of channels c_lHeight of h_lWidth of w_lThree-dimensional input data of

The three-dimensional convolution operation is defined as:

wherein the content of the first and second substances,

is c_l+1Size of c_lThe tensor composed by the xf f convolution kernel,

is an outputThe characteristic diagram of (1).

For any L layers of the convolutional network model, the server side uses random tensor

And a random matrix

Encrypting the plaintext model parameters of the convolutional neural network model to obtain corresponding ciphertext model parameters:

when L is not less than 1 and not more than L-1, the parameter W^(l)Being the convolution kernel tensor, the random tensor R^(l)From multiplicative noise vectors

Consists of, and satisfies:

wherein r is^(l，in)＝(r^(m))_m∈P(l)From m e P (l) vectors r^(m)Spliced, p (l) denotes a set of indices for all network layers connected to the l convolutional layer, this change being used to adapt the connection structure with a spliced jump connection;

the random matrix R^(L)From a multiplicative noise vector r^(L-1)Is composed of, and satisfies:

the random matrix R^aFrom an additive noise vector r_aAnd a random number γ, and satisfies:

and replacing the plaintext model parameters in the convolutional neural network model with the ciphertext model parameters to obtain a ciphertext model.

In the embodiment, the server sideFirstly, completing model encryption according to the requirements, and then, encrypting the model parameters of the ciphertext

And additive noise vector r_aSent together to the participants (clients) of the federal study.

In some embodiments, the "local model training" phase is a second phase, completed by the client. After each participant receives the ciphertext model and the additive noise vector, the participant trains on the ciphertext model by using own local data, and the training method mainly comprises two stages: forward propagation and backward propagation. And finally, sending the cipher text gradient information obtained by local calculation and the extra noise item to a server side.

And a forward propagation stage:

when the global model is a multilayer perceptron model of an L layer, after receiving the ciphertext model, the participants of the federal learning calculate the output containing noise

The output of the ciphertext model and the output of the corresponding plaintext model satisfy the following relational expression:

wherein

r＝γr_a. For a Federal learning participant, a random noise vector r^(l)And the random number gamma is unknown.

When the global model is a convolutional neural network model of an L layer, similar to a multilayer perceptron, the convolutional layer output of the ciphertext model and the corresponding real convolutional layer output satisfy:

and the output of the full connection layer of the ciphertext model and the corresponding real output result meet the following requirements:

wherein

Is a pseudo output statistic, and the function Flatten (-) expresses that the multi-dimensional tensor is extended into a one-dimensional vector, and the dimensionality of the extended vector is n_L-1＝c_L-1h_L-1w_L-1. Parameter r ═ γ r_aTo a combined noise vector. The random noise vector r is the same as the encryption mechanism of the multilayer perceptron model^(l)And the random number gamma is unknown to the participants of the federated learning, and the encryption mechanism aiming at the convolution model can strictly ensure the security of the global model.

And (3) a back propagation stage:

the back propagation process is applicable to both multilayer perceptron models and convolutional neural network models, using Mean Square Error (MSE) as the loss function. For samples of arbitrary dimensions

Prediction value of ciphertext model

The mean square error from the true value can be expressed as:

wherein n is_LRepresenting the dimensions of the model output layer and also the dimensions of the sample label. The parameters alpha and r are respectively "orderThe pseudo output statistics and the combined noise vector introduced in paragraph 1 ". For the parametric encryption algorithm introduced in the present invention, the loss function

For ciphertext parameter

The noisy gradient and the corresponding real gradient satisfy the following relation:

wherein the content of the first and second substances,

and is

Notably, the parameter σ^(l)And beta^(l)Is done by the participants independently computing locally.

Specifically, the kth participant is at all its minibatches of data

Calculating gradients on a sample

And combined with additive noise vector r provided by the server_aCalculating noise terms

And

finally, the three types of information are combined

And simultaneously sending the data to the server side.

In some embodiments, the "global model update" phase is performed by federally learned clothesAnd the server end completes the operation. And after receiving the ciphertext gradient information and the noise items sent by all participants, the server decrypts the true parameter gradient by using the selected private key, and finally updates the global model by using the aggregated parameter gradient. In particular, the global model W for the t-th round_tThe true gradient it gets during the local training of the kth participant can be solved as follows:

wherein F_k(. cndot.) represents the loss function for the kth participant. After the real gradient is decrypted, the server side updates to obtain the global model W of the t +1 th round_t+1：

Where eta represents the learning rate, N_kthe/N represents the ratio of the data volume of the kth participant to the total data volume.

In some embodiments, the "final model distribution" phase is done by the server side of federal learning. After the server and the client alternately execute the stages 1 to 3 until the model converges or reaches the specified iteration times, the server obtains the final model parameters

In order to protect the model parameters and ensure that the participants can obtain correct inference results, the server side still encrypts the global model before distributing the model, and the server side does not select additive noise R unlike the training stage^aAnd only multiplicative noise is selected to ensure that the output of the ciphertext model is the same as the true output, namely:

without loss of generality, the server side encrypts the model parameters according to the following formula:

the parameter W in the above formula is not only a multilayer perceptron model but also a convolutional neural network model^(l)And noise R^(l)In exactly the same form as described in "stage 1". And finally, the server side distributes the encrypted global model to all participants, and the participants carry out local training on the encrypted global model to realize privacy protection.

In some embodiments, a computer-readable storage medium is also provided, wherein the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the steps in the federal learning based privacy protection method of the present invention.

In some embodiments, a privacy protection system based on the federal learning method is further provided, as shown in fig. 2, which includes a server 10 and a client 20, where the server 10 is configured to perform encryption processing on a global model by using a parameter encryption algorithm to obtain a ciphertext model;

the client 20 is configured to train on the ciphertext model by using local data to obtain ciphertext gradient information and a noise item;

the server 10 is further configured to decrypt the ciphertext gradient information and the noise item to obtain a parameter gradient, update the global model by using the parameter gradient, and loop the above steps until the model converges or reaches a specified iteration number to obtain a model parameter; encrypting the model parameters to obtain encryption model parameters, and updating the global model by adopting the encryption model parameters to obtain a global encryption model;

the client 20 is further configured to perform local training on the encrypted global model to achieve privacy protection.

In summary, the present invention solves the problem of implementing a nonlinear activation function such as ReLU in a ciphertext domain, thereby supporting a client to train a multilayer perceptron model, a convolutional neural network model or perform local prediction in an encryption domain without knowing real updates or parameters. Therefore, semi-trusted federal learning participants can be effectively prevented from obtaining the real parameters of the global model and the output result of the intermediate model, and meanwhile, all the participants can be guaranteed to obtain the real prediction result by using the finally distributed encryption model. The invention provides privacy protection, at the same time, the server can eliminate random numbers to obtain real global model parameters, and the participants can obtain real prediction by using the encrypted model, thereby ensuring the accuracy of the model and the prediction. The extra cost of the invention is mainly generated in the back propagation, and besides the gradient, the participants also calculate and send two extra noise terms to the server side. The upper bounds of the additional computation and communication costs compared to the plaintext model training are about 2T and 2C, respectively (T is the cost of back propagation in the plaintext model training and C is the size of the model parameters), which ensures the efficiency and usability of the method in practice.

Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A privacy protection method based on federal learning is characterized by comprising the following steps:

encrypting the global model by adopting a parameter encryption algorithm to obtain a ciphertext model;

training on the ciphertext model by using local data to obtain ciphertext gradient information and a noise item;

decrypting the ciphertext gradient information and the noise item to obtain a parameter gradient, updating the global model by adopting the parameter gradient, and circulating the steps until the model converges or reaches a specified iteration number to obtain a model parameter;

encrypting the model parameters to obtain encryption model parameters, and updating the global model by adopting the encryption model parameters to obtain a global encryption model;

and carrying out local training on the encrypted global model to realize privacy protection.

2. The privacy protection method based on federal learning of claim 1, wherein the step of obtaining the ciphertext model by encrypting the global model by using a parameter encryption algorithm comprises:

when the global model is a multilayer perceptron model with L layers, a random number matrix is adopted

And

for plaintext model parameters in the multilayer perceptron model

Encrypting to obtain ciphertext model parameters:

wherein the content of the first and second substances,

representing a Hadamard product multiplication operation;

the random number matrix R^(l)From multiplicative noise vectors

The method comprises the following steps:

wherein the subscripts i and j satisfy i ∈ [1, n ]_l]，j∈[1，n_l-1]；

The random number matrix R^aFrom a random number gamma and an additive noise vector

Consisting of the following formula:

wherein the subscripts i and j satisfy i ∈ [1, n ]_L]，j∈[1，n_L-1]；

And replacing the plaintext model parameters in the multilayer perceptron model with the ciphertext model parameters to obtain a ciphertext model.

3. The privacy protection method based on federal learning of claim 1, wherein the step of obtaining the ciphertext model by encrypting the global model by using a parameter encryption algorithm comprises:

using a random tensor when the global model is a convolutional neural network model of L layers

And a random matrix R^(L),

Encrypting the plaintext model parameters of the convolutional neural network model to obtain corresponding ciphertext model parameters:

when L is not less than 1 and not more than L-1, the parameter W^(l)For convolution kernel tensors, the random tensor R (l) is formed by multiplicative noise vectors

Consists of, and satisfies:

wherein r is^(l，in)＝(r^(m))_m∈P(l)From m e P (l) vectors r^(m)Spliced, p (l) represents a set of indices for all network layers connected to the l convolutional layer;

the random matrix R^(L)From a multiplicative noise vector r^(L-1)Is composed of, and satisfies:

the random matrix R^aFrom an additive noise vector r_aAnd a random number γ, and satisfies:

and replacing the plaintext model parameters in the convolutional neural network model with the ciphertext model parameters to obtain a ciphertext model.

4. The privacy protection method based on federal learning as claimed in claim 2, wherein the step of training on the ciphertext model by using local data to obtain ciphertext gradient information and a noise item comprises:

computing the output of the ciphertext model:

the output of the ciphertext model and the output of the corresponding plaintext model satisfy the following relational expression:

wherein

r＝γr_a；

For any dimension of sampleBook (I)

Prediction value of ciphertext model

The mean square error from the true value is expressed as a loss function as:

wherein n is_LRepresenting the dimension of the model output layer and the dimension of the sample label;

said loss function

For ciphertext parameter

The noisy gradient and the corresponding real gradient satisfy the following relation:

wherein the content of the first and second substances,

v＝r^Tr and

the kth participant has all its minibatches of data

Computing ciphertext gradient information over a sample

And combined with an additive noise vector r_aCalculating noise terms

And

5. the privacy protection method based on federal learning as claimed in claim 3, wherein the step of training on the ciphertext model by using local data to obtain ciphertext gradient information and a noise item comprises:

the convolutional layer output of the ciphertext model and the corresponding real convolutional layer output meet the following requirements:

and, the full-connection layer output of the ciphertext model and the corresponding real output result meet the following requirements:

wherein

Is a pseudo output statistic, and the function Flatten (-) expresses that the multi-dimensional tensor is extended into a one-dimensional vector, and the dimensionality of the extended vector is n_L-1＝c_L-1h_L-1w_L-1The parameter r is gamma r_aIs a combined noise vector;

for samples of arbitrary dimensions

Prediction value of ciphertext model

The mean square error from the true value is expressed as a loss function as:

wherein n is_LRepresenting model outputsThe dimension of the layer, and also the dimension of the sample label;

said loss function

For ciphertext parameter

The noisy gradient and the corresponding real gradient satisfy the following relation:

wherein the content of the first and second substances,

v＝r^Tr and

the kth participant has all its minibatches of data

Computing ciphertext gradient information over a sample

And combined with an additive noise vector r_aCalculating noise terms

And

6. the privacy protection method based on federated learning as claimed in any of claims 4-5, wherein, to decrypt the ciphertext gradient information and noise item, to obtain parameter gradients, to use the parameter gradients to update the global model, until the model converges or reaches a specified number of iterations, the step of obtaining model parameters includes:

global model W for the t-th round_tThe parameter gradient obtained during the local training of the kth participant is solved as follows:

wherein, F_k(. h) represents the loss function for the kth participant;

updating the global model by adopting the parameter gradient until the model converges or reaches the specified iteration times to obtain the model parameter W of the t +1 th round_t+1Comprises the following steps:

where eta represents the learning rate, N_kthe/N represents the ratio of the data volume of the kth participant to the total data volume.

7. The privacy protection method based on federal learning as claimed in claim 6, wherein the step of encrypting the model parameters to obtain encryption model parameters, and updating the global model with the encryption model parameters to obtain a global encryption model comprises:

according to the formula

Encrypting the model parameters to obtain encrypted model parameters;

using said cryptographic model parameters

And updating the global model to obtain a global encryption model.

8. A computer-readable storage medium storing one or more programs for execution by one or more processors to perform the steps of the federated learning-based privacy method of any one of claims 1-7.

9. A privacy preserving system based on federal learning, comprising: the server side is used for encrypting the global model by adopting a parameter encryption algorithm to obtain a ciphertext model;

the client is used for training the ciphertext model by using local data to obtain ciphertext gradient information and a noise item;

the server is further used for decrypting the ciphertext gradient information and the noise item to obtain a parameter gradient, updating the global model by adopting the parameter gradient, and repeating the steps until the model converges or reaches a specified iteration number to obtain a model parameter; encrypting the model parameters to obtain encryption model parameters, and updating the global model by adopting the encryption model parameters to obtain a global encryption model;

and the client is also used for carrying out local training on the encrypted global model to realize privacy protection.

Images